-rw-r--r--ChangeLog19
-rw-r--r--modules/pam_unix/unix_update.c13
2 files changed, 20 insertions, 12 deletions
diff --git a/ChangeLog b/ChangeLog
index 7bffdbcf..dc4ef37f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2008-11-28 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_unix/unix_update.c (set_password): Allow root to change
+ passwords without verification of the old ones.
+
2008-11-25 Thorsten Kukuk <kukuk@thkukuk.de>
* modules/pam_pwhistory/opasswd.c (save_old_password): Fix typo.
@@ -24,20 +29,20 @@
* doc/man/pam.conf-syntax.xml: Document the '-' at beginning
of type.
- * modules/pam_cracklib/pam_cracklib.c(pam_sm_chauthtok): Fix leaks
+ * modules/pam_cracklib/pam_cracklib.c (pam_sm_chauthtok): Fix leaks
in error path.
- * modules/pam_env/pam_env.c(_parse_env_file): Remove superfluous
+ * modules/pam_env/pam_env.c (_parse_env_file): Remove superfluous
condition.
- * modules/pam_group/pam_group.c(check_account): Fix leak
+ * modules/pam_group/pam_group.c (check_account): Fix leak
in error path.
- * modules/pam_listfile/pam_listfile.c(pam_sm_authenticate): Fix leak
+ * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Fix leak
in error path.
- * modules/pam_securetty/pam_securetty.c(securetty_perform_check): Remove
+ * modules/pam_securetty/pam_securetty.c (securetty_perform_check): Remove
superfluous condition.
- * modules/pam_stress/pam_stress.c(stress_get_password,pam_sm_authenticate):
+ * modules/pam_stress/pam_stress.c (stress_get_password,pam_sm_authenticate):
Remove superfluous conditions.
(pam_sm_chauthtok): Fix mistaken && for &.
- * modules/pam_unix/pam_unix_auth.c(pam_sm_authenticate): Remove
+ * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Remove
superfluous condition.
All the problems fixed in this commit were found by Steve Grubb.
diff --git a/modules/pam_unix/unix_update.c b/modules/pam_unix/unix_update.c
index f54a59ce..702912d0 100644
--- a/modules/pam_unix/unix_update.c
+++ b/modules/pam_unix/unix_update.c
@@ -71,11 +71,14 @@ set_password(const char *forwho, const char *shadow, const char *remember)
goto done;
}
- /* does pass agree with the official one?
- we always allow change from null pass */
- retval = helper_verify_password(forwho, pass, 1);
- if (retval != PAM_SUCCESS) {
- goto done;
+ /* If real caller uid is not root we must verify that
+ received old pass agrees with the current one.
+ We always allow change from null pass. */
+ if (getuid()) {
+ retval = helper_verify_password(forwho, pass, 1);
+ if (retval != PAM_SUCCESS) {
+ goto done;
+ }
}
/* first, save old password */
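Review bot: The new `if (getuid())` guard skips `helper_verify_password()` silently when the real uid is 0, so a password change made without proof of the old password leaves no record from this helper. I would add an `else` arm that logs the bypass, e.g. `else { syslog(LOG_NOTICE, "old password check skipped for %s: caller real uid is 0", forwho); }` (assuming `<syslog.h>` is already included in this file), and write the test as `if (getuid() != 0) {` so the privileged case is explicit. The real uid is now the only gate on this path, so the comment should also say that any process running with real uid 0 that can execute the helper is trusted to reset `forwho`'s password; whether a mandatory access control policy narrows that set cannot be seen from this hunk. The body of `set_password` starts and ends outside the hunk, so I cannot confirm what happens to `pass` afterwards on the root path.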