From ddf3ac65b547f331400d235e64a1dddce8d42155 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 24 May 2012 13:40:24 +0200
Subject: pam_cracklib: Add enforce_for_root option.

modules/pam_cracklib/pam_cracklib.c (_pam_parse): Recognize the enforce_for_root option.
(pam_sm_chauthtok): Enforce errors for root with the option.
modules/pam_cracklib/pam_cracklib.8.xml: Document the enforce_for_root option.
---
 modules/pam_cracklib/pam_cracklib.8.xml | 14 ++++++++++++++
 modules/pam_cracklib/pam_cracklib.c     |  7 +++++--
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/modules/pam_cracklib/pam_cracklib.8.xml b/modules/pam_cracklib/pam_cracklib.8.xml
index 5022c753..7c0ae700 100644
--- a/modules/pam_cracklib/pam_cracklib.8.xml
+++ b/modules/pam_cracklib/pam_cracklib.8.xml
@@ -387,6 +387,20 @@
           </listitem>
         </varlistentry>
 
+        <varlistentry>
+          <term>
+            <option>enforce_for_root</option>
+          </term>
+          <listitem>
+            <para>
+              The module will return error on failed check also if the user
+              changing the password is root. This option is off by default
+              which means that just the message about the failed check is
+              printed but root can change the password anyway.
+            </para>
+          </listitem>
+        </varlistentry>
+
         <varlistentry>
           <term>
             <option>use_authtok</option>
diff --git a/modules/pam_cracklib/pam_cracklib.c b/modules/pam_cracklib/pam_cracklib.c
index 96ee9954..4c3030f5 100644
--- a/modules/pam_cracklib/pam_cracklib.c
+++ b/modules/pam_cracklib/pam_cracklib.c
@@ -104,6 +104,7 @@ struct cracklib_options {
         int max_class_repeat;
 	int reject_user;
         int gecos_check;
+        int enforce_for_root;
         const char *cracklib_dictpath;
 };
 
@@ -181,6 +182,8 @@ _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt,
 		 opt->reject_user = 1;
 	 } else if (!strncmp(*argv,"gecoscheck",10)) {
 		 opt->gecos_check = 1;
+	 } else if (!strncmp(*argv,"enforce_for_root",16)) {
+		  opt->enforce_for_root = 1;
 	 } else if (!strncmp(*argv,"authtok_type",12)) {
 	   /* for pam_get_authtok, ignore */;
 	 } else if (!strncmp(*argv,"use_authtok",11)) {
@@ -757,7 +760,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
 	    if (ctrl & PAM_DEBUG_ARG)
 	      pam_syslog(pamh,LOG_DEBUG,"bad password: %s",crack_msg);
 	    pam_error (pamh, _("BAD PASSWORD: %s"), crack_msg);
-	    if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
+	    if (getuid() || options.enforce_for_root || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
 	      {
 		pam_set_item (pamh, PAM_AUTHTOK, NULL);
 		retval = PAM_AUTHTOK_ERR;
@@ -770,7 +773,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
 	  retval = _pam_unix_approve_pass (pamh, ctrl, &options,
 					   oldtoken, newtoken);
 	  if (retval != PAM_SUCCESS) {
-	    if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
+	    if (getuid() || options.enforce_for_root || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
 	      {
 		pam_set_item(pamh, PAM_AUTHTOK, NULL);
 		retval = PAM_AUTHTOK_ERR;
-- 
cgit v1.2.3