Relevant BUGIDs: 1245888

Purpose of commit: bugfix

Commit summary:
---------------
        * modules/pam_unix/pam_unix_passwd.c (_unix_verify_shadow): Change the
        logic when comparing dates to handle corner cases better [#1245888].

1 files changed, 14 insertions, 3 deletions

diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index 727f3b3b..f433ab2c 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -923,10 +923,21 @@ static int _unix_verify_shadow(pam_handle_t *pamh, const char *user, unsigned in
 		if (off(UNIX__IAMROOT, ctrl)) {
 			/* Get the current number of days since 1970 */
 			curdays = time(NULL) / (60 * 60 * 24);
-			if ((curdays < (spwdent->sp_lstchg + spwdent->sp_min))
-			    && (spwdent->sp_min != -1))
+			if (curdays < spent->sp_lstchg) {
+				pam_syslog(pamh, LOG_DEBUG,
+					"account %s has password changed in future",
+					uname);
+				curdays = spent->sp_lstchg;
+			}
+			if ((curdays - spwdent->sp_lstchg < spwdent->sp_min)
+				 && (spwdent->sp_min != -1))
+				/*
+				 * The last password change was too recent.
+				 */
 				retval = PAM_AUTHTOK_ERR;
-			else if ((curdays > (spwdent->sp_lstchg + spwdent->sp_max + spwdent->sp_inact))
+			else if ((curdays - spent->sp_lstchg > spent->sp_max)
+				 && (curdays - spent->sp_lstchg > spent->sp_inact)
+				 && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
 				 && (spwdent->sp_max != -1) && (spwdent->sp_inact != -1)
 				 && (spwdent->sp_lstchg != 0))
 				/*