From: "Andrey A. Chernov"
To: markm@freebsd.org, des@freebsd.org, current@freebsd.org
Date: Sun, 20 Jan 2002 22:17:12 +0300
Subject: Step2, pam_unix just expired pass fix for review
Message-ID: <20020120191711.GA23576@nagual.pp.ru>

Bug: It is possible that when pam_sm_acct_mgmt() is called the password is not expired, but due to some delay between calls (like network delays for NIS passwords) it has expired at the moment of the pam_sm_authenticate() check. This may allow a user to enter with an expired password under some circumstances when he is not allowed to do so.

Fix: Use the traditional Unix check (like the one found in pre-PAM ftpd.c and login.c) for password expiration at the last moment, i.e. right after checking that it is valid.

--- pam_unix.c.bak1 Sun Jan 20 21:42:47 2002 +++ pam_unix.c Sun Jan 20 21:58:45 2002 @@ -152,6 +152,8 @@ retval = strcmp(encrypted, pwd->pw_passwd) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR; + if (pwd->pw_expire && time(NULL) >= pwd->pw_expire) + retval = PAM_AUTH_ERR; } else {

--
Andrey A. Chernov
http://ache.pp.ru/
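
Review bot: the added test after the strcmp() assignment looks only at pwd->pw_expire, which in FreeBSD's struct passwd is the account expiration time, while the message describes an expired password; the password change time lives in pwd->pw_change and is not tested in this hunk. If the goal is to close the window for both conditions, consider adding the matching "pwd->pw_change && time(NULL) >= pwd->pw_change" test here, or state in the commit message that only account expiry is covered. The new lines also overwrite retval with PAM_AUTH_ERR whether or not the strcmp() succeeded, so a caller or log reader cannot tell a wrong password from a correct password on an expired entry; a short comment above the check explaining that it deliberately repeats the pam_sm_acct_mgmt() test at authentication time would help, as would reading time(NULL) once into a local so any further expiry tests compare against the same instant.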