Red Hat Bugzilla – Bug 86342
pam_unix does not handle non-/etc/passwd password updates correctly
Last modified: 2007-04-18 12:52:13 EDT
Description of problem:
pam_unix.so lets a PAM_SUCCESS through in a failure condition when performing a
password change (chauthtok).
If no NIS password is updated and no local file-based password is updated, the
default for retval (0 == PAM_SUCCESS) is returned. This is not correct.
See attached patch. Modern Linux-PAM (v0.76) has this fix already.
The user changing their password must be listed through getpwent (available
through any of /etc/nsswitch.conf's services), but NOT on the local filesystem's
/etc/passwd or /etc/shadow.
Steps to Reproduce:
1. Create some alternate nsswitch service to get passwd entries from.
2. Add another password module to the pam stack.
3. Attempt to change passwords for a user not on the local machine, but listed
4. Password is shown to have succeeded, but the alternate password pam module
was never called.
Actual Results: Password does not get updated, but pam_unix.so returns PAM_SUCCESS.
Expected Results: pam_unix.so should fail, and let the next password module
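The control flow the report describes, as an added C illustration (not pam_unix's or Linux-PAM's code, and not the attached patch): a "before" routine whose retval defaults to PAM_SUCCESS and which queries NIS regardless of the "nis" option, beside an "after" routine that defaults to PAM_AUTHTOK_ERR and only reports success when a backend actually wrote a new password. A minimal sufficient/required stack model shows why the alternate password module from the reproduction steps never runs in the buggy case. The lookup tables standing in for getpwnam(), /etc/passwd + /etc/shadow and an NIS server are constructed data, and the names setpass_buggy, setpass_fixed, UNIX_NIS, alt_module, run_stack and change_password are assumptions made for the example.

```c
/* Model of the pam_unix chauthtok control flow described in this report.
 * Added illustration, not pam_unix's own source: the lookup tables below are
 * constructed stand-ins for getpwnam() (any nsswitch source), for the local
 * /etc/passwd + /etc/shadow files, and for an NIS server. */
#include <stddef.h>
#include <string.h>

#define PAM_SUCCESS       0  /* names follow Linux-PAM; values defined here so no libpam header is needed */
#define PAM_USER_UNKNOWN 10
#define PAM_AUTHTOK_ERR  20

#define UNIX_NIS 0x01        /* hypothetical control bit for the module's "nis" option */

/* Constructed data: which backend knows about which user. */
static const char *nss_users[]   = { "alice", "bob", "carol" }; /* everyone getpwnam() can resolve */
static const char *local_users[] = { "alice" };                 /* really in /etc/passwd and /etc/shadow */
static const char *nis_users[]   = { "bob" };                   /* served by the NIS server */

#define N(a) (sizeof(a) / sizeof((a)[0]))

static int in_list(const char *const *list, size_t n, const char *user)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i], user) == 0)
            return 1;
    return 0;
}

static int nss_known(const char *u)    { return in_list(nss_users,   N(nss_users),   u); }
/* Each "update" returns 1 only if that backend actually stored a new hash. */
static int local_update(const char *u) { return in_list(local_users, N(local_users), u); }
static int nis_update(const char *u)   { return in_list(nis_users,   N(nis_users),   u); }

/* Before: retval defaults to PAM_SUCCESS, so a user that neither backend
 * updated still "succeeds"; NIS is queried whether or not "nis" was set. */
static int setpass_buggy(const char *user, int ctrl)
{
    int retval = PAM_SUCCESS;
    (void)ctrl;
    if (!nss_known(user))
        return PAM_USER_UNKNOWN;
    if (nis_update(user))
        return PAM_SUCCESS;
    if (local_update(user))
        return PAM_SUCCESS;
    return retval;           /* nothing was changed, yet success is reported */
}

/* After: default to failure; claim success only when a backend updated. */
static int setpass_fixed(const char *user, int ctrl)
{
    int retval = PAM_AUTHTOK_ERR;
    if (!nss_known(user))
        return PAM_USER_UNKNOWN;
    if ((ctrl & UNIX_NIS) && nis_update(user))
        return PAM_SUCCESS;
    if (local_update(user))
        return PAM_SUCCESS;
    return retval;           /* lets the next password module in the stack try */
}

/* The alternate password module from step 2 of the reproduction. */
static int alt_module_calls;
static int alt_module(const char *user, int ctrl)
{
    (void)user; (void)ctrl;
    alt_module_calls++;
    return PAM_SUCCESS;
}

/* Minimal "sufficient" / "required" semantics: a sufficient module's success
 * ends the stack at once (unless a required module already failed) and its
 * failure is ignored; a required module's failure is remembered while the
 * remaining modules still run. */
typedef int (*setpass_fn)(const char *, int);
struct stack_entry { const char *control; setpass_fn fn; };

static int run_stack(const struct stack_entry *stack, size_t n, const char *user, int ctrl)
{
    int failure = PAM_SUCCESS;
    for (size_t i = 0; i < n; i++) {
        int r = stack[i].fn(user, ctrl);
        if (strcmp(stack[i].control, "sufficient") == 0) {
            if (r == PAM_SUCCESS && failure == PAM_SUCCESS)
                return PAM_SUCCESS;
        } else if (r != PAM_SUCCESS && failure == PAM_SUCCESS) {
            failure = r;
        }
    }
    return failure;
}

/*   password sufficient pam_unix.so [nis]
 *   password required  alt_module.so
 * Returns the stack result; alt_module_calls records whether the second
 * module ever ran. */
static int change_password(const char *user, int use_fixed, int ctrl)
{
    struct stack_entry stack[] = {
        { "sufficient", use_fixed ? setpass_fixed : setpass_buggy },
        { "required",   alt_module },
    };
    alt_module_calls = 0;
    return run_stack(stack, N(stack), user, ctrl);
}
```

For "carol" (resolvable through nsswitch but in neither local files nor NIS) the buggy stack returns PAM_SUCCESS with alt_module_calls still 0, which is exactly the symptom in the Actual Results; with the fixed routine pam_unix fails, the stack falls through, and the alternate module performs the update.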
Created attachment 90668
Patch to fix the problem.
Created attachment 90670
This patch is more complete.
This also fixes the problem where NIS servers are queried even when the "nis"
option isn't set.
FC2 uses pam-0.77