From 51a06bc8cc2278c6e81c9c08a9381c9eb0d2de96 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Tue, 12 Dec 2023 20:09:45 +0100
Subject: pam_unix: sync expiry checks with shadow

The shadow library uses "greater than or equal to" checks instead of
current "greater than" checks in pam_unix.

The account expiry check is already "greater than or equal to" so this
adjustment can even be argued without making references to other
projects.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
 modules/pam_unix/passverify.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'modules/pam_unix/passverify.c')

diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index d5155b4c..a842b70d 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -322,20 +322,20 @@ PAMH_ARG_DECL(int check_shadow_expiry,
 		if (spent->sp_inact >= 0) {
 			long inact = spent->sp_max < LONG_MAX - spent->sp_inact ?
 			    spent->sp_max + spent->sp_inact : LONG_MAX;
-			if (passed > inact) {
+			if (passed >= inact) {
 				*daysleft = subtract(inact, passed);
 				D(("authtok expired"));
 				return PAM_AUTHTOK_EXPIRED;
 			}
 		}
-		if (passed > spent->sp_max) {
+		if (passed >= spent->sp_max) {
 			D(("need a new password 2"));
 			return PAM_NEW_AUTHTOK_REQD;
 		}
 		if (spent->sp_warn >= 0) {
 			long warn = spent->sp_warn > spent->sp_max ? -1 :
 			    spent->sp_max - spent->sp_warn;
-			if (passed > warn) {
+			if (passed >= warn) {
 				*daysleft = subtract(spent->sp_max, passed);
 				D(("warn before expiry"));
 			}
-- 
cgit v1.2.3