Bug 86342 - pam_unix does not handle non-/etc/passwd password updates correctly
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: pam
Version: 9
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tomas Mraz
Reported: 2003-03-20 02:04 UTC by Kees Cook
Modified: 2007-04-18 16:52 UTC (History)

Doc Type: Bug Fix
Last Closed: 2004-10-27 07:14:26 UTC

Attachments
Patch to fix the problem. (834 bytes, patch)
2003-03-20 02:06 UTC, Kees Cook
This patch is more complete. (1.43 KB, patch)
2003-03-20 02:59 UTC, Kees Cook

Description Kees Cook 2003-03-20 02:04:34 UTC

Description of problem:
pam_unix.so lets a PAM_SUCCESS through in a failure condition when performing a
password change (chauthtok).

If no NIS password is updated and no local file-based password is updated, the
default for retval (0 == PAM_SUCCESS) is returned.  This is not correct.

See attached patch.  Modern Linux-PAM (v0.76) has this fix already.

The user changing their password must be listed through getpwent (available
through any of /etc/nsswitch.conf's services), but NOT on the local filesystem's
/etc/passwd or /etc/shadow.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create some alternate nsswitch service to get passwd entries from.
2. Add another password module to the pam stack.
3. Attempt to change passwords for a user not on the local machine, but listed
through getpwent.
4. Password is shown to have succeeded, but the alternate password pam module
was never called.

Actual Results:  Password does not get updated, but pam_unix.so returns PAM_SUCCESS.

Expected Results:  pam_unix.so should fail, and let the next password module
take over.

Additional info:
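
The fail-open default described in this report, as an added example; it is not part of the bug report, the attached patches, or pam_unix's source. The function names, the `struct account` model, the choice of `PAM_AUTHTOK_ERR` as the failure code, and the "first success ends the stack" behaviour are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model constants: 0 == PAM_SUCCESS as stated in the report; 20 mirrors
 * Linux-PAM's PAM_AUTHTOK_ERR. Only zero versus non-zero matters here. */
enum { M_PAM_SUCCESS = 0, M_PAM_AUTHTOK_ERR = 20 };

/* Constructed record: which backend, if any, holds the user's entry. */
struct account { bool in_nis; bool in_local_files; };

/* Stand-ins for the two update paths; each returns a PAM-style code. */
static int update_nis(void)   { return M_PAM_SUCCESS; }
static int update_local(void) { return M_PAM_SUCCESS; }

/* Fail-open shape: retval starts at 0 and is only overwritten when a
 * backend runs, so "nothing was updated" is reported as success. */
int chauthtok_fail_open(const struct account *a) {
    int retval = M_PAM_SUCCESS;
    if (a->in_nis) retval = update_nis();
    else if (a->in_local_files) retval = update_local();
    return retval;
}

/* Fail-closed shape: start from an error, let a backend earn success. */
int chauthtok_fail_closed(const struct account *a) {
    int retval = M_PAM_AUTHTOK_ERR;
    if (a->in_nis) retval = update_nis();
    else if (a->in_local_files) retval = update_local();
    return retval;
}

/* Hypothetical two-module password stack: success from the first module
 * ends the stack; failure falls through to a second module that is
 * assumed to perform the update. *second_ran records whether it ran. */
int run_stack(int (*first)(const struct account *),
              const struct account *a, bool *second_ran) {
    int rc = first(a);
    *second_ran = (rc != M_PAM_SUCCESS);
    return *second_ran ? M_PAM_SUCCESS : rc;
}

int main(void) {
    struct account remote = { false, false };  /* visible via NSS only */
    bool ran;
    run_stack(chauthtok_fail_open, &remote, &ran);
    printf("fail-open:   second module ran = %d\n", ran);
    run_stack(chauthtok_fail_closed, &remote, &ran);
    printf("fail-closed: second module ran = %d\n", ran);
    return 0;
}
```

In both runs the model stack reports success, which is why the fail-open case is easy to miss: only the flag showing whether the second module ran distinguishes a real update from a silent no-op.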

Comment 1 Kees Cook 2003-03-20 02:06:58 UTC
Created attachment 90668
Patch to fix the problem.

Comment 2 Kees Cook 2003-03-20 02:59:17 UTC
Created attachment 90670
This patch is more complete.

This also fixes the problem where NIS servers are queried even when the "nis"
option isn't set.

Comment 3 Tomas Mraz 2004-10-27 07:14:26 UTC
FC2 uses pam-0.77
