
Bug 81233

Summary: pam_unix - broken_shadow option
Product: [Retired] Red Hat Linux
Reporter: M.Cerveny <m.cerveny>
Component: pam
Assignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE
QA Contact: Jay Turner <jturner>
Severity: medium
Priority: medium
Version: 7.3
CC: srevivo
Hardware: All
OS: Linux
Fixed In Version: pam-0.77-63
Doc Type: Bug Fix
Last Closed: 2004-10-27 07:26:31 UTC

Attachments: necessary correction to ordinary broken_shadow patch (Flags: none)

Description M.Cerveny 2003-01-06 22:43:57 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.72 [en] (Windows NT 5.0; I)

Description of problem:
The "broken_shadow" option code has a bug. pam_unix can ignore invalid shadows.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
derived /etc/pam.d/system-auth

Actual Results:  sometimes ignores an invalid shadow in the account section of pam

Expected Results:  ignore it only if the option is set

Additional info:

add patch:

diff -uNr Linux-PAM-0.75.orig/modules/pam_unix/pam_unix_acct.c Linux-PAM-0.75/modules/pam_unix/pam_unix_acct.c
--- Linux-PAM-0.75.orig/modules/pam_unix/pam_unix_acct.c	Mon Jan  6 22:08:14 2003
+++ Linux-PAM-0.75/modules/pam_unix/pam_unix_acct.c	Mon Jan  6 22:10:00 2003
@@ -145,7 +145,7 @@
 	if (!spent)
-		if (ctrl & UNIX_BROKEN_SHADOW) {
+		if (ctrl & unix_args[UNIX_BROKEN_SHADOW].flag) {
 			if (ubuf) {
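Review bot: the removed line tests `ctrl` against the enum index `UNIX_BROKEN_SHADOW` rather than against the option's flag bit, so the `if (!spent)` branch fires according to whichever ctrl bit that index value happens to coincide with, which is why the option appears permanently on (or permanently off) regardless of the module arguments; the added line `if (ctrl & unix_args[UNIX_BROKEN_SHADOW].flag) {` reads the mask from the option table and is the correct check. Any other place the brokenshadow patch tests `UNIX_BROKEN_SHADOW` directly against `ctrl` should be audited for the same index-versus-mask confusion, and a one-line comment on this branch stating that it only applies when `broken_shadow` is configured would help the next reader.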

Comment 1 buc 2003-11-04 13:53:27 UTC
  The actual problem.

  I want to make pam_unix account and pam_ldap account fully
independent. To do this, I use (/etc/pam.d/system-auth):

account     sufficient    /lib/security/
account     sufficient    /lib/security/

and (/etc/nsswitch.conf):

passwd:     files nisplus ldap
shadow:     files nisplus
group:      files nisplus ldap

  With these configs, original pam_unix account returns success for
all local unix users (and does not touch LDAP), and returns
"authinfo_unavail" for non-unix (ldap) users, which are satisfied by
the next pam_ldap account module.
  After "pam-0.75-unix-brokenshadow.patch" applied, the same should be
done if option "broken_shadow" IS NOT SET. But because of the bug in
this patch, pam_unix account module behaves like this option IS ALWAYS SET.
  Therefore, pam_unix always returns success, pam_ldap account is
never invoked, and LDAP restrictions for LDAP-users ("host",
"authorizedService" etc) are not checked :-(

  I am worried that this bug is not handled even in pam-77.*rpm of

Comment 2 Dmitry Butskoy 2004-08-23 16:29:36 UTC
Created attachment 102987
necessary correction to ordinary broken_shadow patch

Comment 3 Dmitry Butskoy 2004-08-23 16:36:00 UTC
Under RedHat-7.3 "broken_shadow" option behaves like "always set";
under Fedora Core 1 "broken_shadow" behaves like "never set" ...

  Attachment (id=102987) is a "patch for patch" - it resolves this
problem. I think it should not be an additional patch -- ordinary
"broken_shadow" code should be corrected.
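To show why the same buggy test can read as "always set" on one build and "never set" on another, here is a reduced model of pam_unix's option table, added to this page as an illustration (not code from the bug report, the attachment, or Linux-PAM); the option names, enum indices and flag bits are constructed, and `broken_shadow_buggy`/`broken_shadow_fixed` mirror the removed and added lines of the hunk above.

```c
/* Added example: a reduced model of pam_unix's option table. Option names,
 * enum indices and flag bits are constructed for illustration and are not
 * those of Linux-PAM 0.75. */
#include <stdio.h>
#include <string.h>

/* Each option has an enum INDEX into unix_args[] ... */
enum { UNIX_AUDIT = 0, UNIX_NULLOK, UNIX_BROKEN_SHADOW, UNIX_CTRLS_ };

/* ... and a separate flag BIT that is OR-ed into ctrl when its token is seen. */
struct unix_arg { const char *token; unsigned int flag; };
static const struct unix_arg unix_args[UNIX_CTRLS_] = {
    { "audit",         0x01 },
    { "nullok",        0x02 },
    { "broken_shadow", 0x04 },
};

/* Fold module arguments into the ctrl bitmask, the way pam_unix does. */
static unsigned int set_ctrl(int argc, const char **argv)
{
    unsigned int ctrl = 0;
    for (int i = 0; i < argc; i++)
        for (int j = 0; j < UNIX_CTRLS_; j++)
            if (strcmp(argv[i], unix_args[j].token) == 0)
                ctrl |= unix_args[j].flag;
    return ctrl;
}

/* Convenience: ctrl for a module line carrying exactly one option. */
static unsigned int ctrl_one(const char *tok) { const char *v[1] = { tok }; return set_ctrl(1, v); }

/* Original test in the broken_shadow patch: the enum index (2) is used as a
 * mask, so it really tests whichever option owns bit 0x02, here "nullok".
 * Depending on the table layout this reads as "always set" or "never set". */
static int broken_shadow_buggy(unsigned int ctrl) { return (ctrl & UNIX_BROKEN_SHADOW) != 0; }

/* Corrected test (this bug's patch): take the mask from the table entry. */
static int broken_shadow_fixed(unsigned int ctrl) { return (ctrl & unix_args[UNIX_BROKEN_SHADOW].flag) != 0; }

int main(void)
{
    const char *cases[] = { "audit", "nullok", "broken_shadow" };
    for (int i = 0; i < 3; i++)
        printf("%-14s buggy=%d fixed=%d\n", cases[i],
               broken_shadow_buggy(ctrl_one(cases[i])),
               broken_shadow_fixed(ctrl_one(cases[i])));
    return 0;
}
```

With this layout a module line carrying only `nullok` makes the buggy test report broken_shadow as set, while a line carrying `broken_shadow` itself makes it report unset; the table-driven test gets both right.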

Comment 4 Tomas Mraz 2004-10-27 07:26:31 UTC
The patch was applied.