Bug 67142

Summary: [nis] rpc.yppasswdd incorrectly throws errors about invalid shells with -s
Product: Base System Reporter: Russell Cloran <russell>
Component: binAssignee: Marcelo Araujo <araujo>
Status: Closed FIXED    
Severity: Affects Only Me CC: araujo, sysadmin
Priority: Normal    
Version: 5.1-RELEASE   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
file.diff none

Description Russell Cloran 2004-05-24 23:20:16 UTC 
The rpc.yppasswdd has an option to not allow shell changes (-s), but is
always passed a shell by the remote yppasswd. If an NIS client overrides the
shell provided by the ypserv, then yppasswd (pam_unix, actually, afaict)
will pass this new shell to the yppasswdd. If this shell has been set on the
client to a shell which is invalid on the server, a user will never be able
to change their password on the client.

It seems that the following thread on freebsd-questions is evidence of this problem:

http://www.freebsd.org/cgi/getmsg.cgi?fetch=1145286+1148268+/usr/local/www/db/text/2004/freebsd-questions/20040425.freebsd-questions

Fix: The following patch causes invalid shells not to be rejected if the shell is
not going to be changed anyways:
How-To-Repeat: With client passwd file containing something like

+:*:::::/sbin/nologin

and "/sbin/nologin" not in the server's /etc/shells, an attempt to use
passwd(1) causes the following error, as shown in the system logs:

May 24 14:53:39 shell rpc.yppasswdd[62598]: /sbin/nologin is not a valid shell
May 24 14:53:39 shell rpc.yppasswdd[62598]: rejecting change attempt: bad arguments
May 24 14:53:39 shell rpc.yppasswdd[62598]: client address: 10.0.0.2 username: russell

on the NIS client side, error output might look something like,

passwd: pam_chauthtok(): error in service module

and something like the following in the syslog,

May 25 00:05:19 server passwd: in pam_sm_chauthtok(): yppasswd_remote(): NIS password update failed: shell.rucus.ru.ac.za: RPC: Server can't decode arguments 

("server" is our NIS client)
Comment 1 Marcelo Araujo freebsd_committer freebsd_triage 2015-10-02 08:59:17 UTC 
Committed revision 288482.
Thank you for the patch.
Comment 2 commit-hook freebsd_committer freebsd_triage 2015-10-02 08:59:50 UTC 
A commit references this bug:

Author: araujo
Date: Fri Oct  2 08:58:51 UTC 2015
New revision: 288482
URL: https://svnweb.freebsd.org/changeset/base/288482

Log:
  The rpc.yppasswdd has an option to not allow shell changes (-s), but is
  always passed a shell by the remote yppasswd. If an NIS client overrides the
  shell provided by the ypserv, then yppasswd (pam_unix, actually, afaict)
  will pass this new shell to the yppasswdd. If this shell has been set on the
  client to a shell which is invalid on the server, a user will never be able
  to change their password on the client.

  PR:		67142
  Submitted by:	russell@rucus.ru.ac.za
  Approved by:	bapt (mentor)
  Sponsored by:	EuroBSDCon Sweden.

Changes:
  head/usr.sbin/rpc.yppasswdd/yppasswdd_server.c