From 6c3be9ced071e73e78451c82e8def9c5a5b02598 Mon Sep 17 00:00:00 2001 From: DMHalford <161769419+DMHalford@users.noreply.github.com> Date: Thu, 15 May 2025 15:06:10 -0400 Subject: [PATCH] Prevent erroneous "Login blocked after [negative number] attempts" errors For root, faillock appears to always* return an empty string (i.e. no table headers are present), yielding a zero-initialized pam_faillock_output_count and thus resulting in the calculation of a negative failed_login_counter value. This can cause erroneous errors of the form "ERROR: Login blocked after [negative number] attempts" during sudo-ing and screen unlocking. This commit modifies the initialization of failed_login_counter such that it cannot be negative and prevents the display of these incorrect warnings. * Only rudimentary tests were conducted --- usr/libexec/security-misc/pam-info | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 5f8198a..a0e86db 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -163,9 +163,9 @@ pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)" ## example pam_faillock_output_count: ## 4 -## Do not count the first two informational textual output lines -## (starting with "user:" and "When"). -failed_login_counter=$(( pam_faillock_output_count - 2 )) +## Do not count the first two informational textual output lines (starting with "user:" and "When") if present, +## but ensure failed_login_counter is not set to a negative value. +failed_login_counter=$( [ $(( pam_faillock_output_count - 2 )) -gt 0 ] && echo $(( pam_faillock_output_count - 2 )) || echo "0" ) ## example failed_login_counter: ## 2
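Review bot: the clamp on the new `failed_login_counter=` line evaluates `$(( pam_faillock_output_count - 2 ))` twice inside a subshell and a `[ ]` test; the same result reads more plainly, and avoids the unquoted arithmetic result inside `[ ]`, as a single POSIX arithmetic ternary, e.g. `failed_login_counter=$(( pam_faillock_output_count > 2 ? pam_faillock_output_count - 2 : 0 ))`. The updated comment's "if present" also overstates what the code does: nothing checks whether the "user:" and "When" header lines are actually there, the two lines are always subtracted and the result clamped at zero, so an empty faillock output (which `echo "" | wc -l` still counts as one line) is reported as zero failed logins rather than as a missing faillock record; if the two cases should stay distinguishable in the displayed message, test for the header line explicitly (for example `case "$pam_faillock_output" in *"user:"*) ... esac`) before subtracting.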