Diffstat (limited to 'src/shared')
-rw-r--r-- | src/shared/mount-util.c | 7 | ||||
-rw-r--r-- | src/shared/ptyfwd.c | 5 | ||||
-rw-r--r-- | src/shared/user-record-show.c | 15 | ||||
-rw-r--r-- | src/shared/user-record.c | 25 |
4 files changed, 37 insertions, 15 deletions
diff --git a/src/shared/mount-util.c b/src/shared/mount-util.c index 4d40acfb4c..53fb46e7bc 100644 --- a/src/shared/mount-util.c +++ b/src/shared/mount-util.c @@ -282,7 +282,10 @@ int bind_remount_recursive_with_mountinfo( r = path_is_mount_point(x, NULL, 0); if (IN_SET(r, 0, -ENOENT)) continue; - if (IN_SET(r, -EACCES, -EPERM)) { + if (r < 0) { + if (!ERRNO_IS_PRIVILEGE(r)) + return r; + /* Even if root user invoke this, submounts under private FUSE or NFS mount points * may not be acceessed. E.g., * @@ -294,8 +297,6 @@ int bind_remount_recursive_with_mountinfo( log_debug_errno(r, "Failed to determine '%s' is mount point or not, ignoring: %m", x); continue; } - if (r < 0) - return r; /* Try to reuse the original flag set */ orig_flags = 0; diff --git a/src/shared/ptyfwd.c b/src/shared/ptyfwd.c index 6d67c079e4..bb372d4001 100644 --- a/src/shared/ptyfwd.c +++ b/src/shared/ptyfwd.c @@ -16,6 +16,7 @@ #include "sd-event.h" #include "alloc-util.h" +#include "errno-util.h" #include "fd-util.h" #include "log.h" #include "macro.h" @@ -195,7 +196,7 @@ static int shovel(PTYForward *f) { if (errno == EAGAIN) f->stdin_readable = false; - else if (IN_SET(errno, EIO, EPIPE, ECONNRESET)) { + else if (errno == EIO || ERRNO_IS_DISCONNECT(errno)) { f->stdin_readable = false; f->stdin_hangup = true; @@ -279,7 +280,7 @@ static int shovel(PTYForward *f) { if (errno == EAGAIN) f->stdout_writable = false; - else if (IN_SET(errno, EIO, EPIPE, ECONNRESET)) { + else if (errno == EIO || ERRNO_IS_DISCONNECT(errno)) { f->stdout_writable = false; f->stdout_hangup = true; f->stdout_event_source = sd_event_source_unref(f->stdout_event_source); diff --git a/src/shared/user-record-show.c b/src/shared/user-record-show.c index 33787c083f..9046fafcb2 100644 --- a/src/shared/user-record-show.c +++ b/src/shared/user-record-show.c 
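Review bot: In the rewritten `if (r < 0)` branch of bind_remount_recursive_with_mountinfo(), a submount whose `path_is_mount_point()` check fails with a privilege error is skipped with only a `log_debug_errno()`, so it keeps the mount flags it already had and the caller still sees success. The existing comment explains why the error can occur but not that consequence; I would add `/* NB: a skipped submount is not remounted and keeps its old flags; callers relying on this to enforce flags such as read-only get no error. */`. Which errnos take this path is now decided by `ERRNO_IS_PRIVILEGE()`, whose definition is outside this diff. The function body starts and ends outside the hunk.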
@@ -45,6 +45,10 @@ void user_record_show(UserRecord *hr, bool show_full_group_info) { if (hr->last_change_usec != USEC_INFINITY) { char buf[FORMAT_TIMESTAMP_MAX]; printf(" Last Change: %s\n", format_timestamp(buf, sizeof(buf), hr->last_change_usec)); + + if (hr->last_change_usec > now(CLOCK_REALTIME)) + printf(" %sModification time lies in the future, system clock wrong?%s\n", + ansi_highlight_yellow(), ansi_normal()); } if (hr->last_password_change_usec != USEC_INFINITY && @@ -56,10 +60,6 @@ void user_record_show(UserRecord *hr, bool show_full_group_info) { r = user_record_test_blocked(hr); switch (r) { - case -ESTALE: - printf(" Login OK: %sno%s (last change time is in the future)\n", ansi_highlight_red(), ansi_normal()); - break; - case -ENOLCK: printf(" Login OK: %sno%s (record is locked)\n", ansi_highlight_red(), ansi_normal()); break; @@ -72,10 +72,11 @@ void user_record_show(UserRecord *hr, bool show_full_group_info) { printf(" Login OK: %sno%s (record not valid anymore))\n", ansi_highlight_red(), ansi_normal()); break; + case -ESTALE: default: { usec_t y; - if (r < 0) { + if (r < 0 && r != -ESTALE) { errno = -r; printf(" Login OK: %sno%s (%m)\n", ansi_highlight_red(), ansi_normal()); break; @@ -123,6 +124,10 @@ void user_record_show(UserRecord *hr, bool show_full_group_info) { printf(" Password OK: %schange not permitted%s\n", ansi_highlight_yellow(), ansi_normal()); break; + case -ESTALE: + printf(" Password OK: %slast password change in future%s\n", ansi_highlight_yellow(), ansi_normal()); + break; + default: if (r < 0) { errno = -r; diff --git a/src/shared/user-record.c b/src/shared/user-record.c index e04df4d78b..4149205b8a 100644 --- a/src/shared/user-record.c +++ b/src/shared/user-record.c 
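Review bot: In the `switch (r)` of user_record_show(), `case -ESTALE:` now shares the `default:` block and is let through by `if (r < 0 && r != -ESTALE)`, so a record dated in the future is reported by the same code that reports a usable record, and nothing at the label says this is intentional. A comment such as `/* -ESTALE is advisory (clock probably wrong), fall through to the normal login report */` on the case label would keep a later edit from folding it back into the error path. The output is only accurate if the login paths that call `user_record_test_blocked()` treat -ESTALE the same way; those callers are not in this diff (the diffstat is limited to src/shared), so that is worth checking. The switch continues outside the hunk.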
@@ -1919,6 +1919,11 @@ uint64_t user_record_ratelimit_next_try(UserRecord *h) { h->ratelimit_count == UINT64_MAX) return UINT64_MAX; + if (h->ratelimit_begin_usec > now(CLOCK_REALTIME)) /* If the ratelimit time is in the future, then + * the local clock is probably incorrect. Let's + * not refuse login then. */ + return UINT64_MAX; + if (h->ratelimit_count < user_record_ratelimit_burst(h)) return 0; @@ -2025,19 +2030,20 @@ int user_record_test_blocked(UserRecord *h) { assert(h); - n = now(CLOCK_REALTIME); - if (h->last_change_usec != UINT64_MAX && - h->last_change_usec > n) /* Don't allow log ins when the record is from the future */ - return -ESTALE; - if (h->locked > 0) return -ENOLCK; + n = now(CLOCK_REALTIME); + if (h->not_before_usec != UINT64_MAX && n < h->not_before_usec) return -EL2HLT; if (h->not_after_usec != UINT64_MAX && n > h->not_after_usec) return -EL3HLT; + if (h->last_change_usec != UINT64_MAX && + h->last_change_usec > n) /* Complain during log-ins when the record is from the future */ + return -ESTALE; + return 0; } @@ -2055,6 +2061,7 @@ int user_record_test_password_change_required(UserRecord *h) { -EKEYEXPIRED: Password is about to expire, warn user -ENETDOWN: Record has expiration info but no password change timestamp -EROFS: No password change required nor permitted + -ESTALE: RTC likely incorrect, last password change is in the future 0: No password change required, but permitted */ @@ -2064,6 +2071,14 @@ int user_record_test_password_change_required(UserRecord *h) { n = now(CLOCK_REALTIME); + /* Password change in the future? Then our RTC is likely incorrect */ + if (h->last_password_change_usec != UINT64_MAX && + h->last_password_change_usec > n && + (h->password_change_min_usec != UINT64_MAX || + h->password_change_max_usec != UINT64_MAX || + h->password_change_inactive_usec != UINT64_MAX)) + return -ESTALE; + /* Then, let's check if password changing is currently allowed at all */ if (h->password_change_min_usec != UINT64_MAX) { |
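Review bot: The added early return in user_record_ratelimit_next_try() makes the authentication rate limit fail open: whenever `ratelimit_begin_usec` is later than the current CLOCK_REALTIME reading, the function returns UINT64_MAX, the same value the preceding context returns when `ratelimit_count` is UINT64_MAX. A clock that is behind therefore lifts the attempt limit until real time catches up with the stored timestamp, unless the code that updates the counters re-anchors the window; that code is not in this diff. I would state the trade-off in the comment, e.g. `/* Fails open: no limit is enforced while the clock is behind ratelimit_begin_usec */`, and confirm that the updater resets `ratelimit_begin_usec` to the current time in this case. The new early `-ESTALE` return in user_record_test_password_change_required() (last hunk) has the same shape: it is taken before the expiry checks, so whether expiry is still enforced depends on how callers handle -ESTALE.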
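Review bot: Moving the `last_change_usec > n` check to the end of user_record_test_blocked() and rewording its comment to "Complain during log-ins" turns -ESTALE from a blocking result into an advisory one, but no comment visible in the hunk lists the function's return codes the way user_record_test_password_change_required() does. I would add a comment block at the top of the function that lists `-ENOLCK`, `-EL2HLT`, `-EL3HLT` and `-ESTALE` and marks the last as non-fatal, since a caller that tests only `r < 0` will still refuse the login. When -ESTALE is returned, the `not_after_usec` comparison above it was made with the same suspect clock reading, so passing that check is not evidence that the record is unexpired. The function begins outside the hunk.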