Bug#321384: [Pkg-shadow-devel] Bug#321384: su refuses to change an expired password for root

Alexander Gattin arg at online.com.ua
Sat Aug 6 15:19:15 UTC 2005


Thinking more about this, I have come to the following
conclusions.

On Sat, Aug 06, 2005 at 01:05:50AM +0200, Nicolas François wrote:
> Can you have a look at this patch?
> 
> It performs a pam_chauthtok when pam_acct_mgmt returns a
> PAM_CHANGE_EXPIRED_AUTHTOK.

First, we have agreed upon the following variant for the
PAM-enabled [part of] su:
>  		if (amroot) {
>  			fprintf (stderr, _("%s: %s\n(Ignored)\n"), Prog,
>  				 pam_strerror (pamh, ret));
> +		} else if (ret == PAM_NEW_AUTHTOK_REQD) {
> +			ret = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
> +			if (ret != PAM_SUCCESS) {
> +				SYSLOG ((LOG_ERR, "pam_chauthtok: %s",
> +				         pam_strerror (pamh, ret)));
> +				fprintf (stderr, _("%s: %s\n"), Prog,
> +				         pam_strerror (pamh, ret));
> +				pam_end (pamh, ret);
> +				su_failure (tty);
> +			}
>  		} else {
>  			SYSLOG ((LOG_ERR, "pam_acct_mgmt: %s",
>  				 pam_strerror (pamh, ret)));
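Review bot: the hunk tests for PAM_NEW_AUTHTOK_REQD (the pam_acct_mgmt return code) and passes PAM_CHANGE_EXPIRED_AUTHTOK (a pam_chauthtok flag), which is the correct pairing, so the description above the patch ("pam_acct_mgmt returns a PAM_CHANGE_EXPIRED_AUTHTOK") should be reworded to match the code. Two smaller points: the new branch is reached only when amroot is false, so a root caller switching to an account with an expired password still takes the "(Ignored)" path and is never asked to change it, which is worth stating in the changelog; and the failure path calls pam_end (pamh, ret) before su_failure (tty), which is only safe if su_failure never returns, otherwise execution continues below with a closed PAM handle.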

As for an additional LOG_NOTICE in front of
"ret = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);",
this is not needed, because pam_chauthtok should do the
necessary logging by itself, and with pam_unix it does.

For example:
> su[12348]: (pam_unix) expired password for user xenon (root enforced)

/*
 * Everything described below is not important for
 * Debian, but we should ensure consistent behavior of
 * both PAM and non-PAM su when lobbing patches into
 * upstream!!!
 */

Then, when built without PAM, su is still prone to the
bug, and there's no easy solution like pam_chauthtok(),
so the necessary functionality should be taken from the
similar-purpose code in "login".

And for the latter code we should ensure that an
attempt to use an account with an expired _password_ is
logged with priority LOG_NOTICE, while a failure to
change the expired password and log in should be logged
with LOG_WARN, IMHO. Or with LOG_CRIT/LOG_ERROR when
the attempt to change _root's_ password failed.

Currently, src/login.c implements this with the
libmisc/age.c:expire() routine. BUT this routine only
does printf(), with no logging to syslog at all.

Tomasz: also, there's a puts("...\n") in expire()
-- 
WBR,
xrgtn
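The mail asks for two things the non-PAM build lacks: a check that classifies a shadow entry's password as current, due for change, or expired (the job login delegates to expire()), and syslog logging with a priority that depends on whether the change failed and whether the target is root. The following is an added example written for this page, not shadow's code or anything from this thread. It assumes glibc's <shadow.h> struct spwd with the field meanings from shadow(5); the state names, the priority mapping, the function names and the sample aging values are this example's own assumptions. Note that the real syslog macros are LOG_WARNING and LOG_ERR rather than LOG_WARN and LOG_ERROR.

```c
/*
 * Added example (not shadow's code): the non-PAM expired-password check
 * and syslog priorities this mail asks for. Field meanings follow the
 * shadow(5) struct spwd from glibc's <shadow.h>; the state names, the
 * priority mapping and the sample entry are this example's own assumptions.
 */
#include <stdio.h>
#include <syslog.h>
#include <shadow.h>
#include <sys/types.h>

enum pw_state { PW_OK = 0, PW_MUST_CHANGE = 1, PW_EXPIRED = 2 };

/*
 * Classify the password in `sp` as of `today` (days since the epoch, the
 * unit sp_lstchg uses). sp_lstchg == 0 forces a change at next login,
 * sp_max < 0 means the password never ages, and sp_inact (when >= 0) is
 * a grace period after sp_max during which the user may still change it;
 * once that grace period is over the password counts as expired.
 */
enum pw_state pw_state_at(const struct spwd *sp, long today)
{
    if (sp->sp_lstchg == 0)
        return PW_MUST_CHANGE;
    if (sp->sp_max < 0 || today < sp->sp_lstchg + sp->sp_max)
        return PW_OK;
    if (sp->sp_inact >= 0 &&
        today >= sp->sp_lstchg + sp->sp_max + sp->sp_inact)
        return PW_EXPIRED;
    return PW_MUST_CHANGE;
}

/*
 * Priority scheme proposed in the mail, spelled with the real syslog
 * macro names: an expired password seen at login -> LOG_NOTICE; a failed
 * change -> LOG_WARNING, or LOG_CRIT when the target account is root.
 * Returns -1 when there is nothing to log.
 */
int expiry_priority(enum pw_state st, int change_failed, uid_t target_uid)
{
    if (st == PW_OK)
        return -1;
    if (!change_failed)
        return LOG_NOTICE;
    return target_uid == 0 ? LOG_CRIT : LOG_WARNING;
}

/* Log the event (if any) to the authpriv facility; return the priority used, -1 if none. */
int log_expiry(const char *prog, const char *user, uid_t uid,
               enum pw_state st, int change_failed)
{
    int prio = expiry_priority(st, change_failed, uid);
    if (prio < 0)
        return -1;
    openlog(prog, LOG_PID, LOG_AUTHPRIV);
    if (change_failed)
        syslog(prio, "failed to change expired password for user %s", user);
    else
        syslog(prio, "expired password for user %s", user);
    closelog();
    return prio;
}

/* Convenience wrapper: build an entry from the aging fields and classify it. */
enum pw_state sample_state(long lstchg, long max, long inact, long today)
{
    struct spwd sp = { 0 };
    sp.sp_lstchg = lstchg;
    sp.sp_max = max;
    sp.sp_inact = inact;
    return pw_state_at(&sp, today);
}

int main(void)
{
    /* Constructed sample: last change on day 12000, 90-day maximum age,
     * 7-day inactivity grace. Not a real shadow entry. */
    long lstchg = 12000, max = 90, inact = 7;
    long days[] = { 12050, 12090, 12097 };
    for (unsigned i = 0; i < sizeof days / sizeof days[0]; i++) {
        enum pw_state st = sample_state(lstchg, max, inact, days[i]);
        /* Pretend the change failed only once the grace period is over. */
        int prio = log_expiry("su", "xenon", 1000, st, st == PW_EXPIRED);
        printf("day %ld: state %d, syslog priority %d\n", days[i], st, prio);
    }
    return 0;
}
```

With the sample entry, day 12050 is within the 90-day window (nothing logged), day 12090 has just hit the maximum age (LOG_NOTICE), and day 12097 is past the grace period, so a failed change for a non-root target logs at LOG_WARNING; the same failure for uid 0 would log at LOG_CRIT.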



