author | Tomas Mraz <tmraz@fedoraproject.org> | 2012-05-24 13:40:24 +0200 |
---|---|---|
committer | Tomas Mraz <tmraz@fedoraproject.org> | 2012-05-24 13:40:24 +0200 |
commit | ddf3ac65b547f331400d235e64a1dddce8d42155 (patch) | |
tree | ed0e5d58b34cf170b0640de8f9338bd3a9376fe7 /modules/pam_cracklib | |
parent | 422c19520fb814cfd8edd84d7989f4c52acbfa03 (diff) | |
download | pam-ddf3ac65b547f331400d235e64a1dddce8d42155.tar.gz pam-ddf3ac65b547f331400d235e64a1dddce8d42155.tar.bz2 pam-ddf3ac65b547f331400d235e64a1dddce8d42155.zip |
pam_cracklib: Add enforce_for_root option.
modules/pam_cracklib/pam_cracklib.c (_pam_parse): Recognize the enforce_for_root option.
(pam_sm_chauthtok): Enforce errors for root with the option.
modules/pam_cracklib/pam_cracklib.8.xml: Document the enforce_for_root option.
Diffstat (limited to 'modules/pam_cracklib')
-rw-r--r-- | modules/pam_cracklib/pam_cracklib.8.xml | 14 | ||||
-rw-r--r-- | modules/pam_cracklib/pam_cracklib.c | 7 |
2 files changed, 19 insertions, 2 deletions
diff --git a/modules/pam_cracklib/pam_cracklib.8.xml b/modules/pam_cracklib/pam_cracklib.8.xml
index 5022c753..7c0ae700 100644
--- a/modules/pam_cracklib/pam_cracklib.8.xml
+++ b/modules/pam_cracklib/pam_cracklib.8.xml
@@ -389,6 +389,20 @@
 <varlistentry>
 <term>
+ <option>enforce_for_root</option>
+ </term>
+ <listitem>
+ <para>
+ The module will return error on failed check also if the user
+ changing the password is root. This option is off by default
+ which means that just the message about the failed check is
+ printed but root can change the password anyway.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
 <option>use_authtok</option>
 </term>
 <listitem>
diff --git a/modules/pam_cracklib/pam_cracklib.c b/modules/pam_cracklib/pam_cracklib.c
index 96ee9954..4c3030f5 100644
--- a/modules/pam_cracklib/pam_cracklib.c
+++ b/modules/pam_cracklib/pam_cracklib.c
@@ -104,6 +104,7 @@ struct cracklib_options {
 int max_class_repeat;
 int reject_user;
 int gecos_check;
+ int enforce_for_root;
 const char *cracklib_dictpath;
 };
@@ -181,6 +182,8 @@ _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt,
 opt->reject_user = 1;
 } else if (!strncmp(*argv,"gecoscheck",10)) {
 opt->gecos_check = 1;
+ } else if (!strncmp(*argv,"enforce_for_root",16)) {
+ opt->enforce_for_root = 1;
 } else if (!strncmp(*argv,"authtok_type",12)) {
 /* for pam_get_authtok, ignore */;
 } else if (!strncmp(*argv,"use_authtok",11)) {
@@ -757,7 +760,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
 if (ctrl & PAM_DEBUG_ARG)
 pam_syslog(pamh,LOG_DEBUG,"bad password: %s",crack_msg);
 pam_error (pamh, _("BAD PASSWORD: %s"), crack_msg);
- if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
+ if (getuid() || options.enforce_for_root || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
 {
 pam_set_item (pamh, PAM_AUTHTOK, NULL);
 retval = PAM_AUTHTOK_ERR;
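Review bot: The rejection condition `getuid() || options.enforce_for_root || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)` is now written out twice in pam_sm_chauthtok, here in the @@ -757 hunk and again in the @@ -770 hunk, so any later change to the root-bypass policy has to be repeated at both sites; a small static helper called from both places would keep them aligned. Whether the option is genuinely off by default also depends on `options` being zeroed before `_pam_parse` runs, which is outside both hunks and worth confirming, since an uninitialized `enforce_for_root` would make the enforcement nondeterministic. In `_pam_parse` the `strncmp(*argv,"enforce_for_root",16)` test follows the file's existing prefix-match convention, so it equally accepts any argument that merely begins with the option name. pam_sm_chauthtok starts and ends outside the hunk.
```c
/* A failed check is fatal for non-root callers; for root it is fatal only
 * when enforce_for_root is set or the token has already expired. */
static int
reject_bad_password(const struct cracklib_options *opt, int flags)
{
    return getuid() != 0 || opt->enforce_for_root
        || (flags & PAM_CHANGE_EXPIRED_AUTHTOK);
}

/* … unchanged: pam_sm_chauthtok up to the "BAD PASSWORD" report … */
    if (reject_bad_password(&options, flags))
    {
        pam_set_item (pamh, PAM_AUTHTOK, NULL);
        retval = PAM_AUTHTOK_ERR;
```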
@@ -770,7 +773,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, retval = _pam_unix_approve_pass (pamh, ctrl, &options, oldtoken, newtoken); if (retval != PAM_SUCCESS) { - if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) + if (getuid() || options.enforce_for_root || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) { pam_set_item(pamh, PAM_AUTHTOK, NULL); retval = PAM_AUTHTOK_ERR; |