Bug 81233 - pam_unix - broken_shadow option
Summary: pam_unix - broken_shadow option
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: pam
Version: 7.3
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Jay Turner
Depends On:
Reported: 2003-01-06 22:43 UTC by M.Cerveny
Modified: 2015-01-08 00:02 UTC

Fixed In Version: pam-0.77-63
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2004-10-27 07:26:31 UTC

Attachments
necessary correction to ordinary broken_shadow patch (deleted)
2004-08-23 16:29 UTC, Dmitry Butskoy

Description M.Cerveny 2003-01-06 22:43:57 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.72 [en] (Windows NT 5.0; I)

Description of problem:
The "broken_shadow" option code has a bug. pam_unix can ignore invalid shadows.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
derived /etc/pam.d/system-auth

Actual Results:  sometimes ignore invalid shadow in account section in pam

Expected Results:  ignore only if option is set

Additional info:

add patch:

diff -uNr Linux-PAM-0.75.orig/modules/pam_unix/pam_unix_acct.c Linux-PAM-0.75/modules/pam_unix/pam_unix_acct.c
--- Linux-PAM-0.75.orig/modules/pam_unix/pam_unix_acct.c	Mon Jan  6 22:08:14 2003
+++ Linux-PAM-0.75/modules/pam_unix/pam_unix_acct.c	Mon Jan  6 22:10:00 2003
@@ -145,7 +145,7 @@
 	if (!spent)
-		if (ctrl & UNIX_BROKEN_SHADOW) {
+		if (ctrl & unix_args[UNIX_BROKEN_SHADOW].flag) {
 			if (ubuf) {
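Review bot: the pre-patch condition "if (ctrl & UNIX_BROKEN_SHADOW)" tests the option's position in the argument table as if it were a bit mask, so whether the branch is taken depends on which unrelated control bits happen to overlap the index value rather than on whether broken_shadow was given; "unix_args[UNIX_BROKEN_SHADOW].flag" is the right operand, as the "+" line does. Since the index is only meaningful as a table subscript, the same index-versus-mask pattern should be checked for anywhere else pam-0.75-unix-brokenshadow.patch tests this option before the corrected hunk is merged into that patch, and a one-line comment next to the test noting that UNIX_* constants are table indices, not masks, would stop the mistake from being reintroduced.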

Comment 1 buc 2003-11-04 13:53:27 UTC
  The actual problem.

  I want to make pam_unix account and pam_ldap account fully
independent. To do this, I use (/etc/pam.d/system-auth):

account     sufficient    /lib/security/
account     sufficient    /lib/security/

and (/etc/nsswitch.conf):

passwd:     files nisplus ldap
shadow:     files nisplus
group:      files nisplus ldap

  With these configs, original pam_unix account returns success for
all local unix users (and does not touch LDAP), and returns
"authinfo_unavail" for non-unix (ldap) users, which are satisfied by
the next pam_ldap account module.
  After "pam-0.75-unix-brokenshadow.patch" applied, the same should be
done if option "broken_shadow" IS NOT SET. But because of the bug in
this patch, pam_unix account module behaves like this option IS ALWAYS SET.
  Therefore, pam_unix always returns success, pam_ldap account is
never invoked, and LDAP restrictions for LDAP-users ("host",
"authorizedService" etc) are not checked :-(

  I am worried that this bug is not handled even in pam-77.*rpm of

Comment 2 Dmitry Butskoy 2004-08-23 16:29:36 UTC
Created attachment 102987
necessary correction to ordinary broken_shadow patch

Comment 3 Dmitry Butskoy 2004-08-23 16:36:00 UTC
Under RedHat-7.3 "broken_shadow" option behaves like "always set";
under Fedora Core 1 "broken_shadow" behaves like "never set" ...

  Attachment (id=102987) is a "patch for patch" - it resolves this
problem. I think it should not be an additional patch -- the ordinary
"broken_shadow" code should be corrected.
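The index-versus-mask mistake behind the two symptoms described above (option "always set" on one release, "never set" on another), and its effect on the pam_unix/pam_ldap account stack from Comment 1, as an added example that is not part of this bug report or of pam_unix's source. The option names, their indices, the bit layout of the control word and the two account decision functions are hypothetical stand-ins constructed for the example; only the shape of the two tests, "ctrl & UNIX_BROKEN_SHADOW" against "ctrl & unix_args[UNIX_BROKEN_SHADOW].flag", is taken from the patch.

```c
#include <stdio.h>
#include <string.h>

/* Return codes in the style of libpam; illustrative values only. */
enum { PAM_SUCCESS = 0, PAM_AUTHINFO_UNAVAIL = 9 };

/* Hypothetical option indices. pam_unix addresses its argument table by
 * position like this; the names and order are stand-ins for the example. */
enum { UNIX_NULLOK = 0, UNIX_DEBUG, UNIX_BROKEN_SHADOW, UNIX_NOT_SET_PASS, UNIX__NOPTS };

struct unix_option {
    const char  *token;  /* module argument as written in system-auth */
    unsigned int flag;   /* the bit this option owns in the control word */
};

/* Hypothetical argument table (constructed for the example). */
static const struct unix_option unix_args[UNIX__NOPTS] = {
    [UNIX_NULLOK]        = { "nullok",        1u << 0 },
    [UNIX_DEBUG]         = { "debug",         1u << 1 },
    [UNIX_BROKEN_SHADOW] = { "broken_shadow", 1u << 2 },
    [UNIX_NOT_SET_PASS]  = { "not_set_pass",  1u << 3 },
};

/* Turn the module's argv into a control word: one bit per recognised token. */
unsigned int parse_ctrl(int argc, const char **argv)
{
    unsigned int ctrl = 0;
    for (int i = 0; i < argc; i++)
        for (int j = 0; j < UNIX__NOPTS; j++)
            if (strcmp(argv[i], unix_args[j].token) == 0)
                ctrl |= unix_args[j].flag;
    return ctrl;
}

/* Pre-patch test: the table index (here 2) is AND-ed with ctrl as if it
 * were a mask, so the answer depends on whichever unrelated option owns
 * the bits that happen to be set in the index value. */
int broken_shadow_buggy(unsigned int ctrl)
{
    return (ctrl & UNIX_BROKEN_SHADOW) != 0;
}

/* Patched test: fetch the option's real mask from the table. */
int broken_shadow_fixed(unsigned int ctrl)
{
    return (ctrl & unix_args[UNIX_BROKEN_SHADOW].flag) != 0;
}

/* Simplified pam_unix account decision for a user who has a passwd entry
 * but no shadow entry, which is what an LDAP user looks like when
 * nsswitch serves "shadow:" from files only. */
int unix_acct_no_shadow(unsigned int ctrl, int (*is_broken_shadow)(unsigned int))
{
    if (is_broken_shadow(ctrl))
        return PAM_SUCCESS;           /* option honoured: tolerate the gap */
    return PAM_AUTHINFO_UNAVAIL;      /* hand over to the next module */
}

/* Stack from the report: "account sufficient pam_unix" followed by
 * "account sufficient pam_ldap". A SUCCESS from pam_unix ends the stack,
 * so pam_ldap's host/authorizedService checks run only on a non-success. */
int ldap_consulted(unsigned int ctrl, int (*is_broken_shadow)(unsigned int))
{
    return unix_acct_no_shadow(ctrl, is_broken_shadow) != PAM_SUCCESS;
}

int main(void)
{
    const char *only_debug[]  = { "debug" };
    const char *only_broken[] = { "broken_shadow" };
    unsigned int c_debug  = parse_ctrl(1, only_debug);
    unsigned int c_broken = parse_ctrl(1, only_broken);

    printf("args 'debug':         buggy=%d fixed=%d  ldap reached: buggy=%d fixed=%d\n",
           broken_shadow_buggy(c_debug), broken_shadow_fixed(c_debug),
           ldap_consulted(c_debug, broken_shadow_buggy),
           ldap_consulted(c_debug, broken_shadow_fixed));
    printf("args 'broken_shadow': buggy=%d fixed=%d\n",
           broken_shadow_buggy(c_broken), broken_shadow_fixed(c_broken));
    return 0;
}
```

With the hypothetical layout the buggy test reports broken_shadow as set whenever "debug" is given and as unset when only "broken_shadow" is given, i.e. it tracks a bit belonging to a different option. Which of the two symptoms an installation sees therefore depends only on the option's table position and on which options are on by default, which is why the same code looked "always set" on one release and "never set" on another. In the sufficient/sufficient stack, the false positive is the dangerous direction: pam_unix answers SUCCESS for the shadow-less LDAP user and pam_ldap's account restrictions are never evaluated.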

Comment 4 Tomas Mraz 2004-10-27 07:26:31 UTC
The patch was applied.
