From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021203

Description of problem:
pam_unix.so lets a PAM_SUCCESS through in a failure condition when performing a password change (chauthtok). If no NIS password is updated and no local file-based password is updated, the default for retval (0 == PAM_SUCCESS) is returned. This is not correct. See attached patch. Modern Linux-PAM (v0.76) has this fix already. The user changing their password must be listed through getpwent (available through any of /etc/nsswitch.conf's services), but NOT on the local filesystem's /etc/passwd or /etc/shadow.

Version-Release number of selected component (if applicable):
pam-0.75-46

How reproducible:
Always

Steps to Reproduce:
1. Create some alternate nsswitch service to get passwd entries from.
2. Add another password module to the pam stack.
3. Attempt to change passwords for a user not on the local machine, but listed through getpwent.
4. Password is shown to have succeeded, but the alternate password pam module was never called.

Actual Results:
Password does not get updated, but pam_unix.so returns PAM_SUCCESS.

Expected Results:
pam_unix.so should fail, and let the next password module take over.

Additional info:
Created attachment 90668: Patch to fix the problem.
Created attachment 90670: This patch is more complete. This also fixes the problem where NIS servers are queried even when the "nis" option isn't set.
FC2 uses pam-0.77
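
The return-value pattern described in the report, modelled beside a fail-closed form. This is an added example, not the pam_unix source and not either attached patch; the `acct` struct, the function names and the choice of `PAM_AUTHTOK_ERR` as the failure code are assumptions made for illustration.

```c
#include <stdio.h>

/* Defined locally so this builds without PAM headers. */
#define PAM_SUCCESS      0
#define PAM_AUTHTOK_ERR 20   /* failure code chosen for this example */

/* Hypothetical model: which backends would store this user's password. */
struct acct { const char *name; int in_nis; int in_local_files; };

/* Stand-ins for the real update paths; here they always succeed. */
static int update_nis(const struct acct *a)   { (void)a; return PAM_SUCCESS; }
static int update_local(const struct acct *a) { (void)a; return PAM_SUCCESS; }

/* Pattern from the report: retval starts at 0 == PAM_SUCCESS. */
int chauthtok_default_success(const struct acct *a)
{
    int retval = PAM_SUCCESS;
    if (a->in_nis)
        retval = update_nis(a);
    if (retval == PAM_SUCCESS && a->in_local_files)
        retval = update_local(a);
    return retval;  /* no branch ran: still PAM_SUCCESS */
}

/* Fail closed: success only if some backend actually stored the password. */
int chauthtok_fail_closed(const struct acct *a)
{
    int rc, updated = 0;
    if (a->in_nis) {
        if ((rc = update_nis(a)) != PAM_SUCCESS) return rc;
        updated = 1;
    }
    if (a->in_local_files) {
        if ((rc = update_local(a)) != PAM_SUCCESS) return rc;
        updated = 1;
    }
    return updated ? PAM_SUCCESS : PAM_AUTHTOK_ERR;
}

int main(void)
{
    /* Constructed account: visible through getpwent, in neither NIS nor local files. */
    struct acct remote = { "remoteuser", 0, 0 };
    printf("default-success: %d\n", chauthtok_default_success(&remote));
    printf("fail-closed:     %d\n", chauthtok_fail_closed(&remote));
    return 0;
}
```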