From db740a48d4eb978a56f6871d8879eb432a1f3375 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Fri, 3 Dec 2004 09:43:10 +0000
Subject: Relevant BUGIDs: Red Hat bz 139539 Purpose of commit: bugfix Commit summary: --------------- Rearrange conditions in pam_unix_acct to make it more reliable with large values of expiration times.
---
 modules/pam_unix/pam_unix_acct.c | 34 ++++++++++++++++++++--------------
 1 file changed, 20 insertions(+), 14 deletions(-)
diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
index 01925eaf..02e07ba6 100644
--- a/modules/pam_unix/pam_unix_acct.c
+++ b/modules/pam_unix/pam_unix_acct.c
@@ -146,18 +146,6 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
 D(("account expired"));
 return PAM_ACCT_EXPIRED;
 }
- if ((curdays > (spent->sp_lstchg + spent->sp_max + spent->sp_inact))
- && (spent->sp_max != -1) && (spent->sp_inact != -1)
- && (spent->sp_lstchg != 0)) {
- _log_err(LOG_NOTICE, pamh
- ,"account %s has expired (failed to change password)"
- ,uname);
- _make_remark(pamh, ctrl, PAM_ERROR_MSG,
- "Your account has expired; please contact your system administrator");
- D(("account expired 2"));
- return PAM_ACCT_EXPIRED;
- }
- D(("when was the last change"));
 if (spent->sp_lstchg == 0) {
 _log_err(LOG_NOTICE, pamh
 ,"expired password for user %s (root enforced)"
@@ -167,7 +155,25 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
 D(("need a new password"));
 return PAM_NEW_AUTHTOK_REQD;
 }
- if (((spent->sp_lstchg + spent->sp_max) < curdays) && (spent->sp_max != -1)) {
+ if (curdays < spent->sp_lstchg) {
+ _log_err(LOG_DEBUG, pamh
+ ,"account %s has password changed in future"
+ ,uname);
+ return PAM_SUCCESS;
+ }
+ if ((curdays - spent->sp_lstchg > spent->sp_max)
+ && (curdays - spent->sp_lstchg > spent->sp_inact)
+ && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
+ && (spent->sp_max != -1) && (spent->sp_inact != -1)) {
+ _log_err(LOG_NOTICE, pamh
+ ,"account %s has expired (failed to change password)"
+ ,uname);
+ _make_remark(pamh, ctrl, PAM_ERROR_MSG,
+ "Your account has expired; please contact your system administrator");
+ D(("account expired 2"));
+ return PAM_ACCT_EXPIRED;
+ }
+ if ((curdays - spent->sp_lstchg > spent->sp_max) && (spent->sp_max != -1)) {
 _log_err(LOG_DEBUG, pamh
 ,"expired password for user %s (password aged)"
 ,uname);
@@ -176,7 +182,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
 D(("need a new password 2"));
 return PAM_NEW_AUTHTOK_REQD;
 }
- if ((curdays > (spent->sp_lstchg + spent->sp_max - spent->sp_warn))
+ if ((curdays - spent->sp_lstchg > spent->sp_max - spent->sp_warn)
 && (spent->sp_max != -1) && (spent->sp_warn != -1)) {
 daysleft = (spent->sp_lstchg + spent->sp_max) - curdays;
 _log_err(LOG_DEBUG, pamh
-- cgit v1.2.3
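Review bot: The new `if (curdays < spent->sp_lstchg)` branch in the second hunk (`@@ -167,7 +155,25 @@`) returns PAM_SUCCESS before the inactivity, aging and warning checks that follow it, so a last-change date in the future, or a system clock that has been set back, switches those checks off for the account, and the only trace is a LOG_DEBUG message. Failing open may be the intended policy here, but the event should be logged at a level operators actually collect, e.g. `_log_err(LOG_NOTICE, pamh, "account %s has password changed in future", uname);`, so a skewed clock or a wrong shadow entry gets noticed. Separately, `spent->sp_max + spent->sp_inact` in the third comparison can still overflow when both fields are large, which the two preceding comparisons appear to be guarding against; `curdays - spent->sp_lstchg - spent->sp_max > spent->sp_inact` avoids the sum altogether. pam_sm_acct_mgmt begins and ends outside this hunk.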
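Review bot: The context line `daysleft = (spent->sp_lstchg + spent->sp_max) - curdays;` directly below the rearranged warning condition in the third hunk (`@@ -176,7 +182,7 @@`) still adds sp_lstchg and sp_max, which is the sum the commit removes elsewhere to cope with large expiration values. With a large sp_max that addition can overflow, and anything derived from daysleft would then be wrong even though the condition above it is now safe. Writing it as `daysleft = spent->sp_max - (curdays - spent->sp_lstchg);` yields the same value without forming the sum. The warning block and pam_sm_acct_mgmt itself continue past the end of this hunk.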