Date: Thu, 31 Aug 2000 03:10:05 -0700 (PDT)
From: Dima Dorfman <dima@unixfreak.org>
To: freebsd-bugs@FreeBSD.org
Subject: Re: bin/20952: ftpd doesn't honor account expiration time
Message-ID: <200008311010.DAA48238@freefall.freebsd.org>
The following reply was made to PR bin/20952; it has been noted by GNATS.
From: Dima Dorfman <dima@unixfreak.org>
To: wmd@clearLearning.com
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/20952: ftpd doesn't honor account expiration time
Date: Thu, 31 Aug 2000 03:06:03 -0700 (PDT)
> >Description:
> If a login account has an expiration date associated with it and
> that date passes, ftpd still allows login.
> >How-To-Repeat:
> Change the expiration date on an account with pw(1) and you'll
> still be able to login via FTP.
> >Fix:
> I would assume that FTPd should check the expiration date of an
> account as part of its security checks.
The problem occurs only when PAM authentication is used. The ftpd
assumes that PAM will check the account expire date for it. In the
pam_unix module, there's even a function, pam_sm_acct_mgmt(), that
does it; however, I can't find whether it's ever called.
The patch below moves the expire date check to a place where it's run
even if PAM said everything's okay. I don't know if this is a bug in
PAM or ftpd, but login(1) checks the expire date after PAM as well, so
I'm assuming it's okay to do it this way.
This patch was made against 4.1-STABLE as of 2000/08/29. I don't know
if it will apply cleanly against a 4.0 system.
~~~~ start diff
Index: ftpd.c
===================================================================
RCS file: /stage/cvs/FreeBSD/src/libexec/ftpd/ftpd.c,v
retrieving revision 1.62.2.4
diff -u -r1.62.2.4 ftpd.c
--- ftpd.c 2000/08/17 12:33:12 1.62.2.4
+++ ftpd.c 2000/08/31 09:47:19
@@ -1194,10 +1194,13 @@
rval = strcmp(crypt(passwd, pw->pw_passwd), pw->pw_passwd);
#endif
/* The strcmp does not catch null passwords! */
- if (*pw->pw_passwd == '\0' ||
- (pw->pw_expire && time(NULL) >= pw->pw_expire))
+ if (*pw->pw_passwd == '\0')
rval = 1; /* failure */
skip:
+ /* PAM doesn't check if the account expired like it should. */
+ if (pw->pw_expire && time(NULL) >= pw->pw_expire)
+ rval = 1; /* failure */
+
/*
* If rval == 1, the user failed the authentication check
* above. If rval == 0, either PAM or local authentication
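Review bot: the new check after `skip:` dereferences `pw` unconditionally, and `skip:` is now the merge point for every authentication outcome, not just the local-password path shown in this hunk; confirm that no `goto skip` above arrives with `pw == NULL` (an unknown user, for instance) and otherwise guard it as `if (pw != NULL && pw->pw_expire && time(NULL) >= pw->pw_expire)`. The comment "PAM doesn't check if the account expired like it should" also overstates the case: PAM only runs the account-management stack (pam_unix's pam_sm_acct_mgmt) when the application calls pam_acct_mgmt() after pam_authenticate(), so the layered fix is to add that call on ftpd's PAM path; if the in-ftpd check is kept as a belt-and-braces measure, reword the comment to say that ftpd does not call pam_acct_mgmt() and so checks expiry itself.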
~~~~ end diff
Hope this helps
--
Dima Dorfman <dima@unixfreak.org>
Finger dima@unixfreak.org for my public PGP key.
"Love is the triumph of imagination over intelligence."
-- Henry Louis Mencken
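As an added illustration of the control-flow problem discussed in this reply, the following model (written for this page; it is not FreeBSD's ftpd, and `struct account`, `pam_stub_authenticate`, `pam_stub_unavailable` and the two `login_allowed_*` functions are hypothetical stand-ins) shows why an authorization check placed only on the local-password path is bypassed whenever the PAM path answers first, and how moving it after the merge point closes the hole. A plain `strcmp` stands in for `crypt()` and the PAM stub verifies only the credential, which is what `pam_authenticate()` alone does; the expiry policy would be `pam_acct_mgmt()`'s job, and this stub, like the ftpd described above, never calls it.

```c
/*
 * Added example, not ftpd code: a model of ftpd's pass() control flow.
 * All names here are hypothetical stand-ins for this illustration.
 */
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Stand-in for the struct passwd fields pass() consults. */
struct account {
    const char *pw_passwd;  /* stored credential; "" models a null password */
    time_t      pw_expire;  /* 0 means the account never expires */
};

/* Backend contract modelled on ftpd's PAM hook: 0 ok, 1 reject, -1 not handled. */
typedef int (*pam_auth_fn)(const struct account *acct, const char *passwd);

/* Stand-in for a PAM backend that only authenticates (no account management):
 * it never looks at pw_expire, so expired accounts pass this step. */
int pam_stub_authenticate(const struct account *acct, const char *passwd)
{
    return strcmp(passwd, acct->pw_passwd) == 0 ? 0 : 1;
}

/* Stand-in for PAM declining to answer, which forces the local path. */
int pam_stub_unavailable(const struct account *acct, const char *passwd)
{
    (void)acct;
    (void)passwd;
    return -1;
}

/* Flow before the patch: the expiry test lives only on the local path,
 * so a PAM verdict jumps straight past it. Returns 1 if login is allowed. */
int login_allowed_before(const struct account *acct, const char *passwd,
                         pam_auth_fn pam, time_t now)
{
    int rval;

    if (acct == NULL)
        return 0;
    if (pam != NULL) {
        rval = pam(acct, passwd);
        if (rval >= 0)
            goto skip;      /* PAM answered: everything below is bypassed */
    }
    rval = strcmp(passwd, acct->pw_passwd) != 0;    /* stands in for crypt()+strcmp */
    if (*acct->pw_passwd == '\0' ||
        (acct->pw_expire && now >= acct->pw_expire))
        rval = 1;           /* null password or expired account: failure */
skip:
    return rval == 0;
}

/* Flow after the patch: the expiry test sits after the merge point, so it
 * runs regardless of which backend produced the verdict. */
int login_allowed_after(const struct account *acct, const char *passwd,
                        pam_auth_fn pam, time_t now)
{
    int rval;

    if (acct == NULL)
        return 0;           /* guarantees acct is valid at skip: below */
    if (pam != NULL) {
        rval = pam(acct, passwd);
        if (rval >= 0)
            goto skip;
    }
    rval = strcmp(passwd, acct->pw_passwd) != 0;
    if (*acct->pw_passwd == '\0')
        rval = 1;
skip:
    /* Policy check common to both paths: an expired account never logs in. */
    if (acct->pw_expire && now >= acct->pw_expire)
        rval = 1;
    return rval == 0;
}
```

The interesting case is an account whose credential is correct but whose `pw_expire` is in the past: with the PAM stub, `login_allowed_before` admits it and `login_allowed_after` rejects it, while both reject it on the local path. The early `acct == NULL` return is what makes the dereference after `skip:` safe in the model; a real port of this check needs the same guarantee for every path that reaches the label.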
