From nobody@FreeBSD.ORG  Wed Aug 30 16:27:57 2000
Return-Path: <nobody@FreeBSD.ORG>
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id 28E5737B443; Wed, 30 Aug 2000 16:27:57 -0700 (PDT)
Message-Id: <20000830232757.28E5737B443@hub.freebsd.org>
Date: Wed, 30 Aug 2000 16:27:57 -0700 (PDT)
From: wmd@clearLearning.com
Sender: nobody@FreeBSD.ORG
To: freebsd-gnats-submit@FreeBSD.org
Subject: ftpd doesn't honor account expiration time
X-Send-Pr-Version: www-1.0

>Number:         20952
>Category:       bin
>Synopsis:       ftpd doesn't honor account expiration time
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    des
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 30 16:30:01 PDT 2000
>Closed-Date:    Mon Jan 26 11:57:38 PST 2004
>Last-Modified:  Mon Jan 26 11:57:38 PST 2004
>Originator:     Malcolm Duncan
>Release:        4.0
>Organization:
ClearLearning
>Environment:
FreeBSD XXX.clearlearning.com 4.0-STABLE FreeBSD 4.0-STABLE #0: Wed Jul 19 15:11:19 EST 2000     root@XXX.clearlearning.com:/usr/src/sys/compile/CLEARLEARNING  i386

>Description:
If a login account has an expiration date associated with it and that date passes, ftpd still allows login.
>How-To-Repeat:
Change the expiration date on an account with pw(1) and you'll
still be able to login via FTP.
>Fix:
I would assume that FTPd should check the expiration date of an account as part of its security checks.

>Release-Note:
>Audit-Trail:

From: Dima Dorfman <dima@unixfreak.org>
To: wmd@clearLearning.com
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/20952: ftpd doesn't honor account expiration time
Date: Thu, 31 Aug 2000 03:06:03 -0700 (PDT)

 > >Description:
 > If a login account has an expiration date associated with it and
 > that date passes, ftpd still allows login.
 > >How-To-Repeat:
 > Change the expiration date on an account with pw(1) and you'll
 > still be able to login via FTP.
 > >Fix:
 > I would assume that FTPd should check the expiration date of an
 > account as part of its security checks.
 
 The problem occurs only when PAM authentication is used.  The ftpd
 assumes that PAM will check the account expire date for it.  In the
 pam_unix module, there's even a function, pam_sm_acct_mgmt(), that
 does it; however, I can't find if it's ever called.
 
 The patch below moves the expire date check to a place where it's run
 even if PAM said everything's okay.  I don't know if this is a bug in
 PAM or ftpd, but login(1) checks the expire date after PAM as well, so
 I'm assuming it's okay to do it this way.
 
 This patch was made against 4.1-STABLE as of 2000/08/29.  I don't know
 if it will apply cleanly against a 4.0 system.
 
 ~~~~ start diff
 Index: ftpd.c
 ===================================================================
 RCS file: /stage/cvs/FreeBSD/src/libexec/ftpd/ftpd.c,v
 retrieving revision 1.62.2.4
 diff -u -r1.62.2.4 ftpd.c
 --- ftpd.c	2000/08/17 12:33:12	1.62.2.4
 +++ ftpd.c	2000/08/31 09:47:19
 @@ -1194,10 +1194,13 @@
  		rval = strcmp(crypt(passwd, pw->pw_passwd), pw->pw_passwd);
  #endif
  		/* The strcmp does not catch null passwords! */
 -		if (*pw->pw_passwd == '\0' ||
 -		    (pw->pw_expire && time(NULL) >= pw->pw_expire))
 +		if (*pw->pw_passwd == '\0')
  			rval = 1;	/* failure */
  skip:
 +		/* PAM doesn't check if the account expired like it should. */
 +		if (pw->pw_expire && time(NULL) >= pw->pw_expire)
 +			rval = 1;	/* failure */
 +
  		/*
  		 * If rval == 1, the user failed the authentication check
  		 * above.  If rval == 0, either PAM or local authentication
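Review bot: the relocated check after `skip:` dereferences `pw->pw_expire` unconditionally, whereas the removed lines only touched `pw` inside the local-password branch, where `pw->pw_passwd` had already been read. If any `goto skip` outside this hunk can be reached with `pw == NULL` (an unknown user name, for instance), the new test becomes a NULL dereference in the daemon; writing it as `if (pw != NULL && pw->pw_expire && time(NULL) >= pw->pw_expire)` keeps it safe on every path. The added comment also states as fact that PAM fails to check expiry, while the covering message only says that `pam_sm_acct_mgmt()` exists and may never be called; the comment should say that the PAM account-management step is not known to run on this path, so the check is repeated here.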
 ~~~~ end diff
 
 Hope this helps
 
 --
 Dima Dorfman <dima@unixfreak.org>
 Finger dima@unixfreak.org for my public PGP key.
 
 "Love is the triumph of imagination over intelligence."
         -- Henry Louis Mencken
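A model of the control flow described in the message above, as an added example that is not code from the PR or from ftpd: it shows why an expiry test that lives only in the local-password branch fails open when PAM accepts the user, and how testing at the point where both paths meet closes the gap. `struct acct`, `acct_expired()`, `login_rval()` and its parameters are hypothetical, and the assumption that a PAM verdict jumps straight to the join point is inferred from the `skip:` label in the hunk.

```c
#include <stddef.h>
#include <time.h>

/* Constructed stand-in for the two struct passwd fields the check uses
 * (pw_expire is BSD-specific, so no system header is relied on). */
struct acct {
	const char *pw_passwd;	/* stored hash; "" means null password */
	time_t pw_expire;	/* 0 means the account never expires */
};

/* Hypothetical helper: nonzero if the account is expired at `now`. */
static int
acct_expired(const struct acct *pw, time_t now)
{
	return (pw != NULL && pw->pw_expire != 0 && now >= pw->pw_expire);
}

/*
 * Model of the login decision; returns 0 to allow, 1 to refuse (the rval
 * convention in the hunk).  pam_rval is the modelled PAM outcome: 0 accept,
 * 1 reject, -1 not used.  local_ok is the modelled password comparison.
 * check_at_join selects where the expiry test sits: 0 = only in the local
 * branch (before the patch), 1 = after the point where both paths meet.
 */
int
login_rval(const struct acct *pw, int pam_rval, int local_ok, time_t now,
    int check_at_join)
{
	int rval = 1;

	if (pw == NULL)
		goto join;		/* unknown user: stay refused */
	if (pam_rval >= 0) {
		rval = pam_rval;	/* PAM decided; local checks skipped */
		goto join;
	}
	rval = local_ok ? 0 : 1;
	if (*pw->pw_passwd == '\0' || (!check_at_join && acct_expired(pw, now)))
		rval = 1;
join:
	if (check_at_join && acct_expired(pw, now))
		rval = 1;		/* runs for PAM and local paths, NULL-safe */
	return (rval);
}
```
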
 

From: Volker Stolz <stolz@i2.informatik.rwth-aachen.de>
To: freebsd-gnats-submit@FreeBSD.org, wmd@clearLearning.com
Cc:  
Subject: Re: bin/20952: ftpd doesn't honor account expiration time
Date: Sat, 18 Aug 2001 20:01:01 +0200

 This is a cryptographically signed message in MIME format.
 
 --------------msC917F3BAA5C6D9802490F85A
 Content-Type: text/plain; charset=iso-8859-1
 Content-Transfer-Encoding: 8bit
 
 I submitted a patch for PAM account management in ftpd.c in bin/29850.
 -- 
 "I came out of it dead broke, without a house, without anything, except
 a girlfriend and a knowledge of Unix." "Well, thats something. Normally
 those two are mutually exclusive." N. Stephenson, "Cryptonomicon"
 --------------msC917F3BAA5C6D9802490F85A
 Content-Type: application/x-pkcs7-signature; name="smime.p7s"
 Content-Transfer-Encoding: base64
 Content-Disposition: attachment; filename="smime.p7s"
 Content-Description: S/MIME Cryptographic Signature
 
 --------------msC917F3BAA5C6D9802490F85A--
 
Responsible-Changed-From-To: freebsd-bugs->markm 
Responsible-Changed-By: dwmalone 
Responsible-Changed-When: Sat Aug 18 12:08:51 PDT 2001 
Responsible-Changed-Why:  
Seemingly this is a PAM related problem. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=20952 
State-Changed-From-To: open->feedback 
State-Changed-By: markm 
State-Changed-When: Mon Aug 27 03:53:33 PDT 2001 
State-Changed-Why:  
Fixed in 1.75 of ftpd.c for CURRENT. Please confirm that 
this works for you and I'll merge it to STABLE. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=20952 

From: =?iso-8859-2?Q?Pawe=B3_Ma=B3achowski?= <pawmal@unia.3lo.lublin.pl>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: markm@FreeBSD.org, wmd@clearLearning.com,
	freebsd-bugs@FreeBSD.org
Subject: bin/20952 (ftpd doesn't honor account expiration time) and bin/28311
Date: Tue, 19 Aug 2003 15:58:37 +0200

 This has been in feedback state since 2001. It looks like it was never
 MFC-ed, so it is still an issue on my 4.7 box.
 
 Also related to http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/28311.
 
 
 -- 
 Paweł Małachowski
Responsible-Changed-From-To: markm->des 
Responsible-Changed-By: markm 
Responsible-Changed-When: Wed Aug 20 03:15:57 PDT 2003 
Responsible-Changed-Why:  
Over to the PAM expert.

http://www.freebsd.org/cgi/query-pr.cgi?pr=20952 
State-Changed-From-To: feedback->suspended 
State-Changed-By: des 
State-Changed-When: Sat Sep 20 07:11:44 PDT 2003 
State-Changed-Why:  
Current state of the problem is not known. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20952 
State-Changed-From-To: suspended->open 
State-Changed-By: maxim 
State-Changed-When: Thu Sep 25 01:51:11 PDT 2003 
State-Changed-Why:  
The problem is not resolved yet (bin/57194). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20952 

From: Alan Batie <alan@batie.org>
To: freebsd-gnats-submit@FreeBSD.org, wmd@clearLearning.com
Cc:  
Subject: Re: bin/20952: ftpd doesn't honor account expiration time
Date: Thu, 25 Sep 2003 12:29:19 -0700

 This is a cryptographically signed message in MIME format.
 
 --------------ms030201060405060706000008
 Content-Type: text/plain; charset=us-ascii; format=flowed
 Content-Transfer-Encoding: 7bit
 
 The key part of the patch from 3 years ago (the check after the skip: 
 label) does seem to work in 4.7 with just cursory testing...
 
 --------------ms030201060405060706000008
 Content-Type: application/x-pkcs7-signature; name="smime.p7s"
 Content-Transfer-Encoding: base64
 Content-Disposition: attachment; filename="smime.p7s"
 Content-Description: S/MIME Cryptographic Signature
 
 --------------ms030201060405060706000008--
 
State-Changed-From-To: open->closed 
State-Changed-By: des 
State-Changed-When: Mon Jan 26 11:57:37 PST 2004 
State-Changed-Why:  
superseded by 35310 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20952 
>Unformatted:
