[Pkg-shadow-devel] Bug#628671: passwd: Ordinary users can't change their passwords.

Nicolas François nicolas.francois at centraliens.net
Sat Jun 25 10:39:03 UTC 2011


reassign 628671 libgcrypt11
forcemerge 566351 628671
thanks

On Tue, May 31, 2011 at 06:50:45PM +1000, Peter Chubb wrote:
> 
> I'm running a server that has most users authenticate via LDAP and SSL, but
> has a few local users with entries in /etc/shadow and /etc/passwd.
> 
> These local users cannot change their passwords.  They see a message about Authentication token manipulation error.
> 
> Running strace shows that passwd drops privilege and then cannot gain it again.
> Strace output:
> open(/etc/ldap/keys/cacert.pem", O_RDONLY) = 5
> .....
> mmap(NULL, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb4fdf5c000
> getuid()                                = 8299
> mlock(0x7fb4fdf5c000, 32768)            = 0
> geteuid()                               = 0
> setuid(8299)                            = 0
> getuid()                                = 8299
> geteuid()                               = 8299
> setuid(0)                               = -1 EPERM (Operation not permitted)
> 
> ....
> open("/etc/.pwd.lock", O_WRONLY|O_CREAT|O_CLOEXEC, 0600) = -1 EACCES (Permission denied)
> 
> 
> /etc/pam.d/common-passwd contains just these two lines:
> password      required pam_unix.so nullok obscure sha512
> password        sufficient      pam_ldap.so

Thank you Peter for investigating.

This needs to be fixed by libpam-ldap or libgcrypt.

Best Regards,
-- 
Nekral
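
Why the trace in the quoted report ends in EPERM, as an added example (not part of the original message, and not code from shadow, libpam-ldap or libgcrypt): a small model of the Linux setuid(2)/seteuid(2) rules replays the uid calls from the strace excerpt. The names Creds and find_irreversible_drops are hypothetical, and the starting saved uid of 0 is an assumption for a setuid-root passwd.

```python
import re

# Constructed sample: the uid-related syscalls copied from the strace excerpt above.
TRACE = """\
getuid()                                = 8299
geteuid()                               = 0
setuid(8299)                            = 0
getuid()                                = 8299
geteuid()                               = 8299
setuid(0)                               = -1 EPERM (Operation not permitted)
"""

class Creds:
    """Real, effective and saved uid of one process (Linux setuid(2) rules)."""
    def __init__(self, ruid, euid, suid):
        self.ruid, self.euid, self.suid = ruid, euid, suid

    def setuid(self, uid):
        if self.euid == 0:                  # privileged caller: all three ids change
            self.ruid = self.euid = self.suid = uid
            return 0
        if uid in (self.ruid, self.suid):   # unprivileged caller: only euid changes
            self.euid = uid
            return 0
        return -1                           # EPERM

    def seteuid(self, uid):
        if self.euid == 0 or uid in (self.ruid, self.euid, self.suid):
            self.euid = uid                 # saved uid is left alone
            return 0
        return -1

def find_irreversible_drops(trace, ruid, euid=0):
    """Replay setuid() lines; assumes a setuid-root start (saved uid == euid)."""
    creds, findings = Creds(ruid, euid, euid), []
    for n, line in enumerate(trace.splitlines(), 1):
        m = re.match(r"setuid\((\d+)\)\s*=\s*(-?\d+)", line.strip())
        if not m:
            continue
        target, traced = int(m.group(1)), int(m.group(2))
        was_root = creds.euid == 0
        modelled = creds.setuid(target)
        if modelled != traced:
            raise ValueError(f"line {n}: model gives {modelled}, trace shows {traced}")
        if was_root and target != 0:
            findings.append((n, f"setuid({target}) as euid 0 cleared the saved uid"))
        elif modelled == -1:
            findings.append((n, f"setuid({target}) refused: no process id is {target}"))
    return findings
```

Calling `find_irreversible_drops(TRACE, ruid=8299)` flags trace lines 3 and 6; in the same model, `seteuid(8299)` followed by `seteuid(0)` succeeds because the saved uid stays 0.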




