Full_Name: Ryan Tandy
Version: 2.4
OS: Debian
URL:
Submission from: (NULL) (24.68.37.4)
If I write to the socket, un-base64ed:
AQAAACVOAAAGAAAAcnRhbmR5HAAAAHVpZD1ydGFuZHksZGM9ZXhhbXBsZSxkYz1jb20GAAAAcGFzc3dkAAAAAAQAAABhc2Rm
(pwmod action, uid 'rtandy', dn 'uid=rtandy,dc=example,dc=com', service 'passwd', opw '', npw 'asdf')
nssov will change rtandy's password, assuming ACLs permit userPassword mods by self.
Furthermore, if I set nssov-pwdmgr-dn to 'cn=pwdmgr,dc=example,dc=com' and then write to the socket, un-base64ed:
AQAAACVOAAAGAAAAcnRhbmR5GwAAAGNuPXB3ZG1ncixkYz1leGFtcGxlLGRjPWNvbQYAAABwYXNzd2QAAAAABAAAAGFzZGY=
(pwmod action, uid 'rtandy', dn 'cn=pwdmgr,dc=example,dc=com', service 'passwd', opw '', npw 'asdf')
then rtandy's password will be changed using pwdmgr privileges. IMO only root should be allowed to do this, not unprivileged users. (passwd(1) enforces the same rule.)
I also noticed that pwmod always bails out if no pwdmgr dn is configured, even if it shouldn't be needed (i.e. user changing own password).
The following patches solve these problems by requiring the old password to be supplied unless working as pwdmgr; by only allowing root to authc or pwmod as pwdmgr (adapted from nss-pam-ldapd); and by silently skipping the pwdmgr check if it's not configured.
ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-require-old-password-unless-pwdmgr.patch
ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-only-allow-root-to-become-pwdmgr.patch
ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-allow-user-pwmod-without-pwdmgr-configured.patch
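As an added illustration (not part of the report or of the patches), the Python below decodes the two socket requests quoted above using the nslcd wire layout they follow (little-endian int32 version, int32 action, then length-prefixed strings) and applies the policy the three patches describe. The caller's uid is assumed to be obtained separately, e.g. from the socket's peer credentials; that lookup is hypothetical here and not shown.

```python
import base64
import struct

# nslcd wire format as seen in both requests above: little-endian int32 version,
# int32 action, then each string as int32 length followed by its bytes.
NSLCD_VERSION = 1
NSLCD_ACTION_PAM_PWMOD = 0x00004E25  # action value carried by both requests above

# The two requests quoted in the report (self-service and pwdmgr variants).
SELF_REQ_B64 = "AQAAACVOAAAGAAAAcnRhbmR5HAAAAHVpZD1ydGFuZHksZGM9ZXhhbXBsZSxkYz1jb20GAAAAcGFzc3dkAAAAAAQAAABhc2Rm"
PWDMGR_REQ_B64 = "AQAAACVOAAAGAAAAcnRhbmR5GwAAAGNuPXB3ZG1ncixkYz1leGFtcGxlLGRjPWNvbQYAAABwYXNzd2QAAAAABAAAAGFzZGY="

def _read_int32(buf, pos):
    return struct.unpack_from("<i", buf, pos)[0], pos + 4

def _read_string(buf, pos):
    n, pos = _read_int32(buf, pos)
    if n < 0 or pos + n > len(buf):
        raise ValueError("string length runs past end of request")
    return buf[pos:pos + n].decode(), pos + n

def parse_pwmod_request(b64):
    """Decode a base64 pwmod request into its five string fields."""
    buf = base64.b64decode(b64)
    version, pos = _read_int32(buf, 0)
    action, pos = _read_int32(buf, pos)
    if version != NSLCD_VERSION or action != NSLCD_ACTION_PAM_PWMOD:
        raise ValueError("not a version-1 pwmod request")
    fields = {}
    for name in ("uid", "dn", "service", "old_password", "new_password"):
        fields[name], pos = _read_string(buf, pos)
    if pos != len(buf):
        raise ValueError("trailing bytes after request")
    return fields

def check_pwmod(req, caller_uid, pwdmgr_dn=None):
    """Policy from the report's patches. caller_uid is assumed to come from the
    socket peer credentials (hypothetical lookup, not shown). Returns (allowed, reason)."""
    as_pwdmgr = pwdmgr_dn is not None and req["dn"] == pwdmgr_dn
    if as_pwdmgr:
        if caller_uid != 0:
            return False, "only root may pwmod as pwdmgr"
        return True, "root acting as pwdmgr; old password not required"
    # No pwdmgr configured, or a self-service change: allowed, but the old
    # password must be supplied so the user can be authenticated first.
    if req["old_password"] == "":
        return False, "old password required unless acting as pwdmgr"
    return True, "self-service change with old password supplied"
```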