First Last Prev Next    This bug is not in your last search results.
Bug 81233 - pam_unix - broken_shadow option
pam_unix - broken_shadow option
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: pam (Show other bugs)
7.3
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Jay Turner
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-01-06 17:43 EST by M.Cerveny
Modified: 2015-01-07 19:02 EST (History)
1 user (show)

See Also:
Fixed In Version: pam-0.77-63
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-10-27 03:26:31 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
necessary correction to ordinary broken_shadow patch (441 bytes, patch)
2004-08-23 12:29 EDT, Dmitry Butskoy 		no flags Details | Diff
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description M.Cerveny 2003-01-06 17:43:57 EST 
From Bugzilla Helper:
User-Agent: Mozilla/4.72 [en] (Windows NT 5.0; I)

Description of problem:
The "broken_shadow" option code has a bug. pam_unix can ignore invalid shadows.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
derived /etc/pam.d/system-auth


Actual Results:  sometimes ignore invalid shadow in account section in pam

Expected Results:  ignore only if option is set

Additional info:

add patch:

diff -uNr Linux-PAM-0.75.orig/modules/pam_unix/pam_unix_acct.c Linux-PAM-0.75/modules/pam_unix/pam_unix_acct.c
--- Linux-PAM-0.75.orig/modules/pam_unix/pam_unix_acct.c	Mon Jan  6 22:08:14 2003
+++ Linux-PAM-0.75/modules/pam_unix/pam_unix_acct.c	Mon Jan  6 22:10:00 2003
@@ -145,7 +145,7 @@
 	}
 
 	if (!spent)
-		if (ctrl & UNIX_BROKEN_SHADOW) {
+		if (ctrl & unix_args[UNIX_BROKEN_SHADOW].flag) {
 			if (ubuf) {
 				free(ubuf);
 			}
Comment 1 buc 2003-11-04 08:53:27 EST 
  The actual problem.

  I want to make pam_unix account and pam_ldap account fully
independent. To do this, I use (/etc/pam.d/system-auth):

account     sufficient    /lib/security/pam_unix.so
account     sufficient    /lib/security/pam_ldap.so

and (/etc/nsswitch.conf):

passwd:     files nisplus ldap
shadow:     files nisplus
group:      files nisplus ldap

  With these configs, original pam_unix account returns success for
all local unix users (and does not touch LDAP), and returns
"authinfo_unavail" for non-unix (ldap) users, which are satisfied by
the next pam_ldap account module.
  After "pam-0.75-unix-brokenshadow.patch" applied, the same should be
done if option "broken_shadow" IS NOT SET. But because of the bug in
this patch, pam_unix account module behavs like this option IS ALWAYS SET.
  Therefore, pam_unix always returns success, pam_ldap account is
never invoked, and LDAP restrictions for LDAP-users ("host",
"authorizedService" etc) are not checked :-(

  I am worry about this bug is not handled even in pam-77.*rpm of
Severn...
Comment 2 Dmitry Butskoy 2004-08-23 12:29:36 EDT 
Created attachment 102987 [details]
necessary correction to ordinary broken_shadow patch
Comment 3 Dmitry Butskoy 2004-08-23 12:36:00 EDT 
Under RedHat-7.3 "broken_shadow" option behavеs like "always set" ;
under Fedora Core 1 "broken_shadow" behaves like "never set" ...

  Attachment (id=102987) is a "patch for patch" - it resolves this
problem. I think, it should not be an additional patch -- ordinary
"broken_shadow" code should be corrected.
Comment 4 Tomas Mraz 2004-10-27 03:26:31 EDT 
The patch was applied.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.