5b6ef5fcbd
- fix CVE-2009-0579 (minimum days for password change ignored) (#487216) - pam_access: improve handling of hostname resolution
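--- a/modules/pam_unix/pam_unix_acct.c
+++ b/modules/pam_unix/pam_unix_acct.c
@@ -249,6 +249,9 @@
 _make_remark(pamh, ctrl, PAM_ERROR_MSG,
 _("Your account has expired; please contact your system administrator"));
 break;
+ case PAM_AUTHTOK_ERR:
+ retval = PAM_SUCCESS;
+ /* fallthrough */
 case PAM_SUCCESS:
 if (daysleft >= 0) {
 pam_syslog(pamh, LOG_DEBUG,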
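Review bot: The added `case PAM_AUTHTOK_ERR:` turns that result into `PAM_SUCCESS` for every source of `retval`, and nothing at the case says why an error code is being treated as success. If `retval` can also come from a path other than the shadow-expiry check (the switch head and the assignment to `retval` are outside this hunk, so that is not visible here), an unrelated token error would also let the account check pass. A comment on the case would make the intent auditable, for example `/* password changed too recently: only relevant to a password change, not to account validity */`. It is also worth confirming that no other producer of `retval` returns `PAM_AUTHTOK_ERR` for a different reason.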
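--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -272,8 +272,16 @@
 *daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays);
 D(("warn before expiry"));
 }
+ if ((curdays - spent->sp_lstchg < spent->sp_min)
+ && (spent->sp_min != -1)) {
+ /*
+ * The last password change was too recent. This error will be ignored
+ * if no password change is attempted.
+ */
+ D(("password change too recent"));
+ return PAM_AUTHTOK_ERR;
+ }
 return PAM_SUCCESS;
-
 }
 
 /* passwd/salt conversion macros */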
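Review bot: The new `return PAM_AUTHTOK_ERR;` makes the minimum-age result part of this function's contract, but that contract is described only in the inline comment, and enforcement depends entirely on what each caller does with the code. This patch shows the account path mapping it to success; the password-change caller that has to reject the change is not part of this diff, so it should be confirmed that it treats `PAM_AUTHTOK_ERR` as a refusal. The condition would read more clearly with the unset sentinel tested first, `if ((spent->sp_min != -1) && (curdays - spent->sp_lstchg < spent->sp_min)) {`. A `sp_lstchg` dated in the future makes the difference negative, so check that an earlier guard (outside this hunk) covers that case. The function starts outside the hunk.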