GNOME Bugzilla – Bug 795182
Enforce password strength check if and only if user is not an administrator
Last modified: 2021-06-09 16:34:01 UTC
In Fedora we have a requirement to enforce the password strength check in the user panel if and only if the user setting the password is not an administrator, i.e. admin users should always be allowed to set weak passwords. We were actually supposed to implement this over two years ago, but never did. Currently, the password strength check is always enforced. Do the control-center maintainers prefer to change this behavior upstream, or should we change it downstream just for Fedora? See bug #754213 for the gnome-initial-setup companion to this. And see bug #744735 for an earlier edition of this issue.
P.S. The reason we want to change this is that it's now possible to set passwords at install time that can never again be set in control-center. So if you change your password and decide you want to change it back, you might not be able to.
We should be consistent upstream, so if g-i-s revert those reverted patches to not enforce strong passwords, we should probably do the same here.

It should not be a problem to not enforce strong password when creating a new user account or changing a password for another user, because accountsservice is used for it... But still, there is the case when you want to change the password for yourself because passwd is used directly due to the audit trail thing:
https://gitlab.gnome.org/GNOME/gnome-control-center/blob/master/panels/user-accounts/um-password-dialog.c#L186
https://bugzilla.gnome.org/show_bug.cgi?id=744735#c8

To be honest, I am still not really sure that I understand what it means and whether it is still an issue currently. accountsservice uses usermod to change passwords currently, I wonder if it would help to just change that accountsservice code to use passwd instead. Or what is needed to be done here? Stef? Ray?
(In reply to Ondrej Holy from comment #2)
> We should be consistent upstream, so if g-i-s revert those reverted patches
> to not enforce strong passwords, we should probably do the same here. It
> should not be a problem to not enforce strong password when creating a new
> user account or changing a password for another user, because
> accountsservice is used for it...

But there is a subtlety. For Fedora, we *do* have to enforce the password strength check when an unprivileged user is changing his or her own password.

> To be honest, I am still not really sure that I understand what it means and
> whether it is still an issue currently. accountsservice uses usermod to
> change passwords currently, I wonder if it would help to just change that
> accountsservice code to use passwd instead. Or what is needed to be done
> here? Stef? Ray?

FWIW I remember suggesting exactly this a long time ago. Sounds good to me.
(In reply to Michael Catanzaro from comment #3)
> But there is a subtlety. For Fedora, we *do* have to enforce the password
> strength check when an unprivileged user is changing his or her own password.

(This is a case that g-i-s does not have to worry about, because g-i-s always creates privileged administrator accounts.)
(In reply to Michael Catanzaro from comment #3)
> But there is a subtlety. For Fedora, we *do* have to enforce the password
> strength check when an unprivileged user is changing his or her own password.

There is another subtlety. Consider a case that is common on openSUSE: the system has one unprivileged (non-administrator) user account and a root password. In this case, the user probably knows the root password and could bypass the password strength check if the user first unlocks the panel before attempting to change his or her password. However, unlocking the panel is not required to change the password. So the required behavior would be different depending on whether the panel is unlocked first. (Unlocking the panel would allow avoiding the password strength check.)

I think we can simply ignore this case, because that is not really how GNOME is intended to be configured, but it seems worth pointing out since it is a bit weird.
Sorry for commenting four times in a row. I'm bad at Bugzilla.

(In reply to Michael Catanzaro from comment #3)
> FWIW I remember suggesting exactly this a long time ago. Sounds good to me.

And now I remember why not to do this: it makes the operation fallible. Currently accountsservice bypasses PAM altogether by using usermod. If it were to use passwd instead, the operation would go through PAM and could fail due to system security policy. And since the libaccountsservice API ignores errors, and there would be no way to indicate to the user what is going wrong... that would probably be problematic.
But the problem is that even if the user is an administrator, passwd is needed when changing his password and it still requires strong passwords if it is not spawned under root and I don't think we want to do it in g-c-c...

Btw the patches from the following bug would probably help:
https://bugs.freedesktop.org/show_bug.cgi?id=51833
(In reply to Ondrej Holy from comment #7)
> But the problem is that even if the user is an administrator, passwd is
> needed when changing his password and it still requires strong passwords if
> it is not spawned under root and I don't think we want to do it in g-c-c...

Good point.
GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org. As part of that, we are mass-closing older open tickets in bugzilla.gnome.org which have not seen updates for a longer time (resources are unfortunately quite limited so not every ticket can get handled). If you can still reproduce the situation described in this ticket in a recent and supported software version, then please follow https://wiki.gnome.org/GettingInTouch/BugReportingGuidelines and create a new bug report at https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues/ Thank you for your understanding and your help.