[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#8080) nssov allows users to change anyone's password

Full_Name: Ryan Tandy
Version: 2.4
OS: Debian
Submission from: (NULL) (

If I write to the socket, un-base64ed:


(pwmod action, uid 'rtandy', dn 'uid=rtandy,dc=example,dc=com', service
'passwd', opw '', npw 'asdf'90D

nssov will change rtandy's password, assuming ACLS permit userPassword mods by

Furthermore, if I set nssov-pwdmgr-dn to 'cn=pwdmgr,dc=example,dc=com' and then
write to the socket, un-base64ed:


(pwmod action, uid 'rtandy', dn 'cn=pwdmgr,dc=example,dc=com', service 'passwd',
opw '', npw 'asdf')

then rtandy's password will be changed using pwdmgr privileges. IMO only root
should be allowed to do this, not unprivileged users. (passwd(1) enforces the
same rule.)

I also noticed that pwmod always bails out if no pwdmgr dn is configured, even
if it shouldn't be needed (ie. user changing own password).

The following patches solve these problems by requiring the old password to be
supplied unless working as pwdmgr; by only allowing root to authc or pwmod as
pwdmgr (adapted from nss-pam-ldapd); and by silently skipping the pwdmgr check
if it's not configured.