Subject: bin/935: make su(1) pay attention to expired passwords
To: None <gnats-admin@NetBSD.ORG>
From: Simon J. Gerraty <sjg@zen.void.oz.au>
List: netbsd-bugs
Date: 04/02/1995 13:20:05
>Number:         935
>Category:       bin
>Synopsis:       su(1) must be aware of password age/expiry too.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Apr  2 13:20:02 1995
>Originator:     Simon J. Gerraty
>Organization:
Zen Programming...
>Release:        Mar27 -current
>Environment:
	
System: NetBSD zen.void.oz.au 1.0A NetBSD 1.0A (ZEN) #0: Wed Mar 29 22:56:59 EST 1995 root@zen.void.oz.au:/d2/current/src/sys/arch/i386/compile/ZEN i386

>Description:
	
Given that many systems do not allow root logins, having su enforce
password age/expiry too is necessary.

The following patch makes su(1) warn of password ageing and account
expiry. Only the super user may su to an expired account or one with
an expired password.

>How-To-Repeat:
	
>Fix:
	
*** su/su.c.~1~	Wed May 25 22:46:15 1994
--- su/su.c	Sun Apr  2 14:47:04 1995
***************
*** 51,56 ****
--- 51,57 ----
  #include <pwd.h>
  #include <grp.h>
  #include <string.h>
+ #include <tzfile.h>
  #include <unistd.h>
  #include <paths.h>
  
***************
*** 66,71 ****
--- 67,76 ----
  #define	ARGSTR	"-flm"
  #endif
  
+ #ifndef WARN_DAYS
+ # define WARN_DAYS 7				/* give 1 week warning */
+ #endif
+ 
  extern char *crypt();
  int chshell();
  
***************
*** 79,84 ****
--- 84,90 ----
  	register struct passwd *pwd;
  	register char *p, **g;
  	struct group *gr;
+ 	struct timeval tp;
  	uid_t ruid, getuid();
  	int asme, ch, asthem, fastlogin, prio;
  	enum { UNSET, YES, NO } iscsh = UNSET;
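Review bot: `tp` is declared without an initializer, and the only write to it (lines 80–81 of the later hunk) casts gettimeofday(2)'s return value to void, so if that call fails the `tp.tv_sec >= pwd->pw_change` and `tp.tv_sec >= pwd->pw_expire` comparisons read an indeterminate value and the expiry decision is made on garbage. For a privilege-granting check the failure should refuse rather than guess; something like `if (gettimeofday(&tp, (struct timezone *)NULL) < 0) { perror("gettimeofday"); exit(1); }` in place of the void cast keeps the check fail-closed. The enclosing function starts before this hunk and continues past it.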
***************
*** 269,274 ****
--- 275,307 ----
  	}
  			
  	*np = avshell;
+ 
+ 	if (pwd->pw_change || pwd->pw_expire)
+ 		(void)gettimeofday(&tp, (struct timezone *)NULL);
+ 	if (pwd->pw_change)
+ 		if (tp.tv_sec >= pwd->pw_change) {
+ 			(void)printf("%s -- %s's password has expired.\n",
+ 				     (ruid ? "Sorry" : "Note"),
+ 				     user);
+ 			if (ruid != 0)
+ 				exit(1);
+ 		} else if (pwd->pw_change - tp.tv_sec <
+ 		    WARN_DAYS * DAYSPERWEEK * SECSPERDAY)
+ 			(void)printf("Warning: %s's password expires on %s",
+ 				     user,
+ 				     ctime(&pwd->pw_change));
+ 	if (pwd->pw_expire)
+ 		if (tp.tv_sec >= pwd->pw_expire) {
+ 			(void)printf("%s -- %s's account has expired.\n",
+ 				     (ruid ? "Sorry" : "Note"),
+ 				     user);
+ 			if (ruid != 0)
+ 				exit(1);
+ 		} else if (pwd->pw_expire - tp.tv_sec <
+ 		    WARN_DAYS * DAYSPERWEEK * SECSPERDAY)
+ 			(void)printf("Warning: %s's account expires on %s",
+ 				     user,
+ 				     ctime(&pwd->pw_expire));
  
  	if (ruid != 0)
  		syslog(LOG_NOTICE|LOG_AUTH, "%s to %s%s",
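Review bot: The warning window on lines 90 and 102 is `WARN_DAYS * DAYSPERWEEK * SECSPERDAY`, which with the `WARN_DAYS 7` default from the earlier hunk (line 57, commented "give 1 week warning") comes to 49 days rather than one week; dropping the extra factor, `WARN_DAYS * SECSPERDAY`, matches both the macro's name and its comment. Separately, the two `exit(1)` paths taken for a non-root caller (lines 87–88 and 99–100) leave before the `syslog(LOG_NOTICE|LOG_AUTH, ...)` call at the end of the hunk, so a refused su to an expired account or password produces no log entry at all; a `syslog(LOG_AUTH|LOG_WARNING, "%s to %s refused: expired", ...)`-style line before each exit would keep the denial visible to whoever audits su activity. The refusal text itself goes to stdout via printf, where stderr would be the conventional stream for an error that ends the program. The enclosing function continues past this hunk.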
>Audit-Trail:
>Unformatted: