From owner-freebsd-current  Sun Jan 20 11:50:16 2002
Delivered-To: freebsd-current@freebsd.org
Received: from storm.FreeBSD.org.uk (storm.FreeBSD.org.uk [194.242.139.170])
	by hub.freebsd.org (Postfix) with ESMTP
	id 3CC3E37B400; Sun, 20 Jan 2002 11:50:07 -0800 (PST)
Received: (from uucp@localhost)
	by storm.FreeBSD.org.uk (8.11.6/8.11.6) with UUCP id g0KJnbg89740;
	Sun, 20 Jan 2002 19:49:37 GMT
	(envelope-from mark@grondar.za)
Received: from grondar.za (mark@localhost [127.0.0.1])
	by grimreaper.grondar.org (8.11.6/8.11.6) with ESMTP id g0KJltt32724;
	Sun, 20 Jan 2002 19:47:56 GMT
	(envelope-from mark@grondar.za)
Message-Id: <200201201947.g0KJltt32724@grimreaper.grondar.org>
To: "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc: des@freebsd.org, current@freebsd.org
Subject: Re: Step2, pam_unix just expired pass fix for review 
References: <20020120191711.GA23576@nagual.pp.ru> 
In-Reply-To: <20020120191711.GA23576@nagual.pp.ru> ; from "Andrey A. Chernov" <ache@nagual.pp.ru>  "Sun, 20 Jan 2002 22:17:12 +0300."
Date: Sun, 20 Jan 2002 19:47:55 +0000
From: Mark Murray <mark@grondar.za>
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-current.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-current>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-current>
X-Loop: FreeBSD.ORG

> Bug: 
> There is possible when pam_sm_acct_mgmt() called, password is not
> expired, but due to some delay between calls (like network delays for NIS
> passwords), expired at the moment of pam_sm_authenticate() check.

It is not pam_sm_authenticate()'s job to determine such things as expiry.
This is the business of pam_sm_acct_mgmt().

> It may allow user to enter with expired password under some circumstanes 
> when he is not allowed to do it.

Do you mean that at at the very edge of password expiry, the user may
still be able log in (maybe some seconds later)? If so this is not a
credible threat.

> Fix:
> Use traditional Unix check (like found in pre-PAM ftpd.c and login.c) for 
> password expiration at the last moment, i.e. right after checking that it 
> is valid.

This fix is wrong for pam_sm_authenticate(), but valid for pam_sm_acct_mgmt().
pam_sm_acct_mgmt() already has something functionally equivalent.

M

> --- pam_unix.c.bak1	Sun Jan 20 21:42:47 2002
> +++ pam_unix.c	Sun Jan 20 21:58:45 2002
> @@ -152,6 +152,8 @@
>  
>  		retval = strcmp(encrypted, pwd->pw_passwd) == 0 ?
>  		    PAM_SUCCESS : PAM_AUTH_ERR;
> +		if (pwd->pw_expire && time(NULL) >= pwd->pw_expire)
> +			retval = PAM_AUTH_ERR;
>  	}
>  	else {
>  
> -- 
> Andrey A. Chernov
> http://ache.pp.ru/
-- 
o       Mark Murray
\_      FreeBSD Services Limited
O.\_    Warning: this .sig is umop ap!sdn

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message