
Re: (ITS#8080) nssov allows users to change anyone's password

Ryan Tandy wrote:
> On Mon, Mar 16, 2015 at 05:44:50PM +0000, hyc@symas.com wrote:
>>> ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-require-old-password-unless-pwdmgr.patch
>> I think this patch is a bit off; it prevents root from supplying the
>> old pwd. (Which it must do if changing its own.)
> I don't follow, sorry. If root is the pwdmgr, then the current code
> already omits the old password, even if the request includes it, and
> passwd_extop() seems to be fine with that.
> And if root auths as a DN
> different from the pwdmgr DN, then it's a normal self-change and the old
> password is checked. Did I get some part of that wrong?
> You could argue that we should always check the old password if
> provided, even when working as pwdmgr. I would agree with that. It's not
> what the current code does, though.

Right, I think if we're in here anyway we should fix that.

> And on my systems at least, passwd running as root never asks for the
> current password, even when changing root's own password. (Of course
> that might be different elsewhere.)

Admittedly, it's been a long time since I've changed a root password, since I just use ssh keys most of the time.
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
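The policy being debated above, modelled as an added example that is not part of this thread and not OpenLDAP's nssov or passwd_extop() code: a lenient handler in which a bind as the password manager drops the old password from the request and never checks it (the behaviour Ryan describes for the then-current code), beside a strict handler that verifies the old password whenever the request carries one, password manager included, and requires it for a self-change. The manager DN, the in-memory "directory" dict and the salted-hash storage are all constructed for the model.

```python
import hashlib
import hmac
import os

# Constructed manager DN for the model; not a real OpenLDAP configuration value.
PWDMGR_DN = "cn=pwdmgr,dc=example,dc=com"


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


def make_entry(password: str) -> dict:
    """Build a constructed directory entry holding a salted password hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_pw(password, salt)}


def verify_password(entry: dict, candidate: str) -> bool:
    """Constant-time comparison of a candidate against the stored hash."""
    return hmac.compare_digest(_hash_pw(candidate, entry["salt"]), entry["hash"])


def sample_directory() -> dict:
    """Constructed entries: the manager plus two ordinary users."""
    return {
        PWDMGR_DN: make_entry("mgr-secret"),
        "uid=alice,dc=example,dc=com": make_entry("alice-old"),
        "uid=bob,dc=example,dc=com": make_entry("bob-old"),
    }


def change_password_lenient(directory, bind_dn, target_dn, old_pw, new_pw):
    """Behaviour the thread describes for the then-current code: when the bound
    identity is the password manager, the old password is dropped from the
    request and never verified, even if the client supplied one."""
    if bind_dn == PWDMGR_DN:
        directory[target_dn] = make_entry(new_pw)
        return True, "pwdmgr change; old password ignored"
    if bind_dn != target_dn:
        return False, "only pwdmgr may change another entry's password"
    if old_pw is None or not verify_password(directory[target_dn], old_pw):
        return False, "old password missing or wrong"
    directory[target_dn] = make_entry(new_pw)
    return True, "self change; old password verified"


def change_password_strict(directory, bind_dn, target_dn, old_pw, new_pw):
    """Policy proposed in the thread: verify the old password whenever the
    request carries one, pwdmgr included; a self-change must carry it."""
    if bind_dn != PWDMGR_DN and bind_dn != target_dn:
        return False, "only pwdmgr may change another entry's password"
    if old_pw is None:
        # Only the manager may omit the old password (an administrative reset).
        if bind_dn != PWDMGR_DN:
            return False, "self change requires the old password"
    elif not verify_password(directory[target_dn], old_pw):
        # Supplied but wrong: refuse, no matter who is bound.
        return False, "old password wrong"
    directory[target_dn] = make_entry(new_pw)
    return True, "changed"


if __name__ == "__main__":
    alice = "uid=alice,dc=example,dc=com"
    d = sample_directory()
    print(change_password_lenient(d, PWDMGR_DN, alice, "not-the-old-one", "x"))
    d = sample_directory()
    print(change_password_strict(d, PWDMGR_DN, alice, "not-the-old-one", "x"))
```

The one case where the two handlers disagree is a manager bind that supplies a wrong old password: the lenient handler silently discards the field and proceeds, the strict one refuses. Everything else (administrative reset with no old password, self-change with the correct old password, a non-manager trying to touch another entry) is decided the same way by both.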