Bugzilla – Bug 883
sudo on AIX not prompting for password change if one is expired with STD_AUTH type
Last modified: 2019-06-25 07:27:58 MDT
We have seen a limitation while using sudo on AIX. If the authentication method is STD_AUTH and the user's password has expired, sudo allows the user to complete the execution without prompting for a password change. In the case of PAM_AUTH, sudo does prompt for the password change if the password has expired.
Created attachment 525 [details]
proposed patch to allow password change if it is expired

Here are the different testing scenarios with the change.

-> when the sudo command executes without any password expiry

$ sudo cat /testfile
Password:
test
$

-> When the sudo command is launched and ctrl-c is pressed

$ sudo cat /testfile
Password:
$ echo $?
1

-> When the user's password has expired

$ sudo cat /testfile
Password:
[files]: 3004-610 You are required to change your password.
        Please choose a new one.
Changing password for "testsudo"
testsudo's Old password:
testsudo's New password:
Enter the new password again:
test
$

-> When ctrl-c is pressed in the middle of the password change

$ sudo cat /testfile
Password:
[files]: 3004-610 You are required to change your password.
        Please choose a new one.
Changing password for "testsudo"
testsudo's Old password:
3004-657 Terminating from signal.
$

-> When the old password or the new passwords are entered wrongly

$ sudo cat /testfile
Password:
[files]: 3004-610 You are required to change your password.
        Please choose a new one.
Changing password for "testsudo"
testsudo's Old password:
3004-604 Your entry does not match the old password.
Sorry, try again.
Password:
[compat]: 3004-300 You entered an invalid login name or password.
Sorry, try again.
Password:
Changing password for "testsudo"
testsudo's Old password:
testsudo's New password:
Enter the new password again:
test
$
Created attachment 526 [details]
make check results
I've committed a version of this as:
https://www.sudo.ws/repos/sudo/rev/b1def2572198

Since passwd(1) on AIX sets the ADMCHG flag we have to run it as the user. This means they need to re-enter the old password, unlike with su(1). It should be possible to clear the flag with pwdadm(8) but that's probably not worth the effort.

This change will be in sudo 1.8.28.
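As an added illustration of the approach in the comment above, here is a POSIX C sketch (not sudo's own code and not the committed patch) of running the password-change tool as the authenticating user and turning its exit status into an allow/deny decision, so that the ctrl-c and wrong-password scenarios from the attachment comment deny the command rather than let it through. The names run_passwd_as_user, pwchange_result and auth_continue_after_expiry are assumptions; the expired flag is passed in as a plain parameter because the AIX passwdexpired(3) call that would supply it is not exercised here.

```c
/* Added example (not sudo's code): run a password-change tool as the
 * authenticating user and classify its outcome.  Assumed names:
 * run_passwd_as_user, pwchange_result, auth_continue_after_expiry. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum pwchange_result {
    PWCHANGE_OK = 0,      /* tool exited 0: password was changed */
    PWCHANGE_FAILED,      /* tool exited non-zero: wrong old/new password etc. */
    PWCHANGE_INTERRUPTED, /* tool was killed by a signal, e.g. ctrl-c at a prompt */
    PWCHANGE_ERROR        /* fork/wait failed in the caller */
};

/* Fork and exec argv (argv[0] is the full path, e.g. /usr/bin/passwd) with
 * the child's identity switched to uid/gid.  Running the tool as the user
 * instead of root is what keeps an AIX passwd(1) run from being recorded as
 * an administrative change (the ADMCHG flag from the comment).  The identity
 * switch is skipped when it would be a no-op, so an unprivileged caller can
 * exercise the function with its own uid. */
enum pwchange_result run_passwd_as_user(char *const argv[], uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();

    if (pid == -1)
        return PWCHANGE_ERROR;

    if (pid == 0) {
        /* Child: group first, because setgid() is refused once uid != 0. */
        if (getgid() != gid && setgid(gid) == -1)
            _exit(127);
        if (getuid() != uid && setuid(uid) == -1)
            _exit(127);
        /* Restore default dispositions so an interrupted prompt really
         * terminates the tool and shows up below as PWCHANGE_INTERRUPTED. */
        signal(SIGINT, SIG_DFL);
        signal(SIGQUIT, SIG_DFL);
        signal(SIGTERM, SIG_DFL);
        execv(argv[0], argv);
        _exit(127); /* exec failed */
    }

    /* Parent: wait, restarting if our own wait is interrupted by a signal. */
    while (waitpid(pid, &status, 0) == -1) {
        if (errno != EINTR)
            return PWCHANGE_ERROR;
    }
    if (WIFSIGNALED(status))
        return PWCHANGE_INTERRUPTED;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return PWCHANGE_OK;
    return PWCHANGE_FAILED;
}

/* Fail-closed policy after the password itself has been verified: when the
 * password is flagged expired (on AIX this would come from passwdexpired(3);
 * here it is a parameter), the change must complete or the command is denied.
 * Returns 1 to allow, 0 to deny. */
int auth_continue_after_expiry(int expired, char *const passwd_argv[], uid_t uid, gid_t gid)
{
    if (!expired)
        return 1;
    return run_passwd_as_user(passwd_argv, uid, gid) == PWCHANGE_OK ? 1 : 0;
}

/* Stand-alone demo: ./demo /usr/bin/passwd <username> runs the tool as the
 * current user and reports the classified result. */
int main(int argc, char *argv[])
{
    static const char *names[] = { "ok", "failed", "interrupted", "error" };
    if (argc < 2) {
        fprintf(stderr, "usage: %s /path/to/passwd [args...]\n", argv[0]);
        return 2;
    }
    enum pwchange_result r = run_passwd_as_user(argv + 1, getuid(), getgid());
    printf("password change: %s\n", names[r]);
    return r == PWCHANGE_OK ? 0 : 1;
}
```

The two classifications that matter for the bug are the non-zero ones: a signal death (the "3004-657 Terminating from signal" case) and a non-zero exit both return a value other than PWCHANGE_OK, so auth_continue_after_expiry denies the command in either case and only a completed change lets it proceed.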
Thanks Todd for committing the changes!