Bug 86342
| Summary: | pam_unix does not handle non-/etc/passwd password updates correctly | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | Kees Cook <kees> | ||||||
| Component: | pam | Assignee: | Tomas Mraz <tmraz> | ||||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | medium | ||||||||
| Version: | 9 | Keywords: | Patch, Security | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2004-10-27 07:14:26 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
Created attachment 90668 [details]
Patch to fix the problem.
Created attachment 90670 [details]
This patch is more complete.
This also fixes the problem where NIS servers are queried even when the "nis"
option isn't set.
FC2 uses pam-0.77 |
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021203 Description of problem: pam_unix.so lets a PAM_SUCCESS through in a failure condition when performing a password change (chauthtok). If no NIS password is updated and no local file-based password is updated, the default for retval (0 == PAM_SUCCESS) is returned. This is not correct. See attached patch. Modern Linux-PAM (v0.76) has this fix already. The user changing their password must be listed through getpwent (available through any of /etc/nsswitch.conf's services), but NOT on the local filesystem's /etc/passwd or /etc/shadow. Version-Release number of selected component (if applicable): pam-0.75-46 How reproducible: Always Steps to Reproduce: 1. Create some alternate nsswitch service to get passwd entries from. 2. Add another password module to the pam stack. 3. Attempt to change passwords for a user not on the local machine, but listed through getpwent. 4. Password is shown to have succeeded, but the alternate password pam module was never called. Actual Results: Password does not get updated, but pam_unix.so returns PAM_SUCCESS. Expected Results: pam_unix.so should fail, and let the next password module take over. Additional info: