Bug 81233 - pam_unix - broken_shadow option
Summary: pam_unix - broken_shadow option
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: pam
Version: 7.3
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Jay Turner
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2003-01-06 22:43 UTC by M.Cerveny
Modified: 2015-01-08 00:02 UTC (History)
1 user (show)

Fixed In Version: pam-0.77-63
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-10-27 07:26:31 UTC

Attachments (Terms of Use)
necessary correction to ordinary broken_shadow patch (441 bytes, patch)
2004-08-23 16:29 UTC, Dmitry Butskoy 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Description M.Cerveny 2003-01-06 22:43:57 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/4.72 [en] (Windows NT 5.0; I)

Description of problem:
The "broken_shadow" option code has a bug. pam_unix can ignore invalid shadows.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
derived /etc/pam.d/system-auth


Actual Results:  sometimes ignore invalid shadow in account section in pam

Expected Results:  ignore only if option is set

Additional info:

add patch:

diff -uNr Linux-PAM-0.75.orig/modules/pam_unix/pam_unix_acct.c Linux-PAM-0.75/modules/pam_unix/pam_unix_acct.c
--- Linux-PAM-0.75.orig/modules/pam_unix/pam_unix_acct.c	Mon Jan  6 22:08:14 2003
+++ Linux-PAM-0.75/modules/pam_unix/pam_unix_acct.c	Mon Jan  6 22:10:00 2003
@@ -145,7 +145,7 @@
 	}
 
 	if (!spent)
-		if (ctrl & UNIX_BROKEN_SHADOW) {
+		if (ctrl & unix_args[UNIX_BROKEN_SHADOW].flag) {
 			if (ubuf) {
 				free(ubuf);
 			}
Comment 1 buc 2003-11-04 13:53:27 UTC 
  The actual problem.

  I want to make pam_unix account and pam_ldap account fully
independent. To do this, I use (/etc/pam.d/system-auth):

account     sufficient    /lib/security/pam_unix.so
account     sufficient    /lib/security/pam_ldap.so

and (/etc/nsswitch.conf):

passwd:     files nisplus ldap
shadow:     files nisplus
group:      files nisplus ldap

  With these configs, original pam_unix account returns success for
all local unix users (and does not touch LDAP), and returns
"authinfo_unavail" for non-unix (ldap) users, which are satisfied by
the next pam_ldap account module.
  After "pam-0.75-unix-brokenshadow.patch" applied, the same should be
done if option "broken_shadow" IS NOT SET. But because of the bug in
this patch, pam_unix account module behavs like this option IS ALWAYS SET.
  Therefore, pam_unix always returns success, pam_ldap account is
never invoked, and LDAP restrictions for LDAP-users ("host",
"authorizedService" etc) are not checked :-(

  I am worry about this bug is not handled even in pam-77.*rpm of
Severn...
Comment 2 Dmitry Butskoy 2004-08-23 16:29:36 UTC 
Created attachment 102987 [details]
necessary correction to ordinary broken_shadow patch
Comment 3 Dmitry Butskoy 2004-08-23 16:36:00 UTC 
Under RedHat-7.3 "broken_shadow" option behavеs like "always set" ;
under Fedora Core 1 "broken_shadow" behaves like "never set" ...

  Attachment (id=102987) is a "patch for patch" - it resolves this
problem. I think, it should not be an additional patch -- ordinary
"broken_shadow" code should be corrected.
Comment 4 Tomas Mraz 2004-10-27 07:26:31 UTC 
The patch was applied.
Note You need to log in before you can comment on or make changes to this bug.