Ryan Tandy wrote:
On Mon, Mar 16, 2015 at 05:44:50PM +0000, hyc@symas.com wrote:
ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-require-old-password-unless-pwdmgr.patch
I think this patch is a bit off; it prevents root from supplying the old pwd. (Which it must do if changing its own.)
I don't follow, sorry. If root is the pwdmgr, then the current code already omits the old password, even if the request includes it, and passwd_extop() seems to be fine with that.
True.
And if root auths as a DN different from the pwdmgr DN, then it's a normal self-change and the old password is checked. Did I get some part of that wrong?
You could argue that we should always check the old password if provided, even when working as pwdmgr. I would agree with that. It's not what the current code does, though.
Right, I think if we're in here anyway we should fix that.
And on my systems at least, passwd running as root never asks for the current password, even when changing root's own password. (Of course that might be different elsewhere.)
Admittedly, it's been a long time since I've changed a root password, since I just use ssh keys most of the time.