Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 80223 - Abstraction violation: Bad responsibility separation between 'passwd' and PAM
Summary: Abstraction violation: Bad responsibility separation between 'passwd' and PAM
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Fedora
Classification: Fedora
Component: passwd
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Mike McLean
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2002-12-22 18:48 UTC by Konstantin Andreev
Modified: 2007-11-30 22:10 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-12-02 15:27:57 UTC


Attachments (Terms of Use)

Description Konstantin Andreev 2002-12-22 18:48:37 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)

Description of problem:
The following checks found in passwd.c source code:

1) L240: Only root can do that
2) L250: Only root can specify a user name
3) L299: Unknown user name

and, maybe (I'm not sure),

4) L290: Can not identify you

are not valid in PAM-aware password changing utility. These are the legacy 
checks, suitable for only pwdb ( /etc/{shadow,passwd} ) -aware utility. If 
using PAM, these check should be delegated to the corresponded pam_unix* and 
pam_pwdb modules.

Having these checks in 'passwd' will cause malfunctioning in the following 
environments:

1) where authentification subsystem, other than pwdb is used (some kind of 
remote authentification)
2) where filesystems supporting ACL are used.
3) ...

Version-Release number of selected component (if applicable):
passwd-0.67-3
pam-0.75-24

How reproducible: (not applicable)
Steps to Reproduce: (not applicable)
Actual Results:  (not applicable)
Expected Results:  (not applicable)

Comment 1 Tomas Mraz 2005-09-08 17:01:17 UTC
I will reconsider this in future.

Comment 2 Tomas Mraz 2005-12-02 12:45:29 UTC
Removing the checks would be a potential security problem as passwd is setuid
utility. Making passwd non-setuid would require changing pam_unix (and possibly
other PAM modules which take care of user passwords) to be able to change
passwords with uid != 0.


Comment 3 Konstantin Andreev 2005-12-02 13:22:25 UTC
(In reply to comment #2)
> Removing the checks would be a potential security problem as passwd is setuid
> utility. Making passwd non-setuid would require changing pam_unix (and 
possibly
> other PAM modules which take care of user passwords) to be able to change
> passwords with uid != 0.
> 

In other words, you are telling: "I do not know how to cope with this."

Yes, it's not easy. The question is not setuid OR not-setuid.  The question is 
about system design. You should change it to have a robust system.

Comment 4 Tomas Mraz 2005-12-02 15:27:57 UTC
No, I'm not telling "I do not know how to cope with this." I'm just telling
there aren't and in foreseeable future won't be resources available for doing this.

Feel free to create the necessary patches for all affected packages and submit
them for review.



Note You need to log in before you can comment on or make changes to this bug.