From fb860005117dc9e092649687dfa1304fb423efc5 Mon Sep 17 00:00:00 2001 From: ysf Date: Thu, 17 Mar 2022 15:23:42 +0100 Subject: [PATCH] fixed pam auth skipping authorization --- CHANGELOG.md | 3 +++ pcs/daemon/auth.py | 3 +++ 2 files changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 116d44535..682a40560 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,11 +13,14 @@ - Booth ticket name validation ([rhbz#2053177]) - Adding booth ticket doesn't report 'mode' as an uknown option anymore ([rhbz#2058243]) +- Pcs daemon was allowing expired accounts, and accounts with expired + passwords to login when using PAM auth. ([huntr#220307]) [rhbz#2024522]: https://bugzilla.redhat.com/show_bug.cgi?id=2024522 [rhbz#2053177]: https://bugzilla.redhat.com/show_bug.cgi?id=2053177 [rhbz#2054671]: https://bugzilla.redhat.com/show_bug.cgi?id=2054671 [rhbz#2058243]: https://bugzilla.redhat.com/show_bug.cgi?id=2058243 +[huntr#220307]: https://huntr.dev/bounties/7aa921fc-a568-4fd8-96f4-7cd826246aa5/ ## [0.11.2] - 2022-02-01 diff --git a/pcs/daemon/auth.py b/pcs/daemon/auth.py index 736a641ea..7e7eb4884 100644 --- a/pcs/daemon/auth.py +++ b/pcs/daemon/auth.py @@ -64,6 +64,7 @@ def prep_fn(fn, restype, argtypes): strdup = prep_fn(libc.strdup, POINTER(c_char), [c_char_p]) calloc = prep_fn(libc.calloc, c_void_p, [c_uint, c_uint]) pam_authenticate = prep_fn(libpam.pam_authenticate, c_int, [pam_handle, c_int]) +pam_acct_mgmt = prep_fn(libpam.pam_acct_mgmt, c_int, [pam_handle, c_int]) pam_end = prep_fn(libpam.pam_end, c_int, [pam_handle, c_int]) pam_start = prep_fn( libpam.pam_start, @@ -102,6 +103,8 @@ def conv( ) if returncode == PAM_SUCCESS: returncode = pam_authenticate(pamh, 0) + if returncode == PAM_SUCCESS: + returncode = pam_acct_mgmt(pamh, 0) pam_end(pamh, returncode) return returncode == PAM_SUCCESS
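Review bot: The new `pam_acct_mgmt` branch maps every non-success result, including `PAM_NEW_AUTHTOK_REQD` (password expired but still changeable) and `PAM_ACCT_EXPIRED`, to the same `False` at `return returncode == PAM_SUCCESS`, and nothing in the hunk records which PAM code caused the denial; whether the caller logs it is not visible here, so consider capturing `returncode` before `pam_end` for operators diagnosing lockouts. Add a why-comment above the new check so the next reader does not drop it as redundant: `# pam_authenticate only verifies the credential; expiry, nologin and pam_access/pam_time` / `# restrictions are enforced by the account stack. PAM_NEW_AUTHTOK_REQD is rejected too,` / `# because the daemon has no way to run a password change.` Both PAM calls pass flags `0`; if the configured stack relies on `nullok`, passing `PAM_DISALLOW_NULL_AUTHTOK` would be the explicit defence against empty-password accounts, which is worth confirming against the pcsd PAM service file. The enclosing function starts outside the hunk.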