Bug 81233
Summary: pam_unix - broken_shadow option
Product: [Retired] Red Hat Linux
Component: pam
Version: 7.3
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Reporter: M.Cerveny <m.cerveny>
Assignee: Tomas Mraz <tmraz>
QA Contact: Jay Turner <jturner>
CC: srevivo
Fixed In Version: pam-0.77-63
Doc Type: Bug Fix
Last Closed: 2004-10-27 07:26:31 UTC

Description
M.Cerveny
2003-01-06 22:43:57 UTC
The actual problem. I want to make pam_unix account and pam_ldap account fully independent. To do this, I use (/etc/pam.d/system-auth):

    account sufficient /lib/security/pam_unix.so
    account sufficient /lib/security/pam_ldap.so

and (/etc/nsswitch.conf):

    passwd: files nisplus ldap
    shadow: files nisplus
    group: files nisplus ldap

With these configs, the original pam_unix account returns success for all local unix users (and does not touch LDAP), and returns "authinfo_unavail" for non-unix (ldap) users, which are satisfied by the next pam_ldap account module.

After "pam-0.75-unix-brokenshadow.patch" was applied, the same should be done if option "broken_shadow" IS NOT SET. But because of the bug in this patch, the pam_unix account module behaves as if this option IS ALWAYS SET. Therefore, pam_unix always returns success, pam_ldap account is never invoked, and LDAP restrictions for LDAP users ("host", "authorizedService" etc) are not checked :-(

I am worried that this bug is not handled even in pam-77.*rpm of Severn...

Created attachment 102987
necessary correction to ordinary broken_shadow patch

Under RedHat-7.3 the "broken_shadow" option behaves like "always set"; under Fedora Core 1 "broken_shadow" behaves like "never set"... Attachment (id=102987) is a "patch for patch" - it resolves this problem. I think it should not be an additional patch -- the ordinary "broken_shadow" code should be corrected.

The patch was applied.
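
The account stack from the report, modelled as an added example (not code from pam or from the attached patch): it shows how an always-on broken_shadow makes the first "sufficient" module succeed for a user with no shadow entry, so the pam_ldap restriction is never evaluated. The function names, the sample users and the simplified "sufficient" handling are assumptions of this model.

```c
#include <stdio.h>

/* Names follow the Linux-PAM return codes; the values are local to this model. */
enum rc { SUCCESS, AUTHINFO_UNAVAIL, PERM_DENIED };

/* Constructed sample users: has_shadow = entry in the local shadow file,
   ldap_host_ok = the directory "host" restriction permits this machine. */
struct user { const char *name; int has_shadow; int ldap_host_ok; };

/* Model of the pam_unix account step as the report describes it. */
static enum rc unix_acct(const struct user *u, int broken_shadow)
{
    if (u->has_shadow)
        return SUCCESS;
    return broken_shadow ? SUCCESS : AUTHINFO_UNAVAIL;
}

/* Model of the pam_ldap account step: enforces the LDAP restriction. */
static enum rc ldap_acct(const struct user *u)
{
    return u->ldap_host_ok ? SUCCESS : PERM_DENIED;
}

/* Two "sufficient" entries: the first success ends the stack, a failure
   falls through to the next module. */
enum rc account_stack(const struct user *u, int broken_shadow, int *ldap_ran)
{
    *ldap_ran = 0;
    if (unix_acct(u, broken_shadow) == SUCCESS)
        return SUCCESS;
    *ldap_ran = 1;
    return ldap_acct(u);
}

int main(void)
{
    struct user users[] = { {"localuser", 1, 0}, {"ldapuser", 0, 0} };
    for (int bs = 0; bs <= 1; bs++)
        for (int i = 0; i < 2; i++) {
            int ran;
            enum rc r = account_stack(&users[i], bs, &ran);
            printf("broken_shadow=%d %-9s -> %s (pam_ldap consulted: %s)\n",
                   bs, users[i].name, r == SUCCESS ? "allowed" : "denied",
                   ran ? "yes" : "no");
        }
    return 0;
}
```

With broken_shadow in effect, "ldapuser" is allowed without pam_ldap being consulted, which is the behaviour the report describes for Red Hat 7.3.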