Bug 1017518

Summary: authconfig should care about values passed to password policy options
Product: Red Hat Enterprise Linux 7
Reporter: David Spurek <dspurek>
Component: authconfig
Assignee: Tomas Mraz <tmraz>
Status: CLOSED CURRENTRELEASE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 7.0
CC: dspurek, ebenes
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: authconfig-6.2.8-1.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 10:35:09 UTC
Type: Bug

Description David Spurek 2013-10-10 05:31:19 UTC
Description of problem:
authconfig should care about values passed to password policy options.
These options are:
--passminlen=<number>
--passminclass=<number>
--passmaxrepeat=<number>
--passmaxclassrepeat=<number>

1) passminlen mustn't be set lower than 6 (see the note in /etc/security/pwquality.conf).
2) Values less than 0 (for example -3) shouldn't be allowed. Authconfig should return values != 0 in these cases.
3) Setting an option to a float value causes an error, but the return code is 0; this should be fixed too.

Steps 2 and 3 should be fixed for all options mentioned at the beginning.

Version-Release number of selected component (if applicable):
authconfig-6.2.7-1.el7

How reproducible:
always

Steps to Reproduce:
1. authconfig --update --passminlen=3
2. authconfig --update --passminlen=-3
3. authconfig --update --passminlen=8.5

Actual results:
1)
#:: [   PASS   ] :: Running 'authconfig --update --passminlen=3' (Expected 0, got 0)
#EXP_SCRIPT=/tmp/tmp.S6rjksz7nY
#spawn su - testuser_bz515809
#Last login: Wed Oct  9 10:59:42 EDT 2013 on pts/1
#[testuser_bz515809@ibm-x3650m4-01-vm-05 ~]$ passwd
#Changing password for user testuser_bz515809.
#Changing password for testuser_bz515809.
#(current) UNIX password: 
#passwd: Authentication token manipulation error
#[testuser_bz515809@ibm-x3650m4-01-vm-05 ~]$ RET=234
#:: [   FAIL   ] :: Running 'test_pass_change testuser_bz515809 jjlhahsd qlk' (Expected 0, got 234)

Setting passminlen to a value < 6 is allowed and the value is stored in /etc/security/pwquality.conf, but the passwd change fails.

2)
#[test]authconfig --update --passminlen=-3
#Boolean allow_ypbind is not defined
#Boolean authlogin_nsswitch_use_ldap is not defined
#[test]echo $?
#0

This case should cause an error (a message should be thrown on output), and the return code should be != 0.

3)
#[test]authconfig --update --passminlen=8.5
#authconfig: The passminlen option value is not an integer
#[test]echo $?
#0

This case causes an error, but the return code should be != 0.



Comment 1 David Spurek 2013-10-10 07:15:55 UTC
Other issue found:

4) --passminclass=<number> - minimum number of character classes in a password
We have only 4 types of classes - digits, lowercase, uppercase, other.
So only values 1-4 should be permitted.

:: [   FAIL   ] :: Running 'authconfig --update --passminclass=5' (Expected 1-255, got 0)
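
The checks requested in the description and in Comment 1, written out as an added example; this is not authconfig's code and not the fix shipped in authconfig-6.2.8-1.el7. The names `BOUNDS`, `check_option` and `run`, the exit status 2 and the range-error wording are assumptions made for illustration; the limits are the ones the reporter asks for.

```python
import re
import sys

# Limits as requested in this report (assumed, not read from authconfig's source):
# passminlen >= 6, passminclass 1-4, both repeat limits >= 0.
BOUNDS = {
    "passminlen": (6, None),
    "passminclass": (1, 4),
    "passmaxrepeat": (0, None),
    "passmaxclassrepeat": (0, None),
}


def check_option(name, raw):
    """Return (value, None) if raw is acceptable for name, else (None, message)."""
    # Strict decimal integer: rejects "8.5", "", " 8", "1_0"; "-3" parses and
    # is then rejected by the range check so the message names the real problem.
    if not re.fullmatch(r"-?[0-9]+", raw):
        return None, "The %s option value is not an integer" % name
    value = int(raw)
    low, high = BOUNDS[name]
    if value < low:
        return None, "The %s option value must be at least %d" % (name, low)
    if high is not None and value > high:
        return None, "The %s option value must be at most %d" % (name, high)
    return value, None


def run(argv):
    """Validate every --<policy option>=<value> argument; return an exit code."""
    status = 0
    for arg in argv:
        name, sep, raw = arg.lstrip("-").partition("=")
        if name not in BOUNDS or not sep:
            continue  # not one of the four options covered by this report
        _, err = check_option(name, raw)
        if err:
            sys.stderr.write("error: %s\n" % err)
            status = 2  # non-zero, so scripts and test harnesses see the failure
    return status


if __name__ == "__main__":
    sys.exit(run(sys.argv[1:]))
```

Validation runs before anything is written, so a rejected value never reaches /etc/security/pwquality.conf.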

Comment 2 David Spurek 2013-10-10 12:44:53 UTC
When I use authconfig-gtk and pass number '-3' for example, it is automatically set to value 5, but this is not good as minlen value because it shouldn't be set lower than 6.

Comment 5 Ludek Smid 2014-06-13 10:35:09 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.