Bug 81233

Summary: pam_unix - broken_shadow option
Product: [Retired] Red Hat Linux Reporter: M.Cerveny <m.cerveny>
Component: pamAssignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE QA Contact: Jay Turner <jturner>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.3CC: srevivo
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pam-0.77-63 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-10-27 07:26:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
necessary correction to ordinary broken_shadow patch none

Description M.Cerveny 2003-01-06 22:43:57 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/4.72 [en] (Windows NT 5.0; I)

Description of problem:
The "broken_shadow" option code has a bug. pam_unix can ignore invalid shadows.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
derived /etc/pam.d/system-auth


Actual Results:  sometimes ignore invalid shadow in account section in pam

Expected Results:  ignore only if option is set

Additional info:

add patch:

diff -uNr Linux-PAM-0.75.orig/modules/pam_unix/pam_unix_acct.c Linux-PAM-0.75/modules/pam_unix/pam_unix_acct.c
--- Linux-PAM-0.75.orig/modules/pam_unix/pam_unix_acct.c	Mon Jan  6 22:08:14 2003
+++ Linux-PAM-0.75/modules/pam_unix/pam_unix_acct.c	Mon Jan  6 22:10:00 2003
@@ -145,7 +145,7 @@
 	}
 
 	if (!spent)
-		if (ctrl & UNIX_BROKEN_SHADOW) {
+		if (ctrl & unix_args[UNIX_BROKEN_SHADOW].flag) {
 			if (ubuf) {
 				free(ubuf);
 			}
Comment 1 buc 2003-11-04 13:53:27 UTC 
  The actual problem.

  I want to make pam_unix account and pam_ldap account fully
independent. To do this, I use (/etc/pam.d/system-auth):

account     sufficient    /lib/security/pam_unix.so
account     sufficient    /lib/security/pam_ldap.so

and (/etc/nsswitch.conf):

passwd:     files nisplus ldap
shadow:     files nisplus
group:      files nisplus ldap

  With these configs, original pam_unix account returns success for
all local unix users (and does not touch LDAP), and returns
"authinfo_unavail" for non-unix (ldap) users, which are satisfied by
the next pam_ldap account module.
  After "pam-0.75-unix-brokenshadow.patch" applied, the same should be
done if option "broken_shadow" IS NOT SET. But because of the bug in
this patch, pam_unix account module behavs like this option IS ALWAYS SET.
  Therefore, pam_unix always returns success, pam_ldap account is
never invoked, and LDAP restrictions for LDAP-users ("host",
"authorizedService" etc) are not checked :-(

  I am worry about this bug is not handled even in pam-77.*rpm of
Severn...
Comment 2 Dmitry Butskoy 2004-08-23 16:29:36 UTC 
Created attachment 102987 [details]
necessary correction to ordinary broken_shadow patch
Comment 3 Dmitry Butskoy 2004-08-23 16:36:00 UTC 
Under RedHat-7.3 "broken_shadow" option behavеs like "always set" ;
under Fedora Core 1 "broken_shadow" behaves like "never set" ...

  Attachment (id=102987) is a "patch for patch" - it resolves this
problem. I think, it should not be an additional patch -- ordinary
"broken_shadow" code should be corrected.
Comment 4 Tomas Mraz 2004-10-27 07:26:31 UTC 
The patch was applied.