Arch Linux

Description:

The default PAM configuration for system-auth allows bypassing checks for password and account expiration.

In /etc/pam.d/system-auth, there are the following configuration lines for the account service type:

-account [success=1 default=ignore] pam_systemd_home.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so

which means that, for accounts that are managed by systemd-homed, the usual account checks enforced
by pam_unix.so are skipped.

The problem is, pam_systemd_home.so returns OK even for accounts _not_ managed by systemd-homed.
When logging in with such an account, pam_unix.so is systematically skipped from account
processing. The result is that no one ever checks password and account aging information,
allowing users with an expired password or account to login as long as the password is correct.

If this line:

-account [success=1 default=ignore] pam_systemd_home.so

is commented or moved after unix_pam.so, account checks against /etc/shadow aging info are
performed normally.

Additional info:
* package version(s)
pambase 20200721.1-2

* config and/or log files etc.
the default /etc/pam.d/system-auth stored in pambase

Steps to reproduce:

* create a test account and set its expiration date in the past:

useradd -e 2020-01-01 -m test
passwd test # Choose a password
chage -l test # Confirm that account expiration date is in the past

* switch to a VT and try to login with test. This should not be allowed, given the
account is expired, but works nonetheless.

* Now edit /etc/pam.d/system-auth and comment the offending line;

* switch to a VT and try to login with test. This time it fails as expected.