reassign 514437 libpam-modules
tags 514437 security
thanks

Hello,

On Sat, Feb 07, 2009 at 04:37:10PM +0100, lienesch....@ewetel.net wrote:
> 
> After typing e.g.
> 
>   chage -m 10000 <user> 
> 
> as root the user is still allowed to change his password.
> 
> The MINDAYS field in /etc/shadow shows the correct value after the command
> above, but it has no effect.

Thanks for reporting this.

Looking at the PAM sources (grepping for sp_min), it seems that PAM does
not use this field anymore.

I had a look at PAM 0.79, and this was one check in _unix_verify_shadow,
called from pam_sm_chauthtok:

    if ((curdays < (spwdent->sp_lstchg + spwdent->sp_min))
        && (spwdent->sp_min != -1))
            retval = PAM_AUTHTOK_ERR;

pam_sm_chauthtok still calls _unix_verify_shadow.
_unix_verify_shadow calls _unix_run_verify_binary and check_shadow_expiry
but those are used by pam_sm_acct_mgmt so the above check cannot be added
there.

I did not change the severity of the bug, but I wonder if it should not be
considered for Lenny.

sp_min is part of the security policy for passwords (it can be used to
forbid users changing their password immediately back to the previous
password).

Best Regards,
-- 
Nekral
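As an added illustration of the sp_min check quoted above (example code written for this note, not PAM's own source): it parses a constructed /etc/shadow line, applies the same "last change + minimum days" comparison that PAM 0.79 did in _unix_verify_shadow, and returns PAM_AUTHTOK_ERR when the change comes too early. The PAM_* constants are defined locally so the file builds without libpam headers (their values are assumed to match Linux-PAM's), struct shadow_entry mirrors only the two struct spwd fields the check uses, and the shadow line and day counts are constructed sample data.

```c
/* Added example (not PAM's source): the sp_min "minimum days between
 * password changes" check that PAM 0.79 applied in _unix_verify_shadow(),
 * run here over a constructed /etc/shadow line. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Defined locally so the example builds without libpam headers
 * (assumed to match the values in Linux-PAM's _pam_types.h). */
#define PAM_SUCCESS      0
#define PAM_AUTHTOK_ERR  20

/* Only the struct spwd fields the check needs. */
struct shadow_entry {
    char name[64];
    long sp_lstchg;   /* days since epoch of the last password change */
    long sp_min;      /* MINDAYS field; -1 when the field is empty */
};

/* An empty field in /etc/shadow means "not set", reported as -1. */
static long field_or_minus1(const char *s)
{
    return *s == '\0' ? -1 : strtol(s, NULL, 10);
}

/* Parse "name:passwd:lastchg:min:max:warn:inact:expire:flag".
 * Returns 0 on success, -1 if the line has fewer than four fields. */
int parse_shadow_line(const char *line, struct shadow_entry *out)
{
    char buf[512];
    const char *fields[9] = {0};
    size_t n = strlen(line);
    int nf = 0;
    char *p;

    if (n >= sizeof buf)
        return -1;
    memcpy(buf, line, n + 1);
    if (n > 0 && buf[n - 1] == '\n')
        buf[n - 1] = '\0';

    /* Manual split so empty fields (e.g. an unset MINDAYS) are preserved. */
    fields[nf++] = buf;
    for (p = buf; *p != '\0'; p++) {
        if (*p == ':') {
            *p = '\0';
            if (nf < 9)
                fields[nf++] = p + 1;
        }
    }
    if (nf < 4)
        return -1;

    snprintf(out->name, sizeof out->name, "%s", fields[0]);
    out->sp_lstchg = field_or_minus1(fields[2]);
    out->sp_min    = field_or_minus1(fields[3]);
    return 0;
}

/* The PAM 0.79 check: refuse a change made before lstchg + min days,
 * unless no minimum is set (sp_min == -1). */
int verify_min_days(const struct shadow_entry *e, long curdays)
{
    if (e->sp_min != -1 && curdays < e->sp_lstchg + e->sp_min)
        return PAM_AUTHTOK_ERR;
    return PAM_SUCCESS;
}

/* Convenience wrapper: parse, then check. Returns -1 on a parse error. */
int check_shadow_line(const char *line, long curdays)
{
    struct shadow_entry e;
    if (parse_shadow_line(line, &e) != 0)
        return -1;
    return verify_min_days(&e, curdays);
}

/* Same day arithmetic PAM uses: seconds since epoch / 86400. */
long days_since_epoch(time_t now)
{
    return (long)(now / (24L * 60L * 60L));
}

int main(void)
{
    /* Constructed line: last change on day 14000, MINDAYS 10000 as set by
     * the "chage -m 10000" command from the report. */
    const char *line = "alice:$6$salt$hash:14000:10000:99999:7:::";
    long today = days_since_epoch(time(NULL));
    int rc = check_shadow_line(line, today);

    printf("day %ld: password change %s\n", today,
           rc == PAM_AUTHTOK_ERR ? "refused (too soon)" : "allowed");
    return 0;
}
```

With the constructed entry, any "today" earlier than day 24000 is refused, which is the behaviour the reporter expected and did not get; a line whose MINDAYS field is empty parses to sp_min == -1 and is always allowed, matching the second half of the original condition.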
