From f65cb94d257c71b708bcaa270dd00cf26e8566c0 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@thkukuk.de>
Date: Tue, 6 Apr 2010 08:07:11 +0000
Subject: Relevant BUGIDs:

Purpose of commit: new feature

Commit summary:
---------------

2010-04-06  Thorsten Kukuk  <kukuk@thkukuk.de>

        * modules/pam_rootok/pam_rootok.c: Add support for acct_mgmt
        and chauthtok.
        * modules/pam_rootok/pam_rootok.8.xml: Document new module
        types.
---
 modules/pam_rootok/pam_rootok.8.xml |  3 ++-
 modules/pam_rootok/pam_rootok.c     | 51 +++++++++++++++++++++++++++++--------
 2 files changed, 42 insertions(+), 12 deletions(-)

(limited to 'modules/pam_rootok')

diff --git a/modules/pam_rootok/pam_rootok.8.xml b/modules/pam_rootok/pam_rootok.8.xml
index e2d2441f..6f44b845 100644
--- a/modules/pam_rootok/pam_rootok.8.xml
+++ b/modules/pam_rootok/pam_rootok.8.xml
@@ -57,7 +57,8 @@
   <refsect1 id="pam_rootok-types">
     <title>MODULE TYPES PROVIDED</title>
     <para>
-      Only the <option>auth</option> type is provided.
+      The <option>auth</option>, <option>acct</option> and
+      <option>password</option> module types are provided.
     </para>
   </refsect1>
 
diff --git a/modules/pam_rootok/pam_rootok.c b/modules/pam_rootok/pam_rootok.c
index c5f6bb55..8d368cee 100644
--- a/modules/pam_rootok/pam_rootok.c
+++ b/modules/pam_rootok/pam_rootok.c
@@ -55,16 +55,11 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv)
     return ctrl;
 }
 
-/* --- authentication management functions (only) --- */
-
-PAM_EXTERN int
-pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
-		     int argc, const char **argv)
+static int
+check_for_root (pam_handle_t *pamh, int ctrl)
 {
-    int ctrl;
     int retval = PAM_AUTH_ERR;
 
-    ctrl = _pam_parse(pamh, argc, argv);
     if (getuid() == 0)
 #ifdef WITH_SELINUX
       if (is_selinux_enabled()<1 || checkPasswdAccess(PASSWD__ROOTOK)==0)
@@ -72,13 +67,26 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
 	retval = PAM_SUCCESS;
 
     if (ctrl & PAM_DEBUG_ARG) {
-	pam_syslog(pamh, LOG_DEBUG, "authentication %s",
-		   (retval==PAM_SUCCESS) ? "succeeded" : "failed");
+       pam_syslog(pamh, LOG_DEBUG, "root check %s",
+	          (retval==PAM_SUCCESS) ? "succeeded" : "failed");
     }
 
     return retval;
 }
 
+/* --- management functions --- */
+
+PAM_EXTERN int
+pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
+		     int argc, const char **argv)
+{
+    int ctrl;
+
+    ctrl = _pam_parse(pamh, argc, argv);
+
+    return check_for_root (pamh, ctrl);
+}
+
 PAM_EXTERN int
 pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED,
 		int argc UNUSED, const char **argv UNUSED)
@@ -86,6 +94,27 @@ pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED,
     return PAM_SUCCESS;
 }
 
+PAM_EXTERN int
+pam_sm_acct_mgmt (pam_handle_t *pamh, int flags UNUSED,
+		  int argc, const char **argv)
+{
+    int ctrl;
+
+    ctrl = _pam_parse(pamh, argc, argv);
+
+    return check_for_root (pamh, ctrl);
+}
+
+PAM_EXTERN int
+pam_sm_chauthtok (pam_handle_t *pamh, int flags UNUSED,
+		  int argc, const char **argv)
+{
+    int ctrl;
+
+    ctrl = _pam_parse(pamh, argc, argv);
+
+    return check_for_root (pamh, ctrl);
+}
 
 #ifdef PAM_STATIC
 
@@ -95,10 +124,10 @@ struct pam_module _pam_rootok_modstruct = {
     "pam_rootok",
     pam_sm_authenticate,
     pam_sm_setcred,
+    pam_sm_acct_mgmt,
     NULL,
     NULL,
-    NULL,
-    NULL,
+    pam_sm_chauthtok,
 };
 
 #endif
-- 
cgit v1.2.3