tags 321384 fixed-in-experimental
thanks

The bug #321384 "su refuses to change an expired password for root"
has been fixed in the last upload of the shadow package *in experimental*.

Hence tagging it accordingly; we obviously forgot to document this in
the changelog entry.

To bug submitter, could you check the experimental version of the
shadow package?

Tomasz, the patch applied is attached to this mail. Could you have a
look at it and integrate it in 4.0.13?



-- 



Goal: If a password is expired, su should propose to change this password.
      This is important in systems without ssh, sudo and where root can't
      log in in console.
Fix: #321384

Status wrt upstream: proposed for 4.0.12

Note: When su is not compiled with PAM, there are no syslog messages.

Index: shadow-4.0.12/src/su.c
===================================================================
--- shadow-4.0.12.orig/src/su.c 2005-08-17 11:51:18.000000000 +0200
+++ shadow-4.0.12/src/su.c      2005-08-17 11:51:20.000000000 +0200
@@ -697,6 +697,16 @@
                if (amroot) {
                        fprintf (stderr, _("%s: %s\n(Ignored)\n"), Prog,
                                 pam_strerror (pamh, ret));
+               } else if (ret == PAM_NEW_AUTHTOK_REQD) {
+                       ret = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+                       if (ret != PAM_SUCCESS) {
+                               SYSLOG ((LOG_ERR, "pam_chauthtok: %s",
+                                        pam_strerror (pamh, ret)));
+                               fprintf (stderr, _("%s: %s\n"), Prog,
+                                        pam_strerror (pamh, ret));
+                               pam_end (pamh, ret);
+                               su_failure (tty);
+                       }
                } else {
                        SYSLOG ((LOG_ERR, "pam_acct_mgmt: %s",
                                 pam_strerror (pamh, ret)));
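Review bot: The new `PAM_NEW_AUTHTOK_REQD` branch logs only on failure, and that message ("pam_chauthtok: %s") does not say which account was involved. A password change forced through su is worth a log line in both outcomes. I would include the target account in the failure message, and add a `SYSLOG` entry when `pam_chauthtok` returns `PAM_SUCCESS`, so that the change of an expired password (root's in particular) can be traced later. A short comment on the success path, saying that execution deliberately falls through with the new token in place, would also help the next reader.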
@@ -745,10 +755,11 @@
                if (!spwd)
                        spwd = pwd_to_spwd (&pwent);
 
-               if (isexpired (&pwent, spwd)) {
-                       SYSLOG ((pwent.pw_uid ? LOG_WARN : LOG_CRIT,
-                                "Expired account %s", name));
-                       su_failure (tty);
+               if (expire (&pwent, spwd)) {
+                       struct passwd *pwd = getpwnam (name);
+                       spwd = getspnam (name);
+                       if (pwd)
+                               pwent = *pwd;
                }
        }
 
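Review bot: In the `if (expire (&pwent, spwd))` block, `spwd = getspnam (name)` is assigned without a NULL check, while the `getpwnam` result next to it is checked with `if (pwd)`. A failed lookup therefore overwrites the `spwd` that `pwd_to_spwd (&pwent)` had just guaranteed to be non-NULL. I would read the result into a temporary and keep the old value (or call `pwd_to_spwd` again) when it is NULL. Separately, the removed lines logged "Expired account %s" at `LOG_CRIT` for uid 0 and `LOG_WARN` otherwise, and the replacement logs nothing. The header note acknowledges this for non-PAM builds, but I would keep a syslog entry here so that an expired-password change through su is still recorded.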
