[PATCH] s4:pwsettings: Added validation.

Andrew Kroeger andrew at id10ts.net
Mon Sep 7 02:38:33 MDT 2009


Validate that each field is within its allowed range.  Also validate that the
maximum password age is greater than the minimum password length (if the maximum
password age is set).

I could not find these values documented anywhere in the WSPP docs.  I used the
values shown in the W2K8 GPMC, as it appears that the GPMC actually performs
the validation of values.
---
 source4/setup/pwsettings |   30 ++++++++++++++++++++++++++----
 1 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/source4/setup/pwsettings b/source4/setup/pwsettings
index bc65d2c..7206d71 100755
--- a/source4/setup/pwsettings
+++ b/source4/setup/pwsettings
@@ -125,6 +125,10 @@ elif args[0] == "set":
 		else:
 			pwd_hist_len = int(opts.history_length)
 
+		if pwd_hist_len < 0 or pwd_hist_len > 24:
+			print "ERROR: Password history length must be in the range of 0 to 24!"
+			sys.exit(1)
+
 		m["pwdHistoryLength"] = ldb.MessageElement(str(pwd_hist_len),
 		  ldb.FLAG_MOD_REPLACE, "pwdHistoryLength")
 		msgs.append("Password history length changed!")
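Review bot: The range check added after `pwd_hist_len = int(opts.history_length)` only covers values that already parsed as integers; a non-numeric argument would raise `ValueError` from `int()` and end in a traceback instead of the clean `ERROR:` exit used here. The same applies to the `int()` conversions in the other three hunks. Consider catching it at the conversion with `except ValueError:` followed by the same `print "ERROR: ..."` / `sys.exit(1)` pair, so every rejected value takes one path. The enclosing `if`/`else` starts outside the hunk, so whether the option parser already enforces an integer type cannot be seen from here.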
@@ -135,6 +139,10 @@ elif args[0] == "set":
 		else:
 			min_pwd_len = int(opts.min_pwd_length)
 
+		if min_pwd_len < 0 or min_pwd_len > 14:
+			print "ERROR: Minimum password length must be in the range of 0 to 14!"
+			sys.exit(1)
+
 		m["minPwdLength"] = ldb.MessageElement(str(min_pwd_len),
 		  ldb.FLAG_MOD_REPLACE, "minPwdLength")
 		msgs.append("Minimum password length changed!")
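Review bot: The upper bound of 14 on `min_pwd_len` is a policy ceiling, not just input sanitation: with this check the tool refuses any request to require passwords longer than 14 characters. The commit message says the limits come from the W2K8 GPMC rather than from protocol documentation, so it is unclear whether the `minPwdLength` attribute itself has that limit. I would record the origin next to the check, e.g. `# 0..14 is the range the W2K8 GPMC accepts; not a documented protocol limit`, and consider whether exceeding the upper bound should be a warning instead of a hard exit. The same applies to the 24, 998 and 999 limits in the other hunks.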
@@ -144,10 +152,15 @@ elif args[0] == "set":
 			min_pwd_age = 0
 		else:
 			min_pwd_age = int(opts.min_pwd_age)
+
+		if min_pwd_age < 0 or min_pwd_age > 998:
+			print "ERROR: Minimum password age must be in the range of 0 to 998!"
+			sys.exit(1)
+
 		# days -> ticks
-		min_pwd_age = -int(min_pwd_age * (24 * 60 * 60 * 1e7))
+		min_pwd_age_ticks = -int(min_pwd_age * (24 * 60 * 60 * 1e7))
 
-		m["minPwdAge"] = ldb.MessageElement(str(min_pwd_age),
+		m["minPwdAge"] = ldb.MessageElement(str(min_pwd_age_ticks),
 		  ldb.FLAG_MOD_REPLACE, "minPwdAge")
 		msgs.append("Minimum password age changed!")
 
@@ -156,13 +169,22 @@ elif args[0] == "set":
 			max_pwd_age = 43
 		else:
 			max_pwd_age = int(opts.max_pwd_age)
+
+		if max_pwd_age < 0 or max_pwd_age > 999:
+			print "ERROR: Maximum password age must be in the range of 0 to 999!"
+			sys.exit(1)
+
 		# days -> ticks
-		max_pwd_age = -int(max_pwd_age * (24 * 60 * 60 * 1e7))
+		max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7))
 
-		m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age),
+		m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age_ticks),
 		  ldb.FLAG_MOD_REPLACE, "maxPwdAge")
 		msgs.append("Maximum password age changed!")
 
+	if max_pwd_age > 0 and min_pwd_age >= max_pwd_age:
+		print "ERROR: Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age, min_pwd_age)
+		sys.exit(1)
+
 	samdb.modify(m)
 
 	msgs.append("All changes applied successfully!")
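Review bot: The cross-check `if max_pwd_age > 0 and min_pwd_age >= max_pwd_age:` sits at the outer indentation level, outside the blocks that parse the two age options, so it runs on every `set` and reads both names even when neither option was given. That relies on `min_pwd_age` and `max_pwd_age` already holding day values from code before this hunk, which is not visible here, although the rename to `*_ticks` suggests it is intended. If so, a directory whose stored ages are already inconsistent would make unrelated changes such as history length fail with this error. A comment such as `# both ages are in days here: parsed above or as currently stored` would make the dependency explicit, and guarding the check so it only runs when an age option was supplied would avoid the unrelated failure.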
-- 
1.6.0.6

