Bug 20952

> >Description:
> If a login account has an expiration date associated with it and
> that date passes, ftpd still allows login.
> >How-To-Repeat:
> Change the expiration date on an account with pw(1) and you'll
> still be able to login via FTP.
> >Fix:
> I would assume that FTPd should check the expiration date of an
> account as part of its security checks.

The problem occurs only when PAM authentication is used.  The ftpd
assumes that PAM will check the account expire date for it.  In the
pam_unix module, there's even a function, pam_sm_acct_mgmt(), that
does it, however, I can't find if it's ever called.

The patch below moves the expire date check to a place where it's run
even if PAM said everything's okay.  I don't know if this is a bug in
PAM or ftpd, but login(1) checks the expire date after PAM as well, so
I'm assuming it's okay to do it this way.

This patch was made against 4.1-STABLE as of 2000/08/29.  I don't know
if it will apply cleanly against a 4.0 system.

~~~~ start diff
Index: ftpd.c
===================================================================
RCS file: /stage/cvs/FreeBSD/src/libexec/ftpd/ftpd.c,v
retrieving revision 1.62.2.4
diff -u -r1.62.2.4 ftpd.c
--- ftpd.c	2000/08/17 12:33:12	1.62.2.4
+++ ftpd.c	2000/08/31 09:47:19
@@ -1194,10 +1194,13 @@
 		rval = strcmp(crypt(passwd, pw->pw_passwd), pw->pw_passwd);
 #endif
 		/* The strcmp does not catch null passwords! */
-		if (*pw->pw_passwd == '\0' ||
-		    (pw->pw_expire && time(NULL) >= pw->pw_expire))
+		if (*pw->pw_passwd == '\0')
 			rval = 1;	/* failure */
 skip:
+		/* PAM doesn't check if the account expired like it should. */
+		if (pw->pw_expire && time(NULL) >= pw->pw_expire)
+			rval = 1;	/* failure */
+
 		/*
 		 * If rval == 1, the user failed the authentication check
 		 * above.  If rval == 0, either PAM or local authentication
~~~~ end diff

Hope this helps

--
Dima Dorfman <dima@unixfreak.org>
Finger dima@unixfreak.org for my public PGP key.

"Love is the triumph of imagination over intelligence."
        -- Henry Louis Mencken

I submitted a patch for PAM account management in ftpd.c in bin/29850.
-- 
"I came out of it dead broke, without a house, without anything, except
a girlfriend and a knowledge of Unix." "Well, that´s something. Normally
those two are mutually exclusive." N. Stephenson, "Cryptonomicon"

Comment 3 dwmalone 2001-08-18 20:08:51 UTC

Responsible Changed
From-To: freebsd-bugs->markm

Seemingly this is a PAM related problem.

Comment 4 Mark Murray 2001-08-27 11:53:33 UTC

State Changed
From-To: open->feedback

Fixed in 1.75 of ftpd.c for CURRENT. Please confirm that 
this works for you and I'll merge it to STABLE.

This is in feedback state since 2001. Looks it was never MFC-ed, so.
Still an issue on my 4.7 box.

Also related with http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/28311.


-- 
Pawe³ Ma³achowski

Comment 6 Mark Murray 2003-08-20 11:15:57 UTC

Responsible Changed
From-To: markm->des

Over to to the PAM expert.

Comment 7 Dag-Erling Smørgrav 2003-09-20 15:11:44 UTC

State Changed
From-To: feedback->suspended

Current state of the problem is not known.

Comment 8 Maxim Konovalov 2003-09-25 09:51:11 UTC

State Changed
From-To: suspended->open

The problem is not resolved yet (bin/57194).

The key part of the patch from 3 years ago (the check after the skip: 
label) does seem to work in 4.7 with just cursory testing...

Comment 10 Dag-Erling Smørgrav 2004-01-26 19:57:37 UTC

State Changed
From-To: open->closed

superseded by 35310