[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8080) nssov allows users to change anyone's password

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#8080) nssov allows users to change anyone's password
From: hyc@symas.com
Date: Wed, 18 Mar 2015 20:35:13 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

Ryan Tandy wrote:
> On Mon, Mar 16, 2015 at 05:44:50PM +0000, hyc@symas.com wrote:
>>> ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-require-old-password-unless-pwdmgr.patch
>>>
>>
>> I think this patch is a bit off; it prevents root from supplying the
>> old pwd. (Which it must do if changing its own.)
>
> I don't follow, sorry. If root is the pwdmgr, then the current code
> already omits the old password, even if the request includes it, and
> passwd_extop() seems to be fine with that.

True.

> And if root auths as a DN
> different from the pwdmgr DN, then it's a normal self-change and the old
> password is checked. Did I get some part of that wrong?
>
> You could argue that we should always check the old password if
> provided, even when working as pwdmgr. I would agree with that. It's not
> what the current code does, though.

Right, I think if we're in here anyway we should fix that.

> And on my systems at least, passwd running as root never asks for the
> current password, even when changing root's own password. (Of course
> that might be different elsewhere.)

Admittedly, it's been a long time since I've changed a root password, since I just use ssh keys most of the time.
  
-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Prev by Date: Re: (ITS#8062) Assertion 'IS_LEAF(mp)' failed in mdb_cursor_next()
Next by Date: Re: (ITS#8081) syncprov crash in syncprov_op_mod
Index(es):
- Chronological
- Thread