Relevant BUGIDs:
authorTomas Mraz <tm@t8m.info>
Fri, 28 Nov 2008 12:48:43 +0000 (12:48 +0000)
committerTomas Mraz <tm@t8m.info>
Fri, 28 Nov 2008 12:48:43 +0000 (12:48 +0000)
Purpose of commit: bugfix

Commit summary:
---------------
2008-11-28  Tomas Mraz <t8m@centrum.cz>

        * modules/pam_unix/unix_update.c (set_password): Allow root to change
        passwords without verification of the old ones.

ChangeLog
modules/pam_unix/unix_update.c

index 7bffdbcfebcbef21214d433058addf19c463b6ee..dc4ef37fa30c983d4d3f1cfd8e658927926ccf40 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2008-11-28  Tomas Mraz <t8m@centrum.cz>
+
+       * modules/pam_unix/unix_update.c (set_password): Allow root to change
+       passwords without verification of the old ones.
+
 2008-11-25  Thorsten Kukuk  <kukuk@thkukuk.de>
 
        * modules/pam_pwhistory/opasswd.c (save_old_password): Fix typo.
        * doc/man/pam.conf-syntax.xml: Document the '-' at beginning
        of type.
 
-       * modules/pam_cracklib/pam_cracklib.c(pam_sm_chauthtok): Fix leaks
+       * modules/pam_cracklib/pam_cracklib.c (pam_sm_chauthtok): Fix leaks
        in error path.
-       * modules/pam_env/pam_env.c(_parse_env_file): Remove superfluous
+       * modules/pam_env/pam_env.c (_parse_env_file): Remove superfluous
        condition.
-       * modules/pam_group/pam_group.c(check_account): Fix leak
+       * modules/pam_group/pam_group.c (check_account): Fix leak
        in error path.
-       * modules/pam_listfile/pam_listfile.c(pam_sm_authenticate): Fix leak
+       * modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Fix leak
        in error path.
-       * modules/pam_securetty/pam_securetty.c(securetty_perform_check): Remove
+       * modules/pam_securetty/pam_securetty.c (securetty_perform_check): Remove
        superfluous condition.
-       * modules/pam_stress/pam_stress.c(stress_get_password,pam_sm_authenticate):
+       * modules/pam_stress/pam_stress.c (stress_get_password,pam_sm_authenticate):
        Remove superfluous conditions.
        (pam_sm_chauthtok): Fix mistaken && for &.
-       * modules/pam_unix/pam_unix_auth.c(pam_sm_authenticate): Remove
+       * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Remove
        superfluous condition.
        All the problems fixed in this commit were found by Steve Grubb.
 
index f54a59cee9138dc03aec38d5d8f87032ce7f503d..702912d0e095e9d0773ea0fb5ca5adeaa8477245 100644 (file)
@@ -71,11 +71,14 @@ set_password(const char *forwho, const char *shadow, const char *remember)
         goto done;
     }
 
-    /* does pass agree with the official one?
-       we always allow change from null pass */
-    retval = helper_verify_password(forwho, pass, 1);
-    if (retval != PAM_SUCCESS) {
-       goto done;
+    /* If real caller uid is not root we must verify that
+       received old pass agrees with the current one.
+       We always allow change from null pass. */
+    if (getuid()) {
+       retval = helper_verify_password(forwho, pass, 1);
+       if (retval != PAM_SUCCESS) {
+           goto done;
+       }
     }
 
     /* first, save old password */
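Review bot: The old-password check in set_password() is now skipped solely because `getuid()` returns 0, and nothing on that path records that verification was bypassed. Since this check is the only gate visible here on replacing another account's password, the comment should state the trust assumption, for example `/* Real uid 0 is trusted to reset any password; callers must not raise their real uid to 0 before exec'ing this helper on behalf of an unprivileged user. */`, and the test would read more clearly as `if (getuid() != 0) {`. A syslog or audit entry on the root path would let a later review tell administrative resets apart from verified changes. set_password() starts and ends outside the hunk, so it cannot be confirmed from here that `retval` already holds PAM_SUCCESS when the verification call is skipped.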