From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)

Description of problem:
The following checks found in passwd.c source code:
1) L240: Only root can do that
2) L250: Only root can specify a user name
3) L299: Unknown user name
and, maybe (I'm not sure),
4) L290: Can not identify you
are not valid in a PAM-aware password changing utility.

These are the legacy checks, suitable only for a pwdb ( /etc/{shadow,passwd} ) -aware utility. If using PAM, these checks should be delegated to the corresponding pam_unix* and pam_pwdb modules.

Having these checks in 'passwd' will cause malfunctioning in the following environments:
1) where an authentication subsystem other than pwdb is used (some kind of remote authentication)
2) where filesystems supporting ACL are used.
3) ...

Version-Release number of selected component (if applicable):
passwd-0.67-3
pam-0.75-24

How reproducible: (not applicable)
Steps to Reproduce: (not applicable)
Actual Results: (not applicable)
Expected Results: (not applicable)

I will reconsider this in future.

Removing the checks would be a potential security problem as passwd is a setuid utility. Making passwd non-setuid would require changing pam_unix (and possibly other PAM modules which take care of user passwords) to be able to change passwords with uid != 0.

(In reply to comment #2)
> Removing the checks would be a potential security problem as passwd is a setuid
> utility. Making passwd non-setuid would require changing pam_unix (and possibly
> other PAM modules which take care of user passwords) to be able to change
> passwords with uid != 0.
>

In other words, you are telling: "I do not know how to cope with this."
Yes, it's not easy.
The question is not setuid OR not-setuid. The question is about system design. You should change it to have a robust system.

No, I'm not telling "I do not know how to cope with this." I'm just telling there aren't and in the foreseeable future won't be resources available for doing this. Feel free to create the necessary patches for all affected packages and submit them for review.