Full_Name: Ryan Tandy
Version: 2.4
OS: Debian
URL:
Submission from: (NULL) (24.68.37.4)

If I write to the socket, un-base64ed:

AQAAACVOAAAGAAAAcnRhbmR5HAAAAHVpZD1ydGFuZHksZGM9ZXhhbXBsZSxkYz1jb20GAAAAcGFzc3dkAAAAAAQAAABhc2Rm

(pwmod action, uid 'rtandy', dn 'uid=rtandy,dc=example,dc=com', service 'passwd', opw '', npw 'asdf')

nssov will change rtandy's password, assuming ACLs permit userPassword mods by self.

Furthermore, if I set nssov-pwdmgr-dn to 'cn=pwdmgr,dc=example,dc=com' and then write to the socket, un-base64ed:

AQAAACVOAAAGAAAAcnRhbmR5GwAAAGNuPXB3ZG1ncixkYz1leGFtcGxlLGRjPWNvbQYAAABwYXNzd2QAAAAABAAAAGFzZGY=

(pwmod action, uid 'rtandy', dn 'cn=pwdmgr,dc=example,dc=com', service 'passwd', opw '', npw 'asdf')

then rtandy's password will be changed using pwdmgr privileges. IMO only root should be allowed to do this, not unprivileged users. (passwd(1) enforces the same rule.)

I also noticed that pwmod always bails out if no pwdmgr dn is configured, even if it shouldn't be needed (i.e. user changing own password).

The following patches solve these problems by requiring the old password to be supplied unless working as pwdmgr; by only allowing root to authc or pwmod as pwdmgr (adapted from nss-pam-ldapd); and by silently skipping the pwdmgr check if it's not configured.

ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-require-old-password-unless-pwdmgr.patch
ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-only-allow-root-to-become-pwdmgr.patch
ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-allow-user-pwmod-without-pwdmgr-configured.patch
Thanks for the report.

> I also noticed that pwmod always bails out if no pwdmgr dn is configured, even
> if it shouldn't be needed (ie. user changing own password).
>
> The following patches solve these problems by requiring the old password to be
> supplied unless working as pwdmgr; by only allowing root to authc or pwmod as
> pwdmgr (adapted from nss-pam-ldapd); and by silently skipping the pwdmgr check
> if it's not configured.
>
> ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-require-old-password-unless-pwdmgr.patch

I think this patch is a bit off; it prevents root from supplying the old pwd.
(Which it must do if changing its own.)

> ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-only-allow-root-to-become-pwdmgr.patch
> ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-allow-user-pwmod-without-pwdmgr-configured.patch

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
On Mon, Mar 16, 2015 at 05:44:50PM +0000, hyc@symas.com wrote:
>> ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-require-old-password-unless-pwdmgr.patch
>
> I think this patch is a bit off; it prevents root from supplying the
> old pwd. (Which it must do if changing its own.)

I don't follow, sorry. If root is the pwdmgr, then the current code already omits the old password, even if the request includes it, and passwd_extop() seems to be fine with that. And if root auths as a DN different from the pwdmgr DN, then it's a normal self-change and the old password is checked. Did I get some part of that wrong?

You could argue that we should always check the old password if provided, even when working as pwdmgr. I would agree with that. It's not what the current code does, though.

And on my systems at least, passwd running as root never asks for the current password, even when changing root's own password. (Of course that might be different elsewhere.)
Ryan Tandy wrote:
> On Mon, Mar 16, 2015 at 05:44:50PM +0000, hyc@symas.com wrote:
>>> ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-require-old-password-unless-pwdmgr.patch
>>>
>>
>> I think this patch is a bit off; it prevents root from supplying the
>> old pwd. (Which it must do if changing its own.)
>
> I don't follow, sorry. If root is the pwdmgr, then the current code
> already omits the old password, even if the request includes it, and
> passwd_extop() seems to be fine with that.

True.

> And if root auths as a DN
> different from the pwdmgr DN, then it's a normal self-change and the old
> password is checked. Did I get some part of that wrong?
>
> You could argue that we should always check the old password if
> provided, even when working as pwdmgr. I would agree with that. It's not
> what the current code does, though.

Right, I think if we're in here anyway we should fix that.

> And on my systems at least, passwd running as root never asks for the
> current password, even when changing root's own password. (Of course
> that might be different elsewhere.)

Admittedly, it's been a long time since I've changed a root password, since I just use ssh keys most of the time.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
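As an added illustration (not code from this ITS thread, nssov, or nss-pam-ldapd), the following decodes the two pwmod requests quoted in the report using the nslcd wire layout they exhibit (little-endian int32 version and action, then int32-length-prefixed strings for uid, dn, service, old and new password) and applies the authorization policy the patches and replies argue for: only root may act as the pwdmgr DN, and any other change must carry the old password. The caller's uid is modelled as a hypothetical parameter standing in for the daemon's peer-credential check.

```python
import base64
import struct
from collections import namedtuple

NSLCD_VERSION = 1
NSLCD_ACTION_PAM_PWMOD = 0x4E25  # 20005, the action id seen in both requests in the report

# The two requests quoted in the report, still base64-encoded
SELF_CHANGE_B64 = "AQAAACVOAAAGAAAAcnRhbmR5HAAAAHVpZD1ydGFuZHksZGM9ZXhhbXBsZSxkYz1jb20GAAAAcGFzc3dkAAAAAAQAAABhc2Rm"
AS_PWDMGR_B64 = "AQAAACVOAAAGAAAAcnRhbmR5GwAAAGNuPXB3ZG1ncixkYz1leGFtcGxlLGRjPWNvbQYAAABwYXNzd2QAAAAABAAAAGFzZGY="

PwmodRequest = namedtuple("PwmodRequest", "uid dn service old_password new_password")


def _read_int32(buf, off):
    # nslcd sends native 32-bit ints; little-endian on the x86 host in the report
    return struct.unpack_from("<i", buf, off)[0], off + 4


def _read_string(buf, off):
    # A string is an int32 byte length followed by the bytes, with no terminator
    n, off = _read_int32(buf, off)
    if n < 0 or off + n > len(buf):
        raise ValueError("string length out of range")
    return buf[off:off + n].decode("utf-8"), off + n


def parse_pwmod(raw):
    """Decode a pwmod request: version, action, then uid, dn, service, opw, npw."""
    version, off = _read_int32(raw, 0)
    action, off = _read_int32(raw, off)
    if version != NSLCD_VERSION or action != NSLCD_ACTION_PAM_PWMOD:
        raise ValueError(f"not a pwmod request: version={version} action={action:#x}")
    values = []
    for _ in range(5):
        value, off = _read_string(raw, off)
        values.append(value)
    if off != len(raw):
        raise ValueError("trailing bytes after request")
    return PwmodRequest(*values)


def pwmod_allowed(req, caller_uid, pwdmgr_dn=None):
    """Policy from the thread. caller_uid is assumed to come from the daemon's peer-credential check (hypothetical)."""
    if pwdmgr_dn is not None and req.dn == pwdmgr_dn:
        if caller_uid != 0:
            return False, "only root may authenticate as the pwdmgr DN"
        return True, "root acting as pwdmgr; old password not required"
    # No pwdmgr configured, or some other DN: treat as a normal self-change
    if not req.old_password:
        return False, "old password required for a self-change"
    return True, "self-change, old password will be verified by the directory"
```

Both requests on the page carry an empty old password, so under this policy the first is refused as a self-change and the second is refused for any non-root caller.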
changed notes changed state Open to Test moved from Incoming to Contrib
changed notes changed state Test to Release
fixed in master fixed in RE25 fixed in RE24
changed notes changed state Release to Closed