Re: (ITS#8080) nssov allows users to change anyone's password
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8080) nssov allows users to change anyone's password
- From: hyc@symas.com
- Date: Wed, 18 Mar 2015 20:35:13 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Ryan Tandy wrote:
> On Mon, Mar 16, 2015 at 05:44:50PM +0000, hyc@symas.com wrote:
>>> ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-require-old-password-unless-pwdmgr.patch
>>>
>>
>> I think this patch is a bit off; it prevents root from supplying the
>> old pwd. (Which it must do if changing its own.)
>
> I don't follow, sorry. If root is the pwdmgr, then the current code
> already omits the old password, even if the request includes it, and
> passwd_extop() seems to be fine with that.
True.
> And if root auths as a DN
> different from the pwdmgr DN, then it's a normal self-change and the old
> password is checked. Did I get some part of that wrong?
>
> You could argue that we should always check the old password if
> provided, even when working as pwdmgr. I would agree with that. It's not
> what the current code does, though.
Right, I think if we're in here anyway we should fix that.
> And on my systems at least, passwd running as root never asks for the
> current password, even when changing root's own password. (Of course
> that might be different elsewhere.)
Admittedly, it's been a long time since I've changed a root password, since I just use ssh keys most of the time.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
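The two policies the thread contrasts, as an added C model that is not code from the nssov overlay, the patch, or OpenLDAP. The function names, the three-way outcome (reject, check the supplied old password, or skip it under pwdmgr privilege), the sample DNs, and the rule that a non-pwdmgr requester may only change its own entry are assumptions made for this illustration; `decide_current` follows Ryan's description of the existing code (the old password is dropped whenever the requester is the pwdmgr), and `decide_proposed` follows the behaviour both participants say they would prefer (an old password that was supplied is always checked).

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added illustration of the two password-change policies discussed in the
 * thread.  This is NOT nssov or OpenLDAP code; the names, the three-way
 * outcome and the target-DN restriction are assumptions of this model. */

typedef enum {
    PW_REJECT,      /* refuse the change outright */
    PW_CHECK_OLD,   /* hand the supplied old password to the extop for checking */
    PW_SKIP_OLD     /* pwdmgr privilege: change without the old password */
} pw_decision;

typedef struct {
    const char *auth_dn;     /* DN the nssov client is acting as */
    const char *target_dn;   /* entry whose password is being changed */
    const char *pwdmgr_dn;   /* configured password manager DN, or NULL */
    bool        old_pw_sent; /* the request carried the current password */
} pwchange_req;

static bool is_pwdmgr(const pwchange_req *r)
{
    return r->pwdmgr_dn != NULL && strcmp(r->auth_dn, r->pwdmgr_dn) == 0;
}

/* Current behaviour as described in the thread: acting as pwdmgr drops the
 * old password even when the request included it.  Everyone else is a
 * self-change that must carry the old password ("require old password
 * unless pwdmgr"); the own-entry-only check is an assumption of the model. */
pw_decision decide_current(const pwchange_req *r)
{
    if (is_pwdmgr(r))
        return PW_SKIP_OLD;
    if (strcmp(r->auth_dn, r->target_dn) != 0)
        return PW_REJECT;           /* not the pwdmgr, not your own entry */
    return r->old_pw_sent ? PW_CHECK_OLD : PW_REJECT;
}

/* Behaviour both participants say they would prefer: a supplied old
 * password is always checked, pwdmgr or not; pwdmgr privilege only stands
 * in for a *missing* old password. */
pw_decision decide_proposed(const pwchange_req *r)
{
    bool mgr = is_pwdmgr(r);
    if (!mgr && strcmp(r->auth_dn, r->target_dn) != 0)
        return PW_REJECT;           /* only the pwdmgr may touch other entries */
    if (r->old_pw_sent)
        return PW_CHECK_OLD;        /* check it even when acting as pwdmgr */
    return mgr ? PW_SKIP_OLD : PW_REJECT;
}

static const char *name(pw_decision d)
{
    return d == PW_REJECT ? "reject" : d == PW_CHECK_OLD ? "check old" : "skip old";
}

int main(void)
{
    /* Constructed sample requests; the DNs are placeholders, not real data. */
    const char *mgr = "cn=pwmgr,dc=example,dc=org";
    const pwchange_req cases[] = {
        { mgr, "uid=bob,dc=example,dc=org", mgr, true  },   /* pwdmgr, old pw sent */
        { mgr, "uid=bob,dc=example,dc=org", mgr, false },   /* pwdmgr, no old pw */
        { "uid=alice,dc=example,dc=org", "uid=alice,dc=example,dc=org", mgr, true  },
        { "uid=alice,dc=example,dc=org", "uid=alice,dc=example,dc=org", mgr, false },
        { "uid=alice,dc=example,dc=org", "uid=bob,dc=example,dc=org",   mgr, true  },
    };
    size_t n = sizeof cases / sizeof cases[0];
    printf("%-28s %-28s %-7s %-10s %-10s\n",
           "auth_dn", "target_dn", "old pw", "current", "proposed");
    for (size_t i = 0; i < n; i++) {
        const pwchange_req *r = &cases[i];
        printf("%-28s %-28s %-7s %-10s %-10s\n", r->auth_dn, r->target_dn,
               r->old_pw_sent ? "yes" : "no",
               name(decide_current(r)), name(decide_proposed(r)));
    }
    return 0;
}
```

The first row of the table is the one the thread is about: the same request, a pwdmgr bind that did include the current password, is passed through unchecked under the current policy and checked under the proposed one. A bind that is not the pwdmgr cannot change another entry under either policy, which is the point of ITS#8080's title.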