From owner-freebsd-bugs@FreeBSD.ORG Mon May 24 15:20:35 2004
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 775D616A4CE for ; Mon, 24 May 2004 15:20:35 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 589EF43D41 for ; Mon, 24 May 2004 15:20:35 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) i4OMKHWu010284 for ; Mon, 24 May 2004 15:20:17 -0700 (PDT) (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i4OMKGL3010271; Mon, 24 May 2004 15:20:16 -0700 (PDT) (envelope-from gnats)
Resent-Date: Mon, 24 May 2004 15:20:16 -0700 (PDT)
Resent-Message-Id: <200405242220.i4OMKGL3010271@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Russell Cloran
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A567516A4CE for ; Mon, 24 May 2004 15:11:04 -0700 (PDT)
Received: from server.rucus.ru.ac.za (server.rucus.ru.ac.za [146.231.115.1]) by mx1.FreeBSD.org (Postfix) with SMTP id 11E5443D2F for ; Mon, 24 May 2004 15:11:01 -0700 (PDT) (envelope-from russell@rucus.ru.ac.za)
Received: (qmail 85343 invoked from network); 24 May 2004 22:10:59 -0000
Received: from shell-em0.rucus.ru.ac.za (russell@10.0.0.1) by server-em0.rucus.ru.ac.za with QMQP; 24 May 2004 22:10:59 -0000
Message-Id: <20040524221059.19806.qmail@shell.rucus.ru.ac.za>
Date: 24 May 2004 22:10:59 -0000
From: Russell Cloran
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
cc: sysadmin@rucus.ru.ac.za
Subject: bin/67142: rpc.yppasswdd incorrectly throws errors about invalid shells with -s
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Russell Cloran
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 24 May 2004 22:20:35 -0000

>Number: 67142
>Category: bin
>Synopsis: rpc.yppasswdd incorrectly throws errors about invalid shells with -s
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon May 24 15:20:16 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator: Russell Cloran
>Release: FreeBSD 5.1-RELEASE-p13 i386
>Organization: RUCUS
>Environment:
System: FreeBSD shell.rucus.ru.ac.za 5.1-RELEASE-p13 FreeBSD 5.1-RELEASE-p13 #3: Thu Feb 5 21:18:42 SAST 2004 drs@shell.rucus.ru.ac.za:/usr/obj/usr/src/sys/SHELL i386

This problem still exists on FreeBSD 5.2-CURRENT, as far as I can see. Although I have not looked at the code, I believe that this problem did not (does not) exist in FreeBSD 4.X (ICBW).
>Description:
The rpc.yppasswdd has an option to not allow shell changes (-s), but is always passed a shell by the remote yppasswd. If an NIS client overrides the shell provided by the ypserv, then yppasswd (pam_unix, actually, afaict) will pass this new shell to the yppasswdd. If this shell has been set on the client to a shell which is invalid on the server, a user will never be able to change their password on the client.
It seems that the following thread on freebsd-questions is evidence of this problem:
http://www.freebsd.org/cgi/getmsg.cgi?fetch=1145286+1148268+/usr/local/www/db/text/2004/freebsd-questions/20040425.freebsd-questions
>How-To-Repeat:
With client passwd file containing something like

+:*:::::/sbin/nologin

and "/sbin/nologin" not in the server's /etc/shells, an attempt to use passwd(1) causes the following error, as shown in the system logs:

May 24 14:53:39 shell rpc.yppasswdd[62598]: /sbin/nologin is not a valid shell
May 24 14:53:39 shell rpc.yppasswdd[62598]: rejecting change attempt: bad arguments
May 24 14:53:39 shell rpc.yppasswdd[62598]: client address: 10.0.0.2 username: russell

on the NIS client side, error output might look something like,

passwd: pam_chauthtok(): error in service module

and something like the following in the syslog,

May 25 00:05:19 server passwd: in pam_sm_chauthtok(): yppasswd_remote(): NIS password update failed: shell.rucus.ru.ac.za: RPC: Server can't decode arguments

("server" is our NIS client)
>Fix:
The following patch causes invalid shells not to be rejected if the shell is not going to be changed anyways:

--- yppasswdd_server.c.orig Sun Jun 15 23:24:45 2003 +++ yppasswdd_server.c Mon May 24 23:42:47 2004 @@ -196,12 +196,12 @@ * Don't allow the user to shoot himself in the foot, * even on purpose. */ - if (!ok_shell(npw->pw_shell)) { + if (!no_chsh && !ok_shell(npw->pw_shell)) { yp_error("%s is not a valid shell", npw->pw_shell); return(1); } - if (validchars(npw->pw_shell)) { + if (!no_chsh && validchars(npw->pw_shell)) { yp_error("specified shell contains invalid characters"); return(1); }

>Release-Note:
>Audit-Trail:
>Unformatted:
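
Review bot: In the second changed condition, "if (!no_chsh && validchars(npw->pw_shell))", a client-supplied shell string now skips the invalid-character check whenever no_chsh is set, which is only safe if the code after this hunk never writes npw->pw_shell to the map in that mode, and the hunk does not show that. Rather than bypassing both checks, consider discarding the client's value when no_chsh is set (replace npw->pw_shell with the shell already stored for the user before these tests), so the validation stays unconditional and a request from a client with an overridden shell still succeeds. The comment above the checks ("Don't allow the user to shoot himself in the foot, even on purpose") no longer matches the code and should mention the no_chsh exception.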