Thinking more about this, I have reached the following
conclusions.

On Sat, Aug 06, 2005 at 01:05:50AM +0200, Nicolas François wrote:
> Can you have a look at this patch?
> 
> It performs a pam_chauthtok when pam_acct_mgmt returns a
> PAM_CHANGE_EXPIRED_AUTHTOK.

First, we have agreed upon the following variant for the
PAM-enabled [part of] su:
>               if (amroot) {
>                       fprintf (stderr, _("%s: %s\n(Ignored)\n"), Prog,
>                                pam_strerror (pamh, ret));
> +             } else if (ret == PAM_NEW_AUTHTOK_REQD) {
> +                     ret = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
> +                     if (ret != PAM_SUCCESS) {
> +                             SYSLOG ((LOG_ERR, "pam_chauthtok: %s",
> +                                      pam_strerror (pamh, ret)));
> +                             fprintf (stderr, _("%s: %s\n"), Prog,
> +                                      pam_strerror (pamh, ret));
> +                             pam_end (pamh, ret);
> +                             su_failure (tty);
> +                     }
>               } else {
>                       SYSLOG ((LOG_ERR, "pam_acct_mgmt: %s",
>                                pam_strerror (pamh, ret)));
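Review bot: the new `else if (ret == PAM_NEW_AUTHTOK_REQD)` branch is only reached when `amroot` is false, so when root runs su onto an account whose password has expired the condition still lands in the first branch and is merely printed as "(Ignored)" rather than renewed; if that is intended, the commit message should say so, otherwise test for PAM_NEW_AUTHTOK_REQD before `amroot`. The failure path also relies on `su_failure (tty)` not returning: if it can return, execution continues with `ret` holding the pam_chauthtok error after `pam_end (pamh, ret)` has already been called.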

As for an additional LOG_NOTICE in front of
"ret = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);",
this is not needed, because pam_chauthtok should do
necessary logging by itself and with pam_unix it does.

For example:
> su[12348]: (pam_unix) expired password for user xenon (root enforced)

/*
 * Everything described below is not important for
 * Debian, but we should assure consistent behavior of
 * both PAM and non-PAM su when lobbing patches into
 * upstream!!!
 */

Then, when built without PAM, su is still prone to the
bug, and there's no easy solution like pam_chauthtok(),
so the necessary functionality should be taken from
similar-purpose code from "login".

And for the latter code we should assure that an
attempt to use an account with expired _password_ is
logged with priority LOG_NOTICE, while failure to
change expired password and log in should be logged
with LOG_WARN, IMHO. Or with LOG_CRIT/LOG_ERROR when
_root's_ password changing attempt failed.

Currently, src/login.c implements this with
libmisc/age.c:expire() routine. BUT this routine does
only printf(), and no logging to syslog at all.

Tomasz: also there's puts("...\n") in expire()
-- 
WBR,
xrgtn
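As an added example, not code from this message or from shadow's upstream sources: a shadow-aging check for the non-PAM su path, logging through syslog at the priorities the message proposes (using the real constant names LOG_WARNING and LOG_CRIT). The aging rules approximate those documented in shadow(5), the exact day thresholds are an assumption, and the struct spwd values are constructed.

```c
#include <shadow.h>   /* struct spwd (glibc/musl) */
#include <syslog.h>
#include <string.h>

enum age_status { AGE_OK, AGE_MUST_CHANGE, AGE_INACTIVE, AGE_EXPIRED };

/* Constructed shadow entry; sp_min and sp_warn are left unset (-1). */
struct spwd make_entry(long lstchg, long max, long inact, long expire)
{
    struct spwd sp;
    memset(&sp, 0, sizeof sp);
    sp.sp_lstchg = lstchg; sp.sp_min = -1; sp.sp_max = max;
    sp.sp_warn = -1; sp.sp_inact = inact; sp.sp_expire = expire;
    return sp;
}

/* Classify the entry relative to 'today' (days since the epoch). Approximates
 * the shadow(5) aging rules; the exact >= thresholds are an assumption. */
enum age_status check_age(const struct spwd *sp, long today)
{
    if (sp->sp_expire > 0 && today >= sp->sp_expire)
        return AGE_EXPIRED;          /* whole account expired, nothing to renew */
    if (sp->sp_lstchg == 0)
        return AGE_MUST_CHANGE;      /* admin forced a change at next login */
    if (sp->sp_lstchg < 0 || sp->sp_max < 0)
        return AGE_OK;               /* password aging disabled */
    if (sp->sp_inact >= 0 && today >= sp->sp_lstchg + sp->sp_max + sp->sp_inact)
        return AGE_INACTIVE;         /* expired and past the grace period */
    if (today >= sp->sp_lstchg + sp->sp_max)
        return AGE_MUST_CHANGE;      /* expired, the user may still change it */
    return AGE_OK;
}

/* Priority for the syslog line, as the message proposes: NOTICE when an expired
 * password is used, WARNING if the change failed, CRIT if that was root's. */
int age_log_priority(enum age_status st, int change_failed, int target_is_root)
{
    if (st == AGE_OK) return -1;     /* nothing to log */
    if (!change_failed) return LOG_NOTICE;
    return target_is_root ? LOG_CRIT : LOG_WARNING;
}

void log_age(const char *user, enum age_status st, int change_failed, int target_is_root)
{
    int prio = age_log_priority(st, change_failed, target_is_root);
    if (prio < 0) return;
    openlog("su", LOG_PID, LOG_AUTH);
    syslog(prio, "expired password for user %s%s", user,
           change_failed ? " (password change failed)" : "");
    closelog();
}
```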

