Re: (ITS#8080) nssov allows users to change anyone's password

On Mon, Mar 16, 2015 at 05:44:50PM +0000, hyc@symas.com wrote:
>> ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-require-old-password-unless-pwdmgr.patch
>
>I think this patch is a bit off; it prevents root from supplying the 
>old pwd. (Which it must do if changing its own.)

I don't follow, sorry. If root is the pwdmgr, then the current code 
already omits the old password, even if the request includes it, and 
passwd_extop() seems to be fine with that. And if root auths as a DN 
different from the pwdmgr DN, then it's a normal self-change and the old 
password is checked. Did I get some part of that wrong?

You could argue that we should always check the old password if 
provided, even when working as pwdmgr. I would agree with that. It's not 
what the current code does, though.

And on my systems at least, passwd running as root never asks for the 
current password, even when changing root's own password. (Of course 
that might be different elsewhere.)