diff options
| -rw-r--r-- | debian/NEWS | 19 | ||||
| -rw-r--r-- | debian/changelog | 5 | ||||
| -rw-r--r-- | debian/patches-applied/007_modules_pam_unix | 42 |
3 files changed, 24 insertions, 42 deletions
diff --git a/debian/NEWS b/debian/NEWS index f644dc45..327df1ac 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -9,6 +9,25 @@ pam (1.1.0-1) unstable; urgency=low The pam_unix module still does its own check of /etc/security/opasswd, so if you are using this module you should not need to change anything. + * Change in handling of /etc/shadow fields + + The Debian PAM package included a patch to treat a value of 0 in certain + fields in /etc/shadow as the same as an empty field. This patch has + been dropped, since it caused the behavior of pam_unix to differ from + both that of PAM upstream and that of the shadow package. + + The main consequences of this change are that: + + - a "0" in the sp_expire field will be treated as a date of Jan 1, 1970 + instead of a "never expires" value, so users with this set will be + unable to log in + + - a "0" in the sp_inact field will indicate that the user should not be + allowed to change an expired password at all, instead of being allowed + to change an expired at any time after the expiry. + + See Debian bug #308229 for more information about this change. + -- Steve Langasek <vorlon@debian.org> Tue, 25 Aug 2009 00:13:57 -0700 pam (0.99.10.0-1) unstable; urgency=low diff --git a/debian/changelog b/debian/changelog index a0997f8e..7b752138 100644 --- a/debian/changelog +++ b/debian/changelog @@ -17,6 +17,11 @@ pam (1.1.0-1) UNRELEASED; urgency=low symbols. * Add /sbin/mkhomedir_helper to libpam-modules. * Document that pam_cracklib no longer checks /etc/security/opasswd. + * debian/patches/007_modules_pam_unix: drop divergence from upstream + that treats "0" as a special value in various fields in /etc/shadow, + and document this in debian/NEWS. Thanks to Nicolas François + <nicolas.francois@centraliens.net> for the detailed analysis. + Closes: #308229. -- Steve Langasek <vorlon@debian.org> Mon, 24 Aug 2009 01:23:18 -0700 diff --git a/debian/patches-applied/007_modules_pam_unix b/debian/patches-applied/007_modules_pam_unix index 3a8446c7..8eedeaea 100644 --- a/debian/patches-applied/007_modules_pam_unix +++ b/debian/patches-applied/007_modules_pam_unix @@ -598,48 +598,6 @@ Index: pam.deb/modules/pam_unix/pam_unix_sess.c retval = pam_get_item(pamh, PAM_USER, (void *) &user_name); if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) { -Index: pam.deb/modules/pam_unix/passverify.c -=================================================================== ---- pam.deb.orig/modules/pam_unix/passverify.c -+++ pam.deb/modules/pam_unix/passverify.c -@@ -240,7 +240,9 @@ - *daysleft = -1; - curdays = (long int)(time(NULL) / (60 * 60 * 24)); - D(("today is %d, last change %d", curdays, spent->sp_lstchg)); -- if ((curdays > spent->sp_expire) && (spent->sp_expire != -1)) { -+ if ((curdays > spent->sp_expire) && (spent->sp_expire != -1) -+ && (spent->sp_expire != 0)) -+ { - D(("account expired")); - return PAM_ACCT_EXPIRED; - } -@@ -258,17 +260,23 @@ - if ((curdays - spent->sp_lstchg > spent->sp_max) - && (curdays - spent->sp_lstchg > spent->sp_inact) - && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact) -- && (spent->sp_max != -1) && (spent->sp_inact != -1)) { -+ && (spent->sp_max != -1) && (spent->sp_max != 0) -+ && (spent->sp_inact != -1) && (spent->sp_inact != 0)) -+ { - *daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays); - D(("authtok expired")); - return PAM_AUTHTOK_EXPIRED; - } -- if ((curdays - spent->sp_lstchg > spent->sp_max) && (spent->sp_max != -1)) { -+ if ((curdays - spent->sp_lstchg > spent->sp_max) -+ && (spent->sp_max != -1) && (spent->sp_max != 0)) -+ { - D(("need a new password 2")); - return PAM_NEW_AUTHTOK_REQD; - } - if ((curdays - spent->sp_lstchg > spent->sp_max - spent->sp_warn) -- && (spent->sp_max != -1) && (spent->sp_warn != -1)) { -+ && (spent->sp_max != -1) && (spent->sp_warn != -1) -+ && (spent->sp_max != 0) && (spent->sp_warn != 0)) -+ { - *daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays); - D(("warn before expiry")); - } Index: pam.deb/modules/pam_unix/pam_unix.8 =================================================================== --- pam.deb.orig/modules/pam_unix/pam_unix.8 |