From owner-freebsd-bugs Thu Aug 31 3:10:08 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 6F60037B42C for ; Thu, 31 Aug 2000 03:10:05 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id DAA48238; Thu, 31 Aug 2000 03:10:05 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Date: Thu, 31 Aug 2000 03:10:05 -0700 (PDT)
Message-Id: <200008311010.DAA48238@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
Cc:
From: Dima Dorfman
Subject: Re: bin/20952: ftpd doesn't honor account expiration time
Reply-To: Dima Dorfman
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The following reply was made to PR bin/20952; it has been noted by GNATS.
From: Dima Dorfman
To: wmd@clearLearning.com
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/20952: ftpd doesn't honor account expiration time
Date: Thu, 31 Aug 2000 03:06:03 -0700 (PDT)

> >Description:
> If a login account has an expiration date associated with it and
> that date passes, ftpd still allows login.
> >How-To-Repeat:
> Change the expiration date on an account with pw(1) and you'll
> still be able to login via FTP.
> >Fix:
> I would assume that FTPd should check the expiration date of an
> account as part of its security checks.

The problem occurs only when PAM authentication is used. The ftpd assumes that PAM will check the account expire date for it. In the pam_unix module, there's even a function, pam_sm_acct_mgmt(), that does it; however, I can't find if it's ever called. The patch below moves the expire date check to a place where it's run even if PAM said everything's okay.

I don't know if this is a bug in PAM or ftpd, but login(1) checks the expire date after PAM as well, so I'm assuming it's okay to do it this way.

This patch was made against 4.1-STABLE as of 2000/08/29. I don't know if it will apply cleanly against a 4.0 system.

~~~~ start diff
Index: ftpd.c
===================================================================
RCS file: /stage/cvs/FreeBSD/src/libexec/ftpd/ftpd.c,v
retrieving revision 1.62.2.4
diff -u -r1.62.2.4 ftpd.c
--- ftpd.c	2000/08/17 12:33:12	1.62.2.4
+++ ftpd.c	2000/08/31 09:47:19
@@ -1194,10 +1194,13 @@ rval = strcmp(crypt(passwd, pw->pw_passwd), pw->pw_passwd); #endif /* The strcmp does not catch null passwords! */ - if (*pw->pw_passwd == '\0' || - (pw->pw_expire && time(NULL) >= pw->pw_expire)) + if (*pw->pw_passwd == '\0') rval = 1; /* failure */ skip: + /* PAM doesn't check if the account expired like it should. */ + if (pw->pw_expire && time(NULL) >= pw->pw_expire) + rval = 1; /* failure */ + /* * If rval == 1, the user failed the authentication check * above. If rval == 0, either PAM or local authentication ~~~~ end diff Hope this helps -- Dima Dorfman Finger dima@unixfreak.org for my public PGP key. "Love is the triumph of imagination over intelligence." -- Henry Louis Mencken To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
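Review bot: the expiry check added after the `skip:` label now runs on every path that reaches the label, not only after the local crypt() comparison, so confirm that `pw` cannot be NULL at `skip:` (any earlier path that sets `rval` and jumps straight to the label for an unknown user would dereference `pw->pw_expire`); a guard of the form `if (pw != NULL && pw->pw_expire && time(NULL) >= pw->pw_expire)` makes the check safe regardless of how the label is reached. Separately, the comment `/* PAM doesn't check if the account expired like it should. */` names a symptom rather than the cause: as the message itself says, pam_sm_acct_mgmt() exists but nothing in ftpd's PAM path appears to call pam_acct_mgmt(3), so either say that in the comment or have auth_pam() call pam_acct_mgmt() after a successful pam_authenticate(), which would let this duplicate check be dropped later.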