Bug 86342 - pam_unix does not handle non-/etc/passwd password updates correctly
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: pam
Version: 9
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Tomas Mraz
Keywords: Patch, Security
Reported: 2003-03-19 21:04 EST by Kees Cook
Modified: 2007-04-18 12:52 EDT (History)
Doc Type: Bug Fix
Last Closed: 2004-10-27 03:14:26 EDT

Attachments
Patch to fix the problem. (834 bytes, patch)
2003-03-19 21:06 EST, Kees Cook
This patch is more complete. (1.43 KB, patch)
2003-03-19 21:59 EST, Kees Cook

Description Kees Cook 2003-03-19 21:04:34 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021203

Description of problem:
pam_unix.so lets a PAM_SUCCESS through in a failure condition when performing a
password change (chauthtok).

If no NIS password is updated and no local file-based password is updated, the
default for retval (0 == PAM_SUCCESS) is returned.  This is not correct.

See attached patch.  Modern Linux-PAM (v0.76) has this fix already.

The user changing their password must be listed through getpwent (available
through any of /etc/nsswitch.conf's services), but NOT on the local filesystem's
/etc/passwd or /etc/shadow.


Version-Release number of selected component (if applicable):
pam-0.75-46

How reproducible:
Always

Steps to Reproduce:
1. Create some alternate nsswitch service to get passwd entries from.
2. Add another password module to the pam stack.
3. Attempt to change passwords for a user not on the local machine, but listed
through getpwent.
4. Password is shown to have succeeded, but the alternate password pam module
was never called.
    

Actual Results:  Password does not get updated, but pam_unix.so returns PAM_SUCCESS.

Expected Results:  pam_unix.so should fail, and let the next password module
take over.


Additional info:
Comment 1 Kees Cook 2003-03-19 21:06:58 EST
Created attachment 90668
Patch to fix the problem.
Comment 2 Kees Cook 2003-03-19 21:59:17 EST
Created attachment 90670
This patch is more complete.

This also fixes the problem where NIS servers are queried even when the "nis"
option isn't set.
Comment 3 Tomas Mraz 2004-10-27 03:14:26 EDT
FC2 uses pam-0.77
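
The failure mode in the description, modelled as an added example (not code from the attached patches or from pam_unix itself): a return value that defaults to 0 reports success when neither back end ran, so the next password module is never reached. The `EX_` constants, `struct account`, the function names and the "sufficient" control flag on the first stack entry are assumptions of this sketch.

```c
#include <stdio.h>

/* 0 == PAM_SUCCESS per the report; 20 (Linux-PAM's PAM_AUTHTOK_ERR) is this
 * example's choice of failure code, the report only says "should fail". */
enum { EX_SUCCESS = 0, EX_AUTHTOK_ERR = 20 };

/* Constructed account: which back ends hold an entry for the user. */
struct account { int use_nis; int in_local_files; };

/* Reported pattern: retval defaults to 0, so a user known only through
 * another nsswitch service skips both branches and "succeeds". */
static int unix_chauthtok_old(const struct account *a)
{
    int retval = 0;
    if (a->use_nis)        retval = EX_SUCCESS;  /* stand-in: NIS update ran */
    if (a->in_local_files) retval = EX_SUCCESS;  /* stand-in: file update ran */
    return retval;
}

/* Fail-closed form: only a back end that actually ran yields success. */
static int unix_chauthtok_fixed(const struct account *a)
{
    int retval = EX_AUTHTOK_ERR;
    if (a->use_nis)        retval = EX_SUCCESS;
    if (a->in_local_files) retval = EX_SUCCESS;
    return retval;
}

/* Two-entry password stack, first entry assumed "sufficient": success ends
 * the stack, failure falls through to a hypothetical second module.
 * Returns 1 if that second module was reached, 0 if it was skipped. */
int alt_module_reached(int (*unix_mod)(const struct account *),
                       int use_nis, int in_local_files)
{
    struct account a = { use_nis, in_local_files };
    return unix_mod(&a) != EX_SUCCESS;
}

int main(void)
{
    /* Remote-only user: not in NIS, not in /etc/passwd or /etc/shadow. */
    printf("old:   alternate module reached = %d\n",
           alt_module_reached(unix_chauthtok_old, 0, 0));
    printf("fixed: alternate module reached = %d\n",
           alt_module_reached(unix_chauthtok_fixed, 0, 0));
    return 0;
}
```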
