Bug 86342 - pam_unix does not handle non-/etc/passwd password updates correctly
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: pam
Version: 9
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tomas Mraz
Reported: 2003-03-20 02:04 UTC by Kees Cook
Modified: 2007-04-18 16:52 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-10-27 07:14:26 UTC


Attachments
Patch to fix the problem. (deleted)
2003-03-20 02:06 UTC, Kees Cook
This patch is more complete. (deleted)
2003-03-20 02:59 UTC, Kees Cook

Description Kees Cook 2003-03-20 02:04:34 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021203

Description of problem:
pam_unix.so lets a PAM_SUCCESS through in a failure condition when performing a
password change (chauthtok).

If no NIS password is updated and no local file-based password is updated, the
default for retval (0 == PAM_SUCCESS) is returned.  This is not correct.

See attached patch.  Modern Linux-PAM (v0.76) has this fix already.

The user changing their password must be listed through getpwent (available
through any of /etc/nsswitch.conf's services), but NOT on the local filesystem's
/etc/passwd or /etc/shadow.


Version-Release number of selected component (if applicable):
pam-0.75-46

How reproducible:
Always

Steps to Reproduce:
1. Create some alternate nsswitch service to get passwd entries from.
2. Add another password module to the pam stack.
3. Attempt to change passwords for a user not on the local machine, but listed
through getpwent.
4. Password is shown to have succeeded, but the alternate password pam module
was never called.
    

Actual Results:  Password does not get updated, but pam_unix.so returns PAM_SUCCESS.

Expected Results:  pam_unix.so should fail, and let the next password module
take over.


Additional info:

Comment 1 Kees Cook 2003-03-20 02:06:58 UTC
Created attachment 90668
Patch to fix the problem.

Comment 2 Kees Cook 2003-03-20 02:59:17 UTC
Created attachment 90670
This patch is more complete.

This also fixes the problem where NIS servers are queried even when the "nis"
option isn't set.

Comment 3 Tomas Mraz 2004-10-27 07:14:26 UTC
FC2 uses pam-0.77
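
The failure mode from the description, reduced to a stand-alone model: a return value that defaults to 0 (PAM_SUCCESS) is returned unchanged when neither update branch runs, so the next password module is never reached. This is an added example, not the attached patch and not pam_unix source. The function names, the constructed account records, the use of PAM_AUTHTOK_ERR as the failure default and the stop-at-first-success stack are assumptions.

```c
#include <stdio.h>

/* Local stand-ins so the example builds without libpam (assumption). */
enum { PAM_SUCCESS = 0, PAM_AUTHTOK_ERR = 20 };

/* Constructed account records: where the user's password entry lives. */
struct account { const char *name; int in_nis; int in_local_files; };
static const struct account remote_user = { "remoteuser", 0, 0 }; /* nsswitch only */
static const struct account local_user  = { "localuser",  0, 1 }; /* /etc/passwd   */

/* Hypothetical back-end writers; each reports that it stored the password. */
static int update_nis(const struct account *a)   { (void)a; return PAM_SUCCESS; }
static int update_files(const struct account *a) { (void)a; return PAM_SUCCESS; }

/* Fail-open: retval starts as success and changes only if a branch runs. */
int setpass_fail_open(const struct account *a)
{
    int retval = 0;                        /* 0 == PAM_SUCCESS */
    if (a->in_nis)              retval = update_nis(a);
    else if (a->in_local_files) retval = update_files(a);
    return retval;                         /* no branch ran: still success */
}

/* Fail-closed: success has to come from a back-end that actually wrote. */
int setpass_fail_closed(const struct account *a)
{
    int retval = PAM_AUTHTOK_ERR;
    if (a->in_nis)              retval = update_nis(a);
    else if (a->in_local_files) retval = update_files(a);
    return retval;
}

typedef int (*chauthtok_fn)(const struct account *);

/* Assumed stack: a second password module runs only if the first one fails.
   Returns how many times the second module was reached. */
int second_module_reached(chauthtok_fn first, const struct account *a)
{
    int calls = 0;
    if (first(a) != PAM_SUCCESS)
        calls++;                           /* stand-in for the alternate module */
    return calls;
}

int main(void)
{
    printf("fail-open,   remote user: second module calls = %d\n",
           second_module_reached(setpass_fail_open, &remote_user));
    printf("fail-closed, remote user: second module calls = %d\n",
           second_module_reached(setpass_fail_closed, &remote_user));
    return 0;
}
```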

