summaryrefslogtreecommitdiff
path: root/modules
diff options
context:
space:
mode:
authorTomas Mraz <tm@t8m.info>2009-02-26 18:56:12 +0000
committerTomas Mraz <tm@t8m.info>2009-02-26 18:56:12 +0000
commit5891c5508e3b9ba699a6a6ba3dae9221a45528e5 (patch)
tree11f0bfce0b989303da194baff95d4655733b9dcc /modules
parentca06584b38da8c44c26da19399a1bfd802ef5ee4 (diff)
Relevant BUGIDs: debian#514437 rhbz#487216
Purpose of commit: bugfix Commit summary: --------------- 2009-02-26 Tomas Mraz <t8m@centrum.cz> * xtests/Makefile.am: Add tst-pam_unix4. * xtests/tst-pam_unix4.c: New test for password change and shadow min days limit. * xtests/tst-pam_unix4.pamd: Likewise. * xtests/tst-pam_unix4.sh: Likewise. * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Ignore PAM_AUTHTOK_ERR on shadow verification. * modules/pam_unix/passverify.c (check_shadow_expiry): Return PAM_AUTHTOK_ERR if sp_min limit for password change is defied.
Diffstat (limited to 'modules')
-rw-r--r--modules/pam_unix/pam_unix_acct.c3
-rw-r--r--modules/pam_unix/passverify.c10
2 files changed, 12 insertions, 1 deletions
diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
index 3a40d8d3..40ff3c06 100644
--- a/modules/pam_unix/pam_unix_acct.c
+++ b/modules/pam_unix/pam_unix_acct.c
@@ -249,6 +249,9 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
_make_remark(pamh, ctrl, PAM_ERROR_MSG,
_("Your account has expired; please contact your system administrator"));
break;
+ case PAM_AUTHTOK_ERR:
+ retval = PAM_SUCCESS;
+ /* fallthrough */
case PAM_SUCCESS:
if (daysleft >= 0) {
pam_syslog(pamh, LOG_DEBUG,
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index 281716e0..360bd90b 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -272,8 +272,16 @@ PAMH_ARG_DECL(int check_shadow_expiry,
*daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays);
D(("warn before expiry"));
}
+ if ((curdays - spent->sp_lstchg < spent->sp_min)
+ && (spent->sp_min != -1)) {
+ /*
+ * The last password change was too recent. This error will be ignored
+ * if no password change is attempted.
+ */
+ D(("password change too recent"));
+ return PAM_AUTHTOK_ERR;
+ }
return PAM_SUCCESS;
-
}
/* passwd/salt conversion macros */