Bug 883

Summary: sudo on AIX not prompting for password change if one is expired with STD_AUTH type
Product: Sudo
Reporter: sangamesh <sangamesh.swamy>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: normal
Priority: low
Version: 1.8.27
Hardware: IBM
OS: AIX
Attachments:
  proposed patch to allow password change if it is expired
  make check results

Description sangamesh 2019-05-24 09:13:37 MDT
We have seen a limitation while using sudo on AIX.

If the authentication method is STD_AUTH and the user's password has expired, sudo allows users to complete the execution without prompting for a password change.
In the case of PAM_AUTH, sudo does prompt for a password change if one is expired.
Comment 1 sangamesh 2019-05-24 09:20:10 MDT
Created attachment 525 [details]
proposed patch to allow password change if it is expired

Here are the different testing scenarios with the change.

-> When the sudo command executes without any password expiry

   $ sudo cat /testfile
   Password: 
   test
   $ 


-> When the sudo command is launched and ctrl-c is pressed

   $ sudo cat /testfile
   Password: 
   $ echo $?
   1

-> When the user's password has expired.

   $ sudo cat /testfile
   Password: 
   [files]: 3004-610 You are required to change your password.
           Please choose a new one.
   Changing password for "testsudo"
   testsudo's Old password: 
   testsudo's New password: 
   Enter the new password again:
   test
   $ 

-> When ctrl-c is pressed in the middle of the password change.

    $ sudo cat /testfile
    Password: 
    [files]: 3004-610 You are required to change your password.
            Please choose a new one.
    Changing password for "testsudo"
    testsudo's Old password: 
    3004-657 Terminating from signal.
    $ 


-> When the old password or the new passwords are entered wrongly.

    $ sudo cat /testfile
    Password: 
    [files]: 3004-610 You are required to change your password.
            Please choose a new one.
    Changing password for "testsudo"
    testsudo's Old password: 
    3004-604 Your entry does not match the old password.
    Sorry, try again.
    Password: 
    [compat]: 3004-300 You entered an invalid login name or password.

    Sorry, try again.
    Password: 
    Changing password for "testsudo"
    testsudo's Old password: 
    testsudo's New password: 
    Enter the new password again:
    test
    $
Comment 2 sangamesh 2019-05-24 09:22:30 MDT
Created attachment 526 [details]
make check results
Comment 3 Todd C. Miller 2019-05-27 08:54:26 MDT
I've committed a version of this as:
https://www.sudo.ws/repos/sudo/rev/b1def2572198

Since passwd(1) on AIX sets the ADMCHG flag we have to run it as the user.  This means they need to re-enter the old password, unlike with su(1).  It should be possible to clear the flag with pwdadm(8) but that's probably not worth the effort.

This change will be in sudo 1.8.28.
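An added example, not part of this bug report and not sudo's own code, showing the pattern the comment above relies on: fork, drop to the invoking user's uid and gid in the child, exec the password-change program, and map the child's exit status (including termination by a signal such as ctrl-c) back to a result the caller can act on. The AIX-specific detail that passwd(1) sets ADMCHG when run by root is taken from the comment and is not checked here; the result enum, the helper names and the use of /bin/sh snippets as a stand-in for the real password program are this example's assumptions, chosen so it runs on any POSIX system without privileges.

```c
/*
 * Added example, not sudo's code: run a password-change program as the
 * invoking user (not as root) and map the outcome to a result the caller
 * can act on.  The thread above notes that passwd(1) on AIX sets ADMCHG
 * when run by root, which is why the credentials must be dropped first.
 *
 * Portable POSIX C.  Build: cc -std=c99 -o runaspw runaspw.c
 */
#include <sys/types.h>
#include <sys/wait.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Outcome of the helper run (names are this example's, not sudo's). */
enum pwchange_result {
    PWCHANGE_OK = 0,        /* helper exited 0: password changed */
    PWCHANGE_FAILED,        /* helper exited non-zero: e.g. bad old password */
    PWCHANGE_INTERRUPTED,   /* helper killed by a signal, e.g. ctrl-c */
    PWCHANGE_ERROR          /* fork/setuid/exec failure on our side */
};

/*
 * Fork, drop to uid/gid, then exec argv[0].  Privileges are dropped in
 * the child, before exec, so the helper never runs with the parent's
 * (possibly root) credentials.  The parent waits and classifies the exit.
 */
enum pwchange_result run_as_user(uid_t uid, gid_t gid, char *const argv[])
{
    pid_t pid = fork();
    if (pid == -1)
        return PWCHANGE_ERROR;

    if (pid == 0) {
        /* Child.  Group first: once the uid is dropped, setgid() would fail. */
        if (setgid(gid) != 0 || setuid(uid) != 0)
            _exit(127);
        /* Refuse to continue if we are still privileged when we should not be. */
        if (uid != 0 && (getuid() != uid || geteuid() != uid))
            _exit(127);
        execv(argv[0], argv);
        _exit(127);             /* exec failed */
    }

    int status;
    while (waitpid(pid, &status, 0) != pid) {
        if (errno != EINTR)
            return PWCHANGE_ERROR;
    }
    if (WIFSIGNALED(status))
        return PWCHANGE_INTERRUPTED;   /* cf. "3004-657 Terminating from signal." */
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return PWCHANGE_ERROR;
    return WEXITSTATUS(status) == 0 ? PWCHANGE_OK : PWCHANGE_FAILED;
}

/*
 * Convenience wrapper used by the demo: run a shell snippet as the
 * current (unprivileged) user.  It stands in for the real helper, which
 * on AIX would be passwd(1) invoked for the target user.
 */
enum pwchange_result run_shell_as_self(const char *script)
{
    char *argv[] = { "/bin/sh", "-c", (char *)script, NULL };
    return run_as_user(getuid(), getgid(), argv);
}

int main(void)
{
    static const char *labels[] = { "ok", "failed", "interrupted", "error" };
    /* Constructed stand-ins for the scenarios listed in the bug report. */
    const char *cases[] = {
        "exit 0",           /* password changed */
        "exit 1",           /* wrong old or new password */
        "kill -KILL $$",    /* user hit ctrl-c in the middle of the change */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-16s -> %s\n", cases[i], labels[run_shell_as_self(cases[i])]);
    return 0;
}
```

The order of the drops matters: setgid() must come before setuid(), because after the uid is dropped the process can no longer change its group. Checking getuid() and geteuid() after the drop guards against a silently failed setuid(), which would otherwise run the helper as root, exactly the case the comment above says produces the ADMCHG flag on AIX.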
Comment 4 sangamesh 2019-06-25 07:27:58 MDT
Thanks Todd for committing the changes!