From Bugzilla Helper:
User-Agent: Mozilla/4.72 [en] (Windows NT 5.0; I)

Description of problem:
The "broken_shadow" option code has a bug. pam_unix can ignore invalid shadows.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
derived /etc/pam.d/system-auth

Actual Results: sometimes ignore invalid shadow in account section in pam

Expected Results: ignore only if option is set

Additional info:
add patch:

diff -uNr Linux-PAM-0.75.orig/modules/pam_unix/pam_unix_acct.c Linux-PAM-0.75/modules/pam_unix/pam_unix_acct.c
--- Linux-PAM-0.75.orig/modules/pam_unix/pam_unix_acct.c Mon Jan 6 22:08:14 2003
+++ Linux-PAM-0.75/modules/pam_unix/pam_unix_acct.c Mon Jan 6 22:10:00 2003
@@ -145,7 +145,7 @@
 }
 if (!spent)
- if (ctrl & UNIX_BROKEN_SHADOW) {
+ if (ctrl & unix_args[UNIX_BROKEN_SHADOW].flag) {
 if (ubuf) {
 free(ubuf);
 }
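Review bot: the one-line change in the hunk is the right fix in kind: "ctrl & UNIX_BROKEN_SHADOW" masks ctrl with the option's index into unix_args[], not with the bit that option sets, so the branch fires whenever unrelated bits already present in ctrl happen to overlap that index value and never fires when they do not, which is exactly the "always set" / "never set" split reported for different builds; "ctrl & unix_args[UNIX_BROKEN_SHADOW].flag" tests the bit the option actually sets. Two things to add before this is applied: grep the rest of pam_unix for any other raw "ctrl & UNIX_*" test, since a second instance would reintroduce the same defect; and the patch description should state the consequence in the account stack, namely that with "account sufficient pam_unix.so" the wrong branch returns success for a user who has no shadow entry and the following module is never consulted.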
The actual problem. I want to make pam_unix account and pam_ldap account fully independent. To do this, I use (/etc/pam.d/system-auth):

account sufficient /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so

and (/etc/nsswitch.conf):

passwd: files nisplus ldap
shadow: files nisplus
group: files nisplus ldap

With these configs, the original pam_unix account module returns success for all local unix users (and does not touch LDAP), and returns "authinfo_unavail" for non-unix (LDAP) users, who are then satisfied by the next pam_ldap account module. After "pam-0.75-unix-brokenshadow.patch" is applied, the same should happen if the option "broken_shadow" IS NOT SET. But because of the bug in this patch, the pam_unix account module behaves as if this option IS ALWAYS SET. Therefore pam_unix always returns success, pam_ldap account is never invoked, and LDAP restrictions for LDAP users ("host", "authorizedService", etc.) are not checked :-( I am worried that this bug is not handled even in the pam-77.*rpm of Severn...
Created attachment 102987: necessary correction to ordinary broken_shadow patch
Under RedHat-7.3 the "broken_shadow" option behaves like "always set"; under Fedora Core 1 "broken_shadow" behaves like "never set"... Attachment (id=102987) is a "patch for patch" - it resolves this problem. I think it should not be an additional patch -- the ordinary "broken_shadow" code should be corrected.
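To make the two failure modes described in this thread concrete, here is an added example that is not code from the pam_unix module or from this bug's attachments. It uses a constructed option table that only mirrors the shape of unix_args[]: the enum value is the table index, and the table entry holds the bit the option sets in ctrl. The index values, the flag bits, the "debug" option whose bit happens to coincide with the index, and the ACCT_* result values are all assumptions of this model, not the real module's numbering. The point it shows is that the '-' line's test depends on which unrelated bits ctrl happens to carry, while the '+' line's test depends only on whether broken_shadow was given.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for pam_unix's option table (NOT the real
 * unix_args[] from support.h): the enum value is an INDEX into the
 * table, and the table entry carries the BIT the option sets in ctrl. */
enum { UNIX_NULLOK = 0, UNIX_DEBUG, UNIX_BROKEN_SHADOW, UNIX_ARGS_COUNT };

struct unix_opt { const char *token; unsigned int flag; };

static const struct unix_opt unix_args[UNIX_ARGS_COUNT] = {
    [UNIX_NULLOK]        = { "nullok",        0x1u },
    [UNIX_DEBUG]         = { "debug",         0x2u },  /* assumed: bit == index of UNIX_BROKEN_SHADOW */
    [UNIX_BROKEN_SHADOW] = { "broken_shadow", 0x4u },
};

/* Model of the two account-check outcomes relevant here (values arbitrary). */
enum { ACCT_SUCCESS = 0, ACCT_AUTHINFO_UNAVAIL = 1 };

/* Build ctrl from the module arguments, starting from 'base', which stands
 * in for whatever bits a particular build leaves set by default. */
unsigned int parse_ctrl(unsigned int base, int argc, const char **argv)
{
    unsigned int ctrl = base;
    for (int i = 0; i < argc; i++)
        for (int j = 0; j < UNIX_ARGS_COUNT; j++)
            if (strcmp(argv[i], unix_args[j].token) == 0)
                ctrl |= unix_args[j].flag;
    return ctrl;
}

/* The '-' line of the patch: the table index is used as if it were a mask. */
int broken_shadow_buggy(unsigned int ctrl)
{
    return (ctrl & UNIX_BROKEN_SHADOW) != 0;
}

/* The '+' line of the patch: the option's own bit is tested. */
int broken_shadow_fixed(unsigned int ctrl)
{
    return (ctrl & unix_args[UNIX_BROKEN_SHADOW].flag) != 0;
}

/* What the account stack sees for a user with no shadow entry (the LDAP
 * user in the report): the missing entry is ignored only if the option is
 * set; otherwise the module reports shadow info as unavailable so that the
 * next "sufficient" module (pam_ldap) gets its turn. */
int account_no_shadow(unsigned int ctrl, int (*option_set)(unsigned int))
{
    return option_set(ctrl) ? ACCT_SUCCESS : ACCT_AUTHINFO_UNAVAIL;
}

int main(void)
{
    const char *with_opt[]    = { "broken_shadow" };
    const char *unrelated[]   = { "debug" };

    unsigned int c_opt = parse_ctrl(0, 1, with_opt);   /* 0x4 */
    unsigned int c_dbg = parse_ctrl(0, 1, unrelated);  /* 0x2 */

    printf("broken_shadow given:  buggy=%d fixed=%d\n",
           broken_shadow_buggy(c_opt), broken_shadow_fixed(c_opt));
    printf("only 'debug' given:   buggy=%d fixed=%d\n",
           broken_shadow_buggy(c_dbg), broken_shadow_fixed(c_dbg));
    printf("no shadow, 'debug' only, buggy test -> %s\n",
           account_no_shadow(c_dbg, broken_shadow_buggy) == ACCT_SUCCESS
               ? "success (pam_ldap never runs)" : "authinfo_unavail");
    return 0;
}
```

Compile with cc -std=c99 and run. With only broken_shadow given, the buggy test reports the option as unset (the "never set" behaviour described above); with only an unrelated option whose bit overlaps the index, it reports the option as set and the account check succeeds for a user with no shadow entry (the "always set" behaviour), which is what lets a "sufficient" pam_unix short-circuit the pam_ldap account check in the stack from the report.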
The patch was applied.