
Re: Change password as root


On Thu, 2010-05-27 at 19:59 +0100, Mark Olliver wrote:
> My problem is that currently using libnss_ldap libpam_ldap the passwd
> program will change passwords of users without prompting for their
> password. This is needed as we allow not only admins to change
> passwords. We also allow admins of our customer via a sudo privilege
> to change passwords of users whom they control via group memberships.
> We can not be giving out the admin main password for this task nor can
> we be responsible for resetting passwords of all our client companies.
> 
> Do you have any other ideas which may help?

Attached is a patch (against SVN r1135) that implements a rootpwmodpw
option for nslcd. With this it is possible for root to change another
user's password without a prompt for the LDAP administrator password.

I believe the patch is secure against spoofing because:
 * the nslcd daemon only accepts password modification using rootpwmodpw
   if the caller is root [1]
 * the PAM module only tries to do passwordless password change if the
   real user id is root

I would welcome feedback on whether the above assumptions are correct
and whether they are correctly implemented in the patch. Testing and
feedback is more than welcome. With enough feedback, this will probably
land in the next release.

[1] This relies on information provided by compat/getpeercred.c. That
    code is very platform dependent and may not work on all platforms.
    Also, it is not always clear whether the effective or real user id
    is returned.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --

Attachment: rootpwmodpw.patch
Description: Text Data

--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users
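The daemon-side check described in the message (only honour a passwordless modification if the connecting process is root) and the footnote's question about real versus effective uid can be made concrete on Linux. The following is an added example, not code from the patch, from nslcd or from compat/getpeercred.c: it reads the peer credentials of an AF_UNIX socket with the Linux-specific SO_PEERCRED option, fails closed when they cannot be obtained, and shows with a socketpair() that the uid the kernel reports is the effective uid of the peer at the time of connect()/socketpair(), not its real uid. The function names (peer_credentials, peer_is_root, caller_real_uid_is_root, demo_peer_uid_matches_euid) are this example's own; other platforms use different interfaces (getpeereid() on the BSDs, for instance) and are not covered here.

```c
#define _GNU_SOURCE          /* struct ucred */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>

/* Linux only: fetch the credentials the kernel recorded for the peer of a
   connected AF_UNIX socket.  These are the peer's *effective* uid/gid (and
   its pid) as they were at connect()/socketpair() time.
   Returns 0 on success, -1 on any failure. */
int peer_credentials(int fd, uid_t *uid, gid_t *gid, pid_t *pid)
{
    struct ucred cred;
    socklen_t len = sizeof(cred);

    memset(&cred, 0, sizeof(cred));
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0)
        return -1;
    if (len != sizeof(cred))
        return -1;              /* unexpected size: do not trust it */
    *uid = cred.uid;
    *gid = cred.gid;
    *pid = cred.pid;
    return 0;
}

/* Daemon-side policy for a rootpwmodpw-style request: only a peer with
   uid 0 may modify another user's password without supplying the LDAP
   administrator password.  If credentials cannot be read, deny. */
int peer_is_root(int fd)
{
    uid_t uid;
    gid_t gid;
    pid_t pid;

    if (peer_credentials(fd, &uid, &gid, &pid) != 0)
        return 0;               /* fail closed */
    return uid == 0;
}

/* Client-side (PAM module) policy from the message: attempt the
   passwordless change only when the *real* uid is root, so a setuid-root
   helper run by an ordinary user does not qualify. */
int caller_real_uid_is_root(void)
{
    return getuid() == 0;
}

/* Demonstration: both ends of a socketpair() belong to this process, so the
   peer credentials must be our own effective uid and our pid.
   Returns 1 if they match, 0 if not, -1 on error. */
int demo_peer_uid_matches_euid(void)
{
    int sv[2];
    uid_t uid;
    gid_t gid;
    pid_t pid;
    int rc;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    rc = peer_credentials(sv[0], &uid, &gid, &pid);
    close(sv[0]);
    close(sv[1]);
    if (rc != 0)
        return -1;
    return (uid == geteuid() && pid == getpid()) ? 1 : 0;
}

int main(void)
{
    printf("peer uid matches euid: %d\n", demo_peer_uid_matches_euid());
    printf("this process has real uid 0: %d\n", caller_real_uid_is_root());
    return 0;
}
```

The practical consequence for the footnote: with SO_PEERCRED a setuid-root client connecting to the daemon is reported as uid 0 regardless of who invoked it, which is why the PAM module's own check on the real uid (getuid()) is the half of the design that distinguishes an administrator's session from an ordinary user running a setuid helper.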