On 24/01/2014 13:25, Yves-Alexis Perez wrote:
> I think you need to push that upstream, see
> https://bugs.launchpad.net/lightdm/+bug/869501

I did it, I hope it is understandable :o)

> Also, I have not much knowledge about PAM, but that's really not the
> documented behavior of that flag:
>
> PAM_CHANGE_EXPIRED_AUTHTOK
>     This argument indicates to the modules that the user's
>     authentication token (password) should only be changed if it has
>     expired. If this argument is not passed, the application requires
>     that all authentication tokens are to be changed.
>
> If PAM behaves differently than advertised, it might be worth asking PAM
> people about that.

I think that the man page absolutely misses the point, or it's not updated, or... simply I can't understand what it says: what does it mean "the application requires that _____all_____ authentication tokens are to be changed"!? :-) We have only _____one_____ authentication token, the password.

By looking at the code of the modules (pam_ldapd, pam_unix, ...) the missing flag seems to be considered as "act as admin": so, in my opinion, the sentence may be read as "If this argument is not passed, the application requires that ALL/OTHER USERS' authentication tokens are to be changed", and so you need special powers: the admin's password for pam_ldapd. For pam_unix instead, because lightdm runs as root, it doesn't need to ask for the root password.

At the same time, doing the change as root/admin makes it possible to skip some restrictions (password complexity, password length, etc.) - pam_cracklib is also involved. Look at these comments:

nss-pam-ldapd-0.8.10$ grep -n4 -r PAM_CHANGE_EXPIRED_AUTHTOK *
pam/pam.c-570-  {
pam/pam.c-571-    /* see if the user is trying to modify another user's password */
pam/pam.c-572-    pwent=getpwnam(username);
pam/pam.c-573-    myuid=getuid();
pam/pam.c:574:    if ((pwent!=NULL)&&(pwent->pw_uid!=myuid)&&(!(flags&PAM_CHANGE_EXPIRED_AUTHTOK)))
pam/pam.c-575-    {
pam/pam.c-576-      /* we are root so we can test if nslcd will allow us to change the
pam/pam.c-577-         user's password without the admin password */
pam/pam.c-578-      if (myuid==0)

Thank you!
Regards
G.
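As an added illustration (not code from this thread, from lightdm or from nss-pam-ldapd), the following C program reproduces the branch quoted above from pam/pam.c as a stand-alone decision function, so the caller/target/flag combinations discussed in the message can be compared side by side. The flag value is copied from Linux-PAM's <security/pam_appl.h> so the example builds without libpam; the enumerator and path names are this example's own, and the nslcd query that decides whether root may actually proceed without the admin password is not modelled.

```c
#include <stdio.h>
#include <sys/types.h>

/* Value of PAM_CHANGE_EXPIRED_AUTHTOK from Linux-PAM's <security/pam_appl.h>,
 * copied here so this model builds without libpam installed. */
#define PAM_CHANGE_EXPIRED_AUTHTOK 0x0020

/* Which branch of the quoted pam_sm_chauthtok logic a request reaches.
 * The enumerator names are this example's own, not nss-pam-ldapd's. */
enum chauthtok_path {
    PATH_SELF,            /* handled like the user changing their own password */
    PATH_ROOT_NO_ADMIN,   /* root changing another user's password; the module
                             checks whether nslcd allows it without the admin
                             password (that nslcd call is not modelled here) */
    PATH_ADMIN_PASSWORD   /* non-root changing another user's password: the
                             module asks for the admin password */
};

/* Mirrors the quoted grep lines 574 and 578:
 *   if ((pwent->pw_uid != myuid) && !(flags & PAM_CHANGE_EXPIRED_AUTHTOK))
 *       if (myuid == 0) ...
 * With the flag set, the "other user" test is skipped entirely, so a root
 * caller falls through to the same path as a user changing their own password. */
enum chauthtok_path chauthtok_path(uid_t caller_uid, uid_t target_uid, int flags)
{
    if (target_uid != caller_uid && !(flags & PAM_CHANGE_EXPIRED_AUTHTOK)) {
        if (caller_uid == 0)
            return PATH_ROOT_NO_ADMIN;
        return PATH_ADMIN_PASSWORD;
    }
    return PATH_SELF;
}

static const char *path_name(enum chauthtok_path p)
{
    switch (p) {
    case PATH_SELF:           return "self-change (user's own old password)";
    case PATH_ROOT_NO_ADMIN:  return "root acting as admin (no admin password asked)";
    case PATH_ADMIN_PASSWORD: return "admin password required";
    }
    return "?";
}

int main(void)
{
    /* Constructed cases: uid 0 stands for the display manager running as
     * root, uid 1000 for the user whose expired password must be changed. */
    struct { uid_t caller, target; int flags; const char *label; } cases[] = {
        { 0,    1000, 0,                          "lightdm (root), flag missing" },
        { 0,    1000, PAM_CHANGE_EXPIRED_AUTHTOK, "lightdm (root), flag set" },
        { 1000, 1000, 0,                          "user changes own password" },
        { 1001, 1000, 0,                          "other non-root user, flag missing" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-36s -> %s\n", cases[i].label,
               path_name(chauthtok_path(cases[i].caller, cases[i].target,
                                        cases[i].flags)));
    return 0;
}
```

The first two cases are the ones the message is about: the same root caller lands on the "act as admin" path when the flag is missing and on the self-change path when it is set, which is why passing PAM_CHANGE_EXPIRED_AUTHTOK makes the module prompt for, and validate against, the user's own credentials.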