From 585f6c06b2d3574935ed62c3084f2aadd6d1defb Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 28 May 2012 20:24:17 +0200 Subject: pam_pwhistory: Always record the old password even when root changes it. modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Use the UID of the process instead of the target user UID (same as in pam_cracklib) to check for root. Always record old password. --- modules/pam_pwhistory/pam_pwhistory.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) (limited to 'modules/pam_pwhistory/pam_pwhistory.c') diff --git a/modules/pam_pwhistory/pam_pwhistory.c b/modules/pam_pwhistory/pam_pwhistory.c index 4c582bc2..e9b28eb1 100644 --- a/modules/pam_pwhistory/pam_pwhistory.c +++ b/modules/pam_pwhistory/pam_pwhistory.c @@ -155,10 +155,6 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) if (pwd == NULL) return PAM_USER_UNKNOWN; - /* Ignore root if not enforced */ - if (pwd->pw_uid == 0 && !options.enforce_for_root) - return PAM_SUCCESS; - if ((strcmp(pwd->pw_passwd, "x") == 0) || ((pwd->pw_passwd[0] == '#') && (pwd->pw_passwd[1] == '#') && @@ -211,11 +207,18 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) if (check_old_pass (pamh, user, newpass, options.debug) != PAM_SUCCESS) { - pam_error (pamh, - _("Password has been already used. Choose another.")); - newpass = NULL; - /* Remove password item, else following module will use it */ - pam_set_item (pamh, PAM_AUTHTOK, (void *) NULL); + if (getuid() || options.enforce_for_root || + (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) + { + pam_error (pamh, + _("Password has been already used. Choose another.")); + newpass = NULL; + /* Remove password item, else following module will use it */ + pam_set_item (pamh, PAM_AUTHTOK, (void *) NULL); + } + else + pam_info (pamh, + _("Password has been already used.")); } } -- cgit v1.2.3