
Re: (ITS#8080) nssov allows users to change anyone's password

Thanks for the report.

> I also noticed that pwmod always bails out if no pwdmgr dn is configured, even
> if it shouldn't be needed (i.e. user changing own password).
> The following patches solve these problems by requiring the old password to be
> supplied unless working as pwdmgr; by only allowing root to authc or pwmod as
> pwdmgr (adapted from nss-pam-ldapd); and by silently skipping the pwdmgr check
> if it's not configured.
> ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-require-old-password-unless-pwdmgr.patch

I think this patch is a bit off; it prevents root from supplying the old pwd. (Which it must do if changing its own.)

> ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-only-allow-root-to-become-pwdmgr.patch
> ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-allow-user-pwmod-without-pwdmgr-configured.patch

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
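The pwmod policy the report describes (old password required unless acting as pwdmgr; only root may act as pwdmgr; pwdmgr check skipped when no pwdmgr dn is configured), written out as a decision function so the cases can be checked one by one. This is an added illustration, not code from nssov or from the patches linked above; the request fields and the `decide_pwmod` function are assumptions made for the example. The last case in the demo is the one the reply raises: root changing its own password, not as pwdmgr, must still be allowed to supply (and be checked against) the old password.

```python
# Added example: model of the nssov pwmod authorization policy as described
# in the ITS#8080 thread. Constructed illustration, not nssov code.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class PwmodRequest:
    caller_uid: int               # uid of the local process asking nssov (0 = root)
    caller_user: str              # account the caller authenticated as
    target_user: str              # account whose password is to be changed
    as_pwdmgr: bool               # caller asks to operate as the password manager
    old_password: Optional[str]   # old password supplied by the caller, or None


def decide_pwmod(req: PwmodRequest, pwdmgr_dn_configured: bool) -> Tuple[bool, str]:
    """Return (allowed, reason) for a password-modify request.

    Policy (from the thread, not from the patch source):
      * only root may act as pwdmgr;
      * pwdmgr mode needs a configured pwdmgr dn;
      * anyone else may change only their own password and must supply the
        old one, regardless of whether a pwdmgr dn is configured.
    """
    if req.as_pwdmgr:
        if req.caller_uid != 0:
            return False, "only root may act as pwdmgr"
        if not pwdmgr_dn_configured:
            return False, "no pwdmgr dn configured"
        # pwdmgr binds with its own credentials; old password not required.
        return True, "pwdmgr change by root"

    # Self-service path: never consult the pwdmgr dn at all.
    if req.target_user != req.caller_user:
        return False, "may only change own password without pwdmgr"
    if req.old_password is None:
        return False, "old password required"
    # The old password is then verified by the server on bind; a wrong one
    # fails there rather than here.
    return True, "self-service change with old password"


if __name__ == "__main__":
    # Constructed sample requests covering each branch of the policy.
    cases = [
        ("user changes own, with old pw",      PwmodRequest(1000, "alice", "alice", False, "s3cret"), True),
        ("user changes other's (the ITS bug)", PwmodRequest(1000, "alice", "bob",   False, "s3cret"), True),
        ("user changes own, no old pw",        PwmodRequest(1000, "alice", "alice", False, None),     True),
        ("user tries to act as pwdmgr",        PwmodRequest(1000, "alice", "bob",   True,  None),     True),
        ("root as pwdmgr, dn configured",      PwmodRequest(0,    "root",  "bob",   True,  None),     True),
        ("root as pwdmgr, dn not configured",  PwmodRequest(0,    "root",  "bob",   True,  None),     False),
        ("root changes own, with old pw",      PwmodRequest(0,    "root",  "root",  False, "s3cret"), False),
    ]
    for label, req, configured in cases:
        allowed, reason = decide_pwmod(req, configured)
        print(f"{label:38s} -> {'ALLOW' if allowed else 'DENY ':5s} ({reason})")
```

Running the block prints one line per case; the only DENY lines are the cross-user change, the missing old password, the non-root pwdmgr attempt, and pwdmgr mode without a configured dn.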