authorSteve Langasek <vorlon@debian.org>2009-08-25 01:17:34 -0700
committerSteve Langasek <vorlon@debian.org>2019-01-08 21:25:56 -0800
commita852177c4fde4f21ca20abba1ca8d9db06824102 (patch)
tree8231cb0fd1f73de3bb882f00db50217ed4126dd0
parentf0a0a0150498209b9363ed088e1c6809a097d8f5 (diff)
debian/patches/007_modules_pam_unix: drop divergence from upstream
that treats "0" as a special value in various fields in /etc/shadow, and document this in debian/NEWS. Thanks to Nicolas François <nicolas.francois@centraliens.net> for the detailed analysis. Closes: #308229.
-rw-r--r--debian/NEWS19
-rw-r--r--debian/changelog5
-rw-r--r--debian/patches-applied/007_modules_pam_unix42
3 files changed, 24 insertions, 42 deletions
diff --git a/debian/NEWS b/debian/NEWS
index f644dc45..327df1ac 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -9,6 +9,25 @@ pam (1.1.0-1) unstable; urgency=low
The pam_unix module still does its own check of /etc/security/opasswd,
so if you are using this module you should not need to change anything.
+ * Change in handling of /etc/shadow fields
+
+ The Debian PAM package included a patch to treat a value of 0 in certain
+ fields in /etc/shadow as the same as an empty field. This patch has
+ been dropped, since it caused the behavior of pam_unix to differ from
+ both that of PAM upstream and that of the shadow package.
+
+ The main consequences of this change are that:
+
+ - a "0" in the sp_expire field will be treated as a date of Jan 1, 1970
+ instead of a "never expires" value, so users with this set will be
+ unable to log in
+
+ - a "0" in the sp_inact field will indicate that the user should not be
+ allowed to change an expired password at all, instead of being allowed
+ to change an expired at any time after the expiry.
+
+ See Debian bug #308229 for more information about this change.
+
-- Steve Langasek <vorlon@debian.org> Tue, 25 Aug 2009 00:13:57 -0700
pam (0.99.10.0-1) unstable; urgency=low
diff --git a/debian/changelog b/debian/changelog
index a0997f8e..7b752138 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -17,6 +17,11 @@ pam (1.1.0-1) UNRELEASED; urgency=low
symbols.
* Add /sbin/mkhomedir_helper to libpam-modules.
* Document that pam_cracklib no longer checks /etc/security/opasswd.
+ * debian/patches/007_modules_pam_unix: drop divergence from upstream
+ that treats "0" as a special value in various fields in /etc/shadow,
+ and document this in debian/NEWS. Thanks to Nicolas Fran├žois
+ <nicolas.francois@centraliens.net> for the detailed analysis.
+ Closes: #308229.
-- Steve Langasek <vorlon@debian.org> Mon, 24 Aug 2009 01:23:18 -0700
diff --git a/debian/patches-applied/007_modules_pam_unix b/debian/patches-applied/007_modules_pam_unix
index 3a8446c7..8eedeaea 100644
--- a/debian/patches-applied/007_modules_pam_unix
+++ b/debian/patches-applied/007_modules_pam_unix
@@ -598,48 +598,6 @@ Index: pam.deb/modules/pam_unix/pam_unix_sess.c
retval = pam_get_item(pamh, PAM_USER, (void *) &user_name);
if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) {
-Index: pam.deb/modules/pam_unix/passverify.c
-===================================================================
---- pam.deb.orig/modules/pam_unix/passverify.c
-+++ pam.deb/modules/pam_unix/passverify.c
-@@ -240,7 +240,9 @@
- *daysleft = -1;
- curdays = (long int)(time(NULL) / (60 * 60 * 24));
- D(("today is %d, last change %d", curdays, spent->sp_lstchg));
-- if ((curdays > spent->sp_expire) && (spent->sp_expire != -1)) {
-+ if ((curdays > spent->sp_expire) && (spent->sp_expire != -1)
-+ && (spent->sp_expire != 0))
-+ {
- D(("account expired"));
- return PAM_ACCT_EXPIRED;
- }
-@@ -258,17 +260,23 @@
- if ((curdays - spent->sp_lstchg > spent->sp_max)
- && (curdays - spent->sp_lstchg > spent->sp_inact)
- && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
-- && (spent->sp_max != -1) && (spent->sp_inact != -1)) {
-+ && (spent->sp_max != -1) && (spent->sp_max != 0)
-+ && (spent->sp_inact != -1) && (spent->sp_inact != 0))
-+ {
- *daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays);
- D(("authtok expired"));
- return PAM_AUTHTOK_EXPIRED;
- }
-- if ((curdays - spent->sp_lstchg > spent->sp_max) && (spent->sp_max != -1)) {
-+ if ((curdays - spent->sp_lstchg > spent->sp_max)
-+ && (spent->sp_max != -1) && (spent->sp_max != 0))
-+ {
- D(("need a new password 2"));
- return PAM_NEW_AUTHTOK_REQD;
- }
- if ((curdays - spent->sp_lstchg > spent->sp_max - spent->sp_warn)
-- && (spent->sp_max != -1) && (spent->sp_warn != -1)) {
-+ && (spent->sp_max != -1) && (spent->sp_warn != -1)
-+ && (spent->sp_max != 0) && (spent->sp_warn != 0))
-+ {
- *daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays);
- D(("warn before expiry"));
- }
Index: pam.deb/modules/pam_unix/pam_unix.8
===================================================================
--- pam.deb.orig/modules/pam_unix/pam_unix.8