overlay coreos/user-patches: Add a user patch for sys-libs/pam

It's a patch for adding the account locking functionality. Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
2025-11-14 07:01:32 +01:00 · 2024-02-26 16:30:36 +01:00 · 2024-02-26 16:30:36 +01:00 · d4b29659d3
commit d4b29659d3
parent 2e94c9f2c7
2 changed files with 33 additions and 0 deletions
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/pam/0001-Add-account-locking.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/pam/0001-Add-account-locking.patch
@ -0,0 +1,28 @@
+From 15730679e629a4f70b98e11accfcaa43e769bbef Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg59@coreos.com>
+Date: Tue, 5 Apr 2016 22:15:56 -0700
+Subject: [PATCH] Add account locking
+
+A leading exclamation mark in the password field in /etc/shadow
+indicates a locked account.
+---
+ modules/pam_unix/support.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index b95f95e6..947525ce 100644
+--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
+@@ -877,6 +877,9 @@ _unix_verify_user(pam_handle_t *pamh,
+         return retval;
+     }
+ 
+    if (pwent->pw_passwd != NULL && pwent->pw_passwd[0] == '!')
+        return PAM_PERM_DENIED;
+
+     if (retval == PAM_SUCCESS && spent == NULL)
+         return PAM_SUCCESS;
+ 
+-- 
+2.51.0
+
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/pam/README.md
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-libs/pam/README.md
@ -0,0 +1,5 @@
+The patch adds some locking behavior. Upstream didn't want it:
+https://github.com/linux-pam/linux-pam/issues/261.
+
+Possibly it should be dropped in favor of `chage -E 0`, as mentioned
+in the issue.