Package: libpam0g
Version: 1.0.1-5+lenny1
Severity: normal

Upstream unix_chkpwd drops privileges and continues when a non-root user attempts to authenticate someone other than himself. The pam_unix_dont_trust_chkpwd_caller patch disables this behavior "pending analysis".

I have enabled the "broken_shadow" option due to a limitation of libnss-ldapd, and this is supposed to make pam_unix return success when getpwnam() returns something but getspnam() does not. However, the code in pam_unix_acct.c will only do so if the error is PAM_AUTHINFO_UNAVAIL. The above Debian patch returns PAM_AUTH_ERR, and so users cannot verify other users.

I see two solutions:

1. Use setgid(getgid()) as suggested in the patch. This closely matches upstream. We'll end up returning PAM_AUTHINFO_UNAVAIL after getspnam() is called.

2. Change the "return PAM_AUTH_ERR" introduced by the patch to "return PAM_AUTHINFO_UNAVAIL", at least for the chkexpiry subcommand.

I know of no workaround for this problem other than either patching PAM or running the service as root.

-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam0g depends on:
ii  debconf [debconf-2.0]  1.5.24          Debian configuration management sy
ii  libc6                  2.7-18          GNU C Library: Shared libraries
ii  libpam-runtime         1.0.1-5+lenny1  Runtime support for the PAM librar

libpam0g recommends no packages.

Versions of packages libpam0g suggests:
ii  libpam-doc             1.0.1-5+lenny1  Documentation of PAM

-- debconf information excluded
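The interaction the report describes, as an added illustration that is not the pam_unix or unix_chkpwd source: a simplified model of the module-side check that forgives only PAM_AUTHINFO_UNAVAIL when broken_shadow is set, run against the three helper behaviours the report mentions (upstream, the Debian patch, and the patch with its return code changed as in solution 2). The enum labels and function names are constructed for this example; the return-code values are those of Linux-PAM.

```c
/* Model of how pam_unix's account check combines the broken_shadow
 * option with the unix_chkpwd helper's result. Added illustration only,
 * not the real module; PAM codes follow Linux-PAM's _pam_types.h. */
#include <stdio.h>

#define PAM_SUCCESS          0
#define PAM_AUTH_ERR         7
#define PAM_AUTHINFO_UNAVAIL 9

/* Helper behaviour when an unprivileged caller asks about another user.
 * Constructed labels: upstream, the Debian patch as reported, and the
 * patch with the return code changed (solution 2 in the report). */
enum helper_variant { HELPER_UPSTREAM, HELPER_DEBIAN_PATCH, HELPER_PATCH_FIXED };

static int helper_chkexpiry_other_user(enum helper_variant v)
{
    switch (v) {
    case HELPER_UPSTREAM:
        /* privileges dropped, getspnam() then fails: info unavailable */
        return PAM_AUTHINFO_UNAVAIL;
    case HELPER_DEBIAN_PATCH:
        /* pam_unix_dont_trust_chkpwd_caller refuses outright */
        return PAM_AUTH_ERR;
    case HELPER_PATCH_FIXED:
        /* same refusal, but signalled as missing shadow information */
        return PAM_AUTHINFO_UNAVAIL;
    }
    return PAM_AUTH_ERR;
}

/* Module side: with broken_shadow set, only PAM_AUTHINFO_UNAVAIL is
 * turned into success; any other failure is passed up unchanged. */
static int acct_mgmt_via_helper(enum helper_variant v, int broken_shadow)
{
    int rc = helper_chkexpiry_other_user(v);
    if (rc == PAM_AUTHINFO_UNAVAIL && broken_shadow)
        return PAM_SUCCESS;
    return rc;
}

int main(void)
{
    printf("upstream, broken_shadow:        %d\n", acct_mgmt_via_helper(HELPER_UPSTREAM, 1));
    printf("debian patch, broken_shadow:    %d\n", acct_mgmt_via_helper(HELPER_DEBIAN_PATCH, 1));
    printf("fixed return, broken_shadow:    %d\n", acct_mgmt_via_helper(HELPER_PATCH_FIXED, 1));
    printf("upstream, without broken_shadow: %d\n", acct_mgmt_via_helper(HELPER_UPSTREAM, 0));
    return 0;
}
```

The second line of output is the reported failure: the patched helper's PAM_AUTH_ERR bypasses the broken_shadow exception, while either solution from the report restores PAM_SUCCESS.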