RHEL-77159

PASS_MIN_DAYS (chage -m <day> root) doesn't work as intended for "root" user (If intended, this behaviour should be documented well in man-page)


    • Bug
    • Resolution: Won't Do
    • rhel-8.10, rhel-9.5
    • shadow-utils
    • Moderate
    • rhel-idm-sssd
    • ssg_idm
    • x86_64

      What were you trying to do that didn't work?

      PASS_MIN_DAYS in /etc/login.defs or 'chage -m <day> root' doesn't work as intended for the "root" user.

      If this behaviour is intended, then it should be properly documented in the man page.

      What is the impact of this issue to you?

      Unable to set the minimum number of days between password changes for the root user (to restrict frequent password changes for the root user).

      The man pages for 'chage' and login.defs don't talk about this behaviour:

      # man chage
             -m, --mindays MIN_DAYS
                 Set the minimum number of days between password changes to MIN_DAYS. A value of zero for this field indicates that
                 the user may change their password at any time.
       
      # man login.defs
             PASS_MIN_DAYS (number)
                 The minimum number of days allowed between password changes. Any password changes attempted sooner than this will be
                 rejected. If not specified, -1 will be assumed (which disables the restriction).
      

      Please provide the package NVR for which the bug is seen:

      shadow-utils-4.6-22.el8.x86_64.rpm

      shadow-utils-4.9-12.el9.x86_64.rpm

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Set MIN_DAYS for root user via 'chage'.
      2. Then try to change password for root user frequently: 
        [root@master ~]# chage -m 10 root
        [root@master ~]# chage -l root
        Last password change : Jan 30, 2025
        Password expires : never
        Password inactive : never
        Account expires : never
        Minimum number of days between password change : 10  <---
        Maximum number of days between password change : 99999
        Number of days of warning before password expires : 7
         
        [root@master ~]# passwd
        Changing password for user root.
        New password: 
        BAD PASSWORD: The password is a palindrome
        Retype new password: 
        passwd: all authentication tokens updated successfully.
         
        [root@master ~]# passwd
        Changing password for user root.
        New password: 
        BAD PASSWORD: The password is a palindrome
        Retype new password: 
        passwd: all authentication tokens updated successfully.
        
      3. For a normal local user, a WARNING is thrown & the password change is rejected:
        You must wait longer to change your password
        passwd: Authentication token manipulation error

      Expected results

      Either this issue should be fixed for the "root" account and the password change should be rejected,

      or it should be documented in the man page if this behaviour is expected.

      Actual results

      Even if MIN_DAYS is set, password change works every time without any restriction. 
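
A small audit helper for the behaviour reported above, added here as an example and not part of the original issue or of shadow-utils: it reads shadow(5)-format lines and reports whether the minimum-age field would currently block a password change, flagging root as unrestricted, as the reproduction shows. The function names, the sample accounts and identifying the superuser by the login name root are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue): audit the minimum-age field of
# shadow(5)-format lines read from stdin.
# Fields: 1=login, 3=last change (days since 1970-01-01), 4=minimum days.
# $1 = "today" as a day number; defaults to the current date.
min_age_report() {
    today=${1:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        $1 == "" || $1 ~ /^#/ { next }
        {
            user = $1; last = $3 + 0; min = $4 + 0
            if (min <= 0) {            # empty, 0 or -1: no restriction
                printf "%s: no minimum age set\n", user
            } else if (user == "root") {
                # Assumption: the superuser is identified by the login name root.
                printf "%s: min=%d set, but not enforced when root runs passwd\n", user, min
            } else if (today < last + min) {
                # This example treats a change as blocked until last + min days.
                printf "%s: min=%d, change blocked for %d more day(s)\n", user, min, last + min - today
            } else {
                printf "%s: min=%d, change allowed\n", user, min
            }
        }'
}

# Constructed sample entries; "*" stands in for the password hash.
# 20118 is Jan 30, 2025, the last-change date shown in the issue.
sample_shadow() {
    cat <<'EOF'
root:*:20118:10:99999:7:::
alice:*:20118:10:99999:7:::
bob:*:20118:0:99999:7:::
carol:*:20100:10:99999:7:::
EOF
}

# Evaluate the sample as of day 20121 (Feb 2, 2025).
sample_shadow | min_age_report 20121
```

On a live system, run it as root with the real file on stdin: `min_age_report < /etc/shadow`.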

              ipedrosa@redhat.com Iker Pedrosa
              rhn-support-asakure Akshay Sakure
              Iker Pedrosa Iker Pedrosa
              Anuj Borah Anuj Borah