This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours
Bug 80223 - Abstraction violation: Bad responsibility separation between 'passwd' and PAM
Abstraction violation: Bad responsibility separation between 'passwd' and PAM
Status: CLOSED DEFERRED
Product: Fedora
Classification: Fedora
Component: passwd (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Mike McLean
: FutureFeature
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2002-12-22 13:48 EST by Konstantin Andreev
Modified: 2007-11-30 17:10 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-12-02 10:27:57 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Konstantin Andreev 2002-12-22 13:48:37 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)

Description of problem:
The following checks found in passwd.c source code:

1) L240: Only root can do that
2) L250: Only root can specify a user name
3) L299: Unknown user name

and, maybe (I'm not sure),

4) L290: Can not identify you

are not valid in PAM-aware password changing utility. These are the legacy 
checks, suitable for only pwdb ( /etc/{shadow,passwd} ) -aware utility. If 
using PAM, these check should be delegated to the corresponded pam_unix* and 
pam_pwdb modules.

Having these checks in 'passwd' will cause malfunctioning in the following 
environments:

1) where authentification subsystem, other than pwdb is used (some kind of 
remote authentification)
2) where filesystems supporting ACL are used.
3) ...

Version-Release number of selected component (if applicable):
passwd-0.67-3
pam-0.75-24

How reproducible: (not applicable)
Steps to Reproduce: (not applicable)
Actual Results:  (not applicable)
Expected Results:  (not applicable)
Comment 1 Tomas Mraz 2005-09-08 13:01:17 EDT
I will reconsider this in future.
Comment 2 Tomas Mraz 2005-12-02 07:45:29 EST
Removing the checks would be a potential security problem as passwd is setuid
utility. Making passwd non-setuid would require changing pam_unix (and possibly
other PAM modules which take care of user passwords) to be able to change
passwords with uid != 0.
Comment 3 Konstantin Andreev 2005-12-02 08:22:25 EST
(In reply to comment #2)
> Removing the checks would be a potential security problem as passwd is setuid
> utility. Making passwd non-setuid would require changing pam_unix (and 
possibly
> other PAM modules which take care of user passwords) to be able to change
> passwords with uid != 0.
> 

In other words, you are telling: "I do not know how to cope with this."

Yes, it's not easy. The question is not setuid OR not-setuid.  The question is 
about system design. You should change it to have a robust system.
Comment 4 Tomas Mraz 2005-12-02 10:27:57 EST
No, I'm not telling "I do not know how to cope with this." I'm just telling
there aren't and in foreseeable future won't be resources available for doing this.

Feel free to create the necessary patches for all affected packages and submit
them for review.

Note You need to log in before you can comment on or make changes to this bug.