2 files changed, 10 insertions, 6 deletions

diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c
index 11ac3aac..5f872d27 100644
--- a/modules/pam_unix/unix_chkpwd.c
+++ b/modules/pam_unix/unix_chkpwd.c
@@ -101,7 +101,10 @@ int main(int argc, char *argv[])
 	  /* if the caller specifies the username, verify that user
 	     matches it */
 	  if (strcmp(user, argv[1])) {
-	    return PAM_AUTH_ERR;
+	    user = argv[1];
+	    /* no match -> permanently change to the real user and proceed */
+	    if (setuid(getuid()) != 0)
+		return PAM_AUTH_ERR;
 	  }
 	}
 
diff --git a/modules/pam_unix/unix_update.c b/modules/pam_unix/unix_update.c
index 595b7f8b..f54a59ce 100644
--- a/modules/pam_unix/unix_update.c
+++ b/modules/pam_unix/unix_update.c
@@ -1,11 +1,12 @@
 /*
- * This program is designed to run setuid(root) or with sufficient
- * privilege to read all of the unix password databases. It is designed
- * to provide a mechanism for the current user (defined by this
- * process' uid) to verify their own password.
+ * This program is designed to run with sufficient privilege
+ * to read and write all of the unix password databases.
+ * Its purpose is to allow updating the databases when
+ * SELinux confinement of the caller domain prevents them to
+ * do that themselves.
  *
  * The password is read from the standard input. The exit status of
- * this program indicates whether the user is authenticated or not.
+ * this program indicates whether the password was updated or not.
  *
  * Copyright information is located at the end of the file.
  *