Comment 8 for bug 869501

Steve Langasek (vorlon) wrote : Re: [Pkg-xfce-devel] Bug#735670: lightdm ask ldap administrator password when changing a password expired

On Mon, Jan 27, 2014 at 08:55:05PM +0100, Yves-Alexis Perez wrote:

> > Steve about the man page:
> > > Well, this information from the manpage authoritatively describes how the
> > > flag is meant to be used: if pam_chauthtok() is being called to request
> > > changing expired tokens, the flag is expected to be passed.

> That's not what it says:

> PAM_CHANGE_EXPIRED_AUTHTOK
> This argument indicates to the modules that the user's
> authentication token (password) should only be changed if it has
> expired. If this argument is not passed, the application requires
> that all authentication tokens are to be changed.

> I'm not a native speaker, but I parse it as “if it's passed, the password
> won't be changed if it has expired” and “if it's not passed, all the
> authentication tokens should be changed”. Nothing relevant to the
> superuser is given here, and nothing says the flag must be passed in order
> to change an expired password.

> So maybe it should be rephrased to more precisely describe what it does?

I don't think there's anything imprecise here. It says nothing about the
superuser because that's not part of the spec; it's a side effect of the
application misusing the API.

If an application is enforcing a password change policy on the user by
forcing expired passwords to be reset, you must be passing
PAM_CHANGE_EXPIRED_AUTHTOK. The application should not be calling
pam_chauthtok() *without* PAM_CHANGE_EXPIRED_AUTHTOK unless there's a
user-initiated request for changing the password. It's just wrong for the
application to insist all un-expired authentication tokens be changed just
because one authentication token is expired.

--
Steve Langasek
Debian Developer
Ubuntu Developer
<email address hidden> <email address hidden>

Give me a lever long enough and a Free OS to set it on, and I can move the world.
http://www.debian.org/
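As an added illustration of the call sequence Steve describes above (this is not code from the thread, from lightdm or from Linux-PAM): `chauthtok_flags()` encodes the rule that only a user-initiated change may ask for all tokens, while an expiry reported by pam_acct_mgmt() is renewed with PAM_CHANGE_EXPIRED_AUTHTOK. The constant values are Linux-PAM's; `login_session()` is a hypothetical greeter flow that is only compiled with `-DHAVE_PAM` and linked with `-lpam`.

```c
#include <stddef.h>
#ifdef HAVE_PAM
#include <security/pam_appl.h>
#else
/* Linux-PAM values, repeated so the policy function builds without the libpam headers. */
#define PAM_SUCCESS                0
#define PAM_NEW_AUTHTOK_REQD       12
#define PAM_CHANGE_EXPIRED_AUTHTOK 0x20
#endif
/* Why the application is considering a pam_chauthtok() call. */
enum chauthtok_reason {
    REASON_USER_REQUEST,  /* the user explicitly asked to change their password */
    REASON_ACCT_MGMT      /* decided from what pam_acct_mgmt() returned */
};

#define NO_CHAUTHTOK (-1)

/* Flags for pam_chauthtok(), or NO_CHAUTHTOK if it must not be called at all.
 * flags == 0 ("change all tokens") is reserved for a user-initiated request. */
int chauthtok_flags(enum chauthtok_reason reason, int acct_rc)
{
    if (reason == REASON_USER_REQUEST)
        return 0;
    if (acct_rc == PAM_NEW_AUTHTOK_REQD)
        return PAM_CHANGE_EXPIRED_AUTHTOK;  /* renew only the expired token */
    return NO_CHAUTHTOK;  /* nothing expired and nobody asked */
}

#ifdef HAVE_PAM
/* Hypothetical greeter login: authenticate, check the account, then renew an
 * expired password the way the pam_chauthtok(3) contract intends. */
int login_session(const char *service, const char *user,
                  const struct pam_conv *conv)
{
    pam_handle_t *pamh = NULL;
    int rc = pam_start(service, user, conv, &pamh);
    if (rc != PAM_SUCCESS)
        return rc;
    rc = pam_authenticate(pamh, 0);
    if (rc == PAM_SUCCESS) {
        rc = pam_acct_mgmt(pamh, 0);
        int flags = chauthtok_flags(REASON_ACCT_MGMT, rc);
        if (flags != NO_CHAUTHTOK)
            rc = pam_chauthtok(pamh, flags);  /* PAM_CHANGE_EXPIRED_AUTHTOK */
    }
    /* on PAM_SUCCESS the greeter would continue with pam_open_session(); omitted */
    pam_end(pamh, rc);
    return rc;
}
#endif
```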