Bug 80223

Summary: Abstraction violation: Bad responsibility separation between 'passwd' and PAM
Product: [Fedora] Fedora
Reporter: Konstantin Andreev <pka>
Component: passwd
Assignee: Tomas Mraz <tmraz>
Status: CLOSED DEFERRED
QA Contact: Mike McLean <mikem>
Severity: medium
Priority: medium
Version: rawhide
CC: mitr
Keywords: FutureFeature
Hardware: All
OS: Linux
Doc Type: Enhancement
Last Closed: 2005-12-02 15:27:57 UTC

Description Konstantin Andreev 2002-12-22 18:48:37 UTC

Description of problem:
The following checks found in the passwd.c source code:

1) L240: Only root can do that
2) L250: Only root can specify a user name
3) L299: Unknown user name

and, maybe (I'm not sure),

4) L290: Can not identify you

are not valid in a PAM-aware password-changing utility. These are legacy
checks, suitable only for a pwdb (/etc/{shadow,passwd})-aware utility. If
using PAM, these checks should be delegated to the corresponding pam_unix* and
pam_pwdb modules.

Having these checks in 'passwd' will cause malfunctioning in the following 
environments:

1) where an authentication subsystem other than pwdb is used (some kind of
remote authentication)
2) where filesystems supporting ACLs are used.
3) ...

Version-Release number of selected component (if applicable):
passwd-0.67-3
pam-0.75-24

How reproducible: (not applicable)
Steps to Reproduce: (not applicable)
Actual Results:  (not applicable)
Expected Results:  (not applicable)

Comment 1 Tomas Mraz 2005-09-08 17:01:17 UTC
I will reconsider this in future.

Comment 2 Tomas Mraz 2005-12-02 12:45:29 UTC
Removing the checks would be a potential security problem as passwd is a setuid
utility. Making passwd non-setuid would require changing pam_unix (and possibly
other PAM modules which take care of user passwords) to be able to change
passwords with uid != 0.
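
The four checks listed in the description, together with the setuid concern raised in comment 2, as an added C sketch that is not the code from passwd.c or from any commenter. `gate`, `in_sample_db`, the verdict names and the account list are hypothetical, and the check order follows the line order given in the report.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum verdict { ALLOW, ONLY_ROOT_OPTION, ONLY_ROOT_USERNAME,
               CANNOT_IDENTIFY, UNKNOWN_USER };

typedef int (*exists_fn)(const char *name);   /* non-zero if account exists */

/* Constructed account list so the gate can be exercised offline. */
static int in_sample_db(const char *name)
{
    return strcmp(name, "root") == 0 || strcmp(name, "alice") == 0;
}

/* Hypothetical gate run before any PAM call. ruid must be the REAL uid:
 * in a setuid-root binary the effective uid is 0 for every caller, so a
 * check against geteuid() would treat every caller as root. */
enum verdict gate(uid_t ruid, const char *caller, int admin_opt,
                  const char *target, exists_fn exists)
{
    if (admin_opt && ruid != 0)
        return ONLY_ROOT_OPTION;     /* "Only root can do that" */
    if (target != NULL && ruid != 0)
        return ONLY_ROOT_USERNAME;   /* "Only root can specify a user name" */
    if (target == NULL)
        target = caller;             /* default: the caller's own account */
    if (target == NULL)
        return CANNOT_IDENTIFY;      /* "Can not identify you" */
    if (!exists(target))
        return UNKNOWN_USER;         /* "Unknown user name" */
    return ALLOW;                    /* only now would PAM be invoked */
}

int main(int argc, char **argv)
{
    struct passwd *me = getpwuid(getuid());   /* real uid, not geteuid() */
    enum verdict v = gate(getuid(), me ? me->pw_name : NULL, 0,
                          argc > 1 ? argv[1] : NULL, in_sample_db);
    printf("ruid=%d euid=%d verdict=%d\n",
           (int)getuid(), (int)geteuid(), (int)v);
    return v == ALLOW ? 0 : 1;
}
```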


Comment 3 Konstantin Andreev 2005-12-02 13:22:25 UTC
(In reply to comment #2)
> Removing the checks would be a potential security problem as passwd is a setuid
> utility. Making passwd non-setuid would require changing pam_unix (and possibly
> other PAM modules which take care of user passwords) to be able to change
> passwords with uid != 0.
>

In other words, you are saying: "I do not know how to cope with this."

Yes, it's not easy. The question is not setuid OR not-setuid.  The question is 
about system design. You should change it to have a robust system.

Comment 4 Tomas Mraz 2005-12-02 15:27:57 UTC
No, I'm not saying "I do not know how to cope with this." I'm just saying
there aren't, and in the foreseeable future won't be, resources available for doing this.

Feel free to create the necessary patches for all affected packages and submit
them for review.