
Re: Change password as root

Arthur de Jong wrote:
> On Thu, 2010-05-27 at 19:59 +0100, Mark Olliver wrote:
>> My problem is that currently using libnss_ldap libpam_ldap the passwd
>> program will change passwords of users without prompting for their
>> password. This is needed as we allow not only admins to change
>> passwords. We also allow admins of our customer via a sudo privilege
>> to change passwords of users whom they control via group memberships.
>> We can not be giving out the admin main password for this task nor can
>> we be responsible for resetting passwords of all our client companies.
>>
>> Do you have any other ideas which may help?
> 
> Attached is a patch (against SVN r1135) that implements a rootpwmodpw
> option for nslcd. With this it is possible for root to change another
> user's password without a prompt for the LDAP administrator password.

nslcd(8) should die if nslcd.conf contains rootpwmodpw and the file is
world-readable.

> 
> I believe the patch is secure against spoofing because:
>  * the nslcd daemon only accepts password modification using rootpwmodpw
>    if the caller is root [1]
>  * the PAM module only tries to do passwordless password change if the
>    real user id is root
> 
> I would welcome feedback on whether the above assumptions are correct
> and whether they are correctly implemented in the patch. Testing and
> feedback is more than welcome. With enough feedback, this will probably
> land in the next release.
> 
> [1] This relies on information provided by compat/getpeercred.c. That
>     code is very platform dependent and may not work on all platforms.
>     Also, it is not always clear whether the effective or real user id
>     is returned.

--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users
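The two checks discussed in this thread, as an added illustration that is not code from the patch, from nss-pam-ldapd or from either poster: refusing to start when a config file carrying rootpwmodpw is readable by others, and honouring a passwordless modify request only when the Unix-socket peer is uid 0. The config parser is a minimal "option value" reader (an assumption, not nslcd's own), the peer lookup uses Linux SO_PEERCRED in place of the platform-dependent compat/getpeercred.c the patch relies on, and all function names and the sample config lines are constructed for this example.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Does the config contain a non-comment line whose first token is `option`?
   Minimal "option value" reader with '#' comments (assumption, not nslcd's). */
int config_has_option(const char *path, const char *option)
{
    FILE *f = fopen(path, "r");
    char line[1024];
    size_t n = strlen(option);
    int found = 0;
    if (f == NULL)
        return 0;
    while (!found && fgets(line, sizeof(line), f) != NULL) {
        char *p = line;
        while (isspace((unsigned char)*p))
            p++;
        if (*p == '#' || *p == '\0')
            continue;
        if (strncmp(p, option, n) == 0 &&
            (isspace((unsigned char)p[n]) || p[n] == '\0'))
            found = 1;
    }
    fclose(f);
    return found;
}

/* A file holding a credential is acceptable only if it is a regular file,
   owned by root or by the daemon's own uid, and neither readable nor
   writable by "other". Group access is left to local policy here. */
int secret_file_perms_ok(const char *path, uid_t daemon_uid)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    if (st.st_uid != 0 && st.st_uid != daemon_uid)
        return 0;
    if (st.st_mode & (S_IROTH | S_IWOTH))
        return 0;
    return 1;
}

/* Startup policy from the thread: refuse to run when the config carries
   rootpwmodpw but is world-readable. Returns 1 = refuse, 0 = may start. */
int must_refuse_start(const char *conf_path)
{
    if (!config_has_option(conf_path, "rootpwmodpw"))
        return 0;
    return secret_file_perms_ok(conf_path, getuid()) ? 0 : 1;
}

/* Identity of the peer on a connected AF_UNIX socket (Linux SO_PEERCRED).
   Returns 1 and fills *uid on success, 0 on error, -1 when the platform has
   no SO_PEERCRED so the caller can fail closed instead of guessing. */
int peer_uid(int fd, uid_t *uid)
{
#ifdef SO_PEERCRED
    struct ucred cred;
    socklen_t len = sizeof(cred);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0)
        return 0;
    *uid = cred.uid;
    return 1;
#else
    (void)fd; (void)uid;
    return -1;
#endif
}

/* Daemon-side rule from the patch description: a passwordless modify is
   honoured only when the peer is uid 0. Any failure to learn the peer's
   identity counts as "not root". */
int allow_rootpwmod(int fd)
{
    uid_t uid;
    return peer_uid(fd, &uid) == 1 && uid == 0;
}

/* Demo: write a throwaway config with the given mode and evaluate the
   startup policy against it. Returns the verdict, or -1 on setup failure. */
int demo_startup_policy(const char *contents, mode_t mode)
{
    char path[] = "/tmp/nslcd-demo-XXXXXX";
    int fd = mkstemp(path), verdict;
    if (fd < 0)
        return -1;
    if (write(fd, contents, strlen(contents)) < 0 || fchmod(fd, mode) != 0) {
        close(fd); unlink(path); return -1;
    }
    close(fd);
    verdict = must_refuse_start(path);
    unlink(path);
    return verdict;
}

/* Demo: probe peer_uid() on a socketpair; the peer is this process. */
int demo_local_peer_uid(uid_t *uid)
{
    int sv[2], rc;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 0;
    rc = peer_uid(sv[0], uid);
    close(sv[0]); close(sv[1]);
    return rc;
}
```

The permission check only looks at the "other" bits, which is exactly the world-readable case raised above; whether group-readable is acceptable depends on who is in the file's group, so that is left for local policy rather than hard-coded.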