/*
- * This program is designed to run setuid(root) or with sufficient
- * privilege to read all of the unix password databases. It is designed
- * to provide a mechanism for the current user (defined by this
- * process' uid) to verify their own password.
+ * This program is designed to run with sufficient privilege
+ * to read and write all of the unix password databases.
+ * Its purpose is to allow updating the databases when
+ * SELinux confinement of the caller domain prevents them to
+ * do that themselves.
*
* The password is read from the standard input. The exit status of
- * this program indicates whether the user is authenticated or not.
+ * this program indicates whether the password was updated or not.
*
* Copyright information is located at the end of the file.
*
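Review bot: The new header text on the fourth added line reads "prevents them to do that themselves", which is not idiomatic English; it should be `* SELinux confinement of the caller domain prevents them from doing that themselves.` The rest of the rewritten paragraph is accurate to the program's new role as a privileged updater rather than a verifier, and the retained sentence "The password is read from the standard input" still holds for an update helper. The comment block continues past the end of this hunk.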
#include <signal.h>
#include <time.h>
#include <sys/time.h>
-#ifdef WITH_SELINUX
-#include <selinux/selinux.h>
-#define SELINUX_ENABLED (selinux_enabled!=-1 ? selinux_enabled : (selinux_enabled=is_selinux_enabled()>0))
-static int selinux_enabled=-1;
-#else
-#define SELINUX_ENABLED 0
-#endif
#include <security/_pam_types.h>
#include <security/_pam_macros.h>
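Review bot: This hunk drops the `SELINUX_ENABLED` macro and the `selinux_enabled` static along with the `<selinux/selinux.h>` include, but no replacement is visible here; if any remaining code in this file still references `SELINUX_ENABLED` (its users are outside this hunk), the `WITH_SELINUX` build now fails to compile. Presumably the SELinux check moved to the caller or to a shared helper, which should be stated in the commit description so the removal is traceable. If the helper still needs to know whether SELinux is enforcing, a one-line comment near the includes such as `/* SELinux state is evaluated by the caller; this helper only updates the databases */` would document the new division of responsibility.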
return PAM_AUTHTOK_LOCK_BUSY;
pwd = getpwnam(forwho);
-
+
if (pwd == NULL) {
retval = PAM_USER_UNKNOWN;
goto done;
}
- /* does pass agree with the official one?
+ /* does pass agree with the official one?
we always allow change from null pass */
retval = helper_verify_password(forwho, pass, 1);
if (retval != PAM_SUCCESS) {
if (geteuid() != 0) {
return PAM_CRED_INSUFFICIENT;
}
-
+
option = argv[2];
if (strcmp(option, "update") == 0) {