Re: (ITS#8080) nssov allows users to change anyone's password
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8080) nssov allows users to change anyone's password
- From: ryan@nardis.ca
- Date: Mon, 16 Mar 2015 18:59:08 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
On Mon, Mar 16, 2015 at 05:44:50PM +0000, hyc@symas.com wrote:
>> ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-require-old-password-unless-pwdmgr.patch
>
>I think this patch is a bit off; it prevents root from supplying the
>old pwd. (Which it must do if changing its own.)
I don't follow, sorry. If root is the pwdmgr, then the current code
already omits the old password, even if the request includes it, and
passwd_extop() seems to be fine with that. And if root auths as a DN
different from the pwdmgr DN, then it's a normal self-change and the old
password is checked. Did I get some part of that wrong?
You could argue that we should always check the old password if
provided, even when working as pwdmgr. I would agree with that. It's not
what the current code does, though.
And on my systems at least, passwd running as root never asks for the
current password, even when changing root's own password. (Of course
that might be different elsewhere.)