[Pkg-shadow-devel] Bug#78961: passwd treats expiry=0 as expired while chage doesn't

Nicolas François, 78961@bugs.debian.org
Mon, 28 Mar 2005 01:24:04 +0200


tags 78961 confirmed
thanks

On Thu, Dec 07, 2000 at 01:19:02AM +0100, Tomas Ogren wrote:
> If the user has the expiry field[0] set to 0 in /etc/shadow, the passwd
> command treats it as an expired account[1] whereas chage[2] displays
> that it will never expire. Removing the 0 to make the field empty makes
> passwd[3] and chage[2] accept it. I can ssh in with openssh.

I will try to provide a detailed analysis.  The fix is really close, you
didn't wait 4 years for nothing ;)

The code of su or passwd (and probably many other shadow commands, this
should be checked) uses PAM.
su     uses pam_acct_mgmt
passwd uses pam_chauthtok

In chage, the expiration verification is performed internally by shadow.

su considers that the password will never expire, as chage does.
passwd considers that it has expired.

A better analysis may be required for the other shadow commands and for
the shadow code enclosed in "#ifndef USE_PAM" (which is not compiled
for the Debian packages).


> This did not happen in Debian 2.1. In Red Hat 7.0 you can neither su to
> the account (from non-root), run passwd nor login with openssh.
> 
> The question is.. what's right? is 0 disabled or enabled? Just lack of
> good spec?

That is the question, and the reason why I'm CCing the Debian PAM
maintainer.
Maybe Tomasz, you can also help on this issue.

Is there a specification on the expiry field?  IMHO PAM is standardized by
the Open Group, but to what extent?  Is this point specified?


I had a look at PAM's source.
In the pam_unix module:
 * pam_sm_acct_mgmt considers a sp_expire of 0 equivalent to -1 (i.e. no
   expiry specified in the shadow file, for a password which never expires)

 * pam_sm_chauthtok may[0] consider a null sp_expire field equivalent to
   an expiration date equal to Jan 01, 1970.

The pam_pwdb module also considers 0 equivalent to -1 in
_shadow_acct_mgmt_exp.



Currently, the best solution I can see is to document the fact that an
expiry field of 0 means the password never expires (not a lot of users will
want to set an expiry date of Jan 1, 1970), and to fix PAM and shadow's
sources accordingly.


[0] I've just read the source, I still need to test whether passwd and su will
behave the same way if pam_sm_chauthtok is modified.  I will report here
and/or in a PAM bug.

Thanks in advance,
-- 
Nekral
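As an added illustration (not code from this report, nor from shadow or PAM), a small audit that parses shadow(5) entries and flags the accounts on which the two interpretations described above (0 as "never expires" in pam_sm_acct_mgmt and chage, 0 as an expiry date of Jan 1, 1970 in pam_sm_chauthtok) would disagree; the sample entries are constructed.

```python
"""Audit shadow entries for the ambiguous expire value 0.

Field 8 of a shadow(5) entry is the account expiry in days since
1970-01-01; an empty field (sp_expire == -1 after getspnam) means
"never expires". Entries on which the acct_mgmt and chauthtok views
disagree are reported so the field can be cleared, which both accept.
"""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

def parse_expire(shadow_line):
    """Return (user, sp_expire) for one shadow line; empty field -> -1."""
    fields = shadow_line.rstrip("\n").split(":")
    if len(fields) < 8:
        raise ValueError("malformed shadow entry: %r" % shadow_line)
    expire = fields[7]
    return fields[0], (-1 if expire == "" else int(expire))

def expired_acct_mgmt(sp_expire, today):
    """pam_sm_acct_mgmt / chage view: 0 and -1 both mean no expiry."""
    if sp_expire in (-1, 0):
        return False
    return EPOCH + timedelta(days=sp_expire) < today

def expired_chauthtok(sp_expire, today):
    """pam_sm_chauthtok view: only -1 means no expiry, so 0 is 1970-01-01."""
    if sp_expire == -1:
        return False
    return EPOCH + timedelta(days=sp_expire) < today

def audit(shadow_text, today):
    """Return [(user, sp_expire)] for entries on which the two views differ."""
    disagree = []
    for line in shadow_text.splitlines():
        if line.strip():
            user, sp_expire = parse_expire(line)
            if expired_acct_mgmt(sp_expire, today) != expired_chauthtok(sp_expire, today):
                disagree.append((user, sp_expire))
    return disagree

# Constructed sample entries (not real accounts); hashes replaced by "x".
SAMPLE_SHADOW = "alice:x:12000:0:99999:7:::\nbob:x:12000:0:99999:7::0:\n" \
                "carol:x:12000:0:99999:7::12500:\ndave:x:12000:0:99999:7::13000:\n"

if __name__ == "__main__":
    for user, exp in audit(SAMPLE_SHADOW, date(2005, 3, 28)):
        print("%s: expire=%d is ambiguous; clear the field to mean 'never expires'" % (user, exp))
```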