From 515546d1117ab89a3597176689273ce7734a77d3 Mon Sep 17 00:00:00 2001
From: Anton Gubarkov
Date: Fri, 15 Dec 2023 16:58:24 +0300
Subject: pam_exec: allow expose_authtok for password PAM_TYPE

Before this change, pam_exec allowed expose_authtok option to be specified for "auth" PAM_TYPE only.

* modules/pam_exec/pam_exec.c (call_exec): Allow expose_authtok to be specified for "password" PAM_TYPE.
* modules/pam_exec/pam_exec.8.xml: Document it.
---
 modules/pam_exec/pam_exec.8.xml | 4 ++--
 modules/pam_exec/pam_exec.c | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

(limited to 'modules/pam_exec')

diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml
index 13abe6e6..677d598a 100644
--- a/modules/pam_exec/pam_exec.8.xml
+++ b/modules/pam_exec/pam_exec.8.xml
@@ -103,7 +103,7 @@
- During authentication the calling command can read
+ During authentication and password change the calling command can read
 the password from stdin3 . Only first PAM_MAX_RESP_SIZE
@@ -313,4 +313,4 @@
-
\ No newline at end of file
+
diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c
index e79cb905..24c99a32 100644
--- a/modules/pam_exec/pam_exec.c
+++ b/modules/pam_exec/pam_exec.c
@@ -156,7 +156,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
 if (expose_authtok == 1)
 {
- if (strcmp (pam_type, "auth") != 0)
+ if (strcmp (pam_type, "auth") != 0 && strcmp (pam_type, "password") != 0)
 {
 pam_syslog (pamh, LOG_ERR, "expose_authtok not supported for type %s", pam_type);
--
cgit v1.2.3
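Review bot: The widened test in call_exec does not record which token the command reads on stdin for the "password" type, and for a credential handed to an external program that should be explicit at the point where it is allowed. The code that fetches the token is outside this hunk (call_exec and the `if (expose_authtok == 1)` block both continue past it); if it reads PAM_AUTHTOK as on the auth path, a password stack would pass the new password rather than the old one. Once that is confirmed against the fetch code, I would add a comment above the test, e.g. `/* "password": the token exposed is the new one (PAM_AUTHTOK); PAM_OLDAUTHTOK is not passed */`, and say the same in the man page sentence this commit edits. The rejection message `expose_authtok not supported for type %s` could also name the two accepted types, so an administrator reading syslog sees what is allowed.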