pam_cracklib: Add enforce_for_root option.
authorTomas Mraz <tmraz@fedoraproject.org>
Thu, 24 May 2012 11:40:24 +0000 (13:40 +0200)
committerTomas Mraz <tmraz@fedoraproject.org>
Thu, 24 May 2012 11:40:24 +0000 (13:40 +0200)
modules/pam_cracklib/pam_cracklib.c (_pam_parse): Recognize the enforce_for_root option.
(pam_sm_chauthtok): Enforce errors for root with the option.
modules/pam_cracklib/pam_cracklib.8.xml: Document the enforce_for_root option.

modules/pam_cracklib/pam_cracklib.8.xml
modules/pam_cracklib/pam_cracklib.c

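--- a/modules/pam_cracklib/pam_cracklib.8.xml
+++ b/modules/pam_cracklib/pam_cracklib.8.xml
           </listitem>
         </varlistentry>
 
+        <varlistentry>
+          <term>
+            <option>enforce_for_root</option>
+          </term>
+          <listitem>
+            <para>
+              The module will return error on failed check also if the user
+              changing the password is root. This option is off by default
+              which means that just the message about the failed check is
+              printed but root can change the password anyway.
+            </para>
+          </listitem>
+        </varlistentry>
+
         <varlistentry>
           <term>
             <option>use_authtok</option>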
index 96ee9954738de6d931281a20a18af4fe4f4ce09a..4c3030f5646584aea972230a9a9ffdc08631da05 100644 (file)
@@ -104,6 +104,7 @@ struct cracklib_options {
         int max_class_repeat;
        int reject_user;
         int gecos_check;
+        int enforce_for_root;
         const char *cracklib_dictpath;
 };
 
@@ -181,6 +182,8 @@ _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt,
                 opt->reject_user = 1;
         } else if (!strncmp(*argv,"gecoscheck",10)) {
                 opt->gecos_check = 1;
+        } else if (!strncmp(*argv,"enforce_for_root",16)) {
+                 opt->enforce_for_root = 1;
         } else if (!strncmp(*argv,"authtok_type",12)) {
           /* for pam_get_authtok, ignore */;
         } else if (!strncmp(*argv,"use_authtok",11)) {
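Review bot: The new `else if` branch matches by prefix, `strncmp(*argv,"enforce_for_root",16)`, so any argument that merely starts with `enforce_for_root` also switches the option on; since this flag carries no `=value` suffix, an exact `strcmp(*argv,"enforce_for_root") == 0` would be the stricter check, although the neighbouring `gecoscheck` and `reject_username` branches share the same looseness, so the line follows the file's existing style. The assignment `opt->enforce_for_root = 1` only yields "off by default", as the man page promises, if the caller zeroes the options struct before parsing, which this hunk does not show and is worth confirming. `_pam_parse` begins and ends outside this hunk.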
@@ -757,7 +760,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
            if (ctrl & PAM_DEBUG_ARG)
              pam_syslog(pamh,LOG_DEBUG,"bad password: %s",crack_msg);
            pam_error (pamh, _("BAD PASSWORD: %s"), crack_msg);
-           if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
+           if (getuid() || options.enforce_for_root || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
              {
                pam_set_item (pamh, PAM_AUTHTOK, NULL);
                retval = PAM_AUTHTOK_ERR;
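Review bot: The three-operand enforcement condition is now duplicated verbatim here and in the `_pam_unix_approve_pass` error path in the next hunk, so a future tweak to one site can silently miss the other; computing it once, e.g. `int enforce = getuid() || options.enforce_for_root || (flags & PAM_CHANGE_EXPIRED_AUTHTOK);`, and testing `enforce` at both sites would keep them in step. A one-line comment would also help readers, because `getuid()` here refers to the real uid of the process performing the change, not the account whose token is being set: `/* failed check is fatal for non-root callers, expired tokens, or when enforce_for_root is set */`. What happens when the condition is false (root without the option) is outside the hunk, as is the start and end of pam_sm_chauthtok.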
@@ -770,7 +773,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
          retval = _pam_unix_approve_pass (pamh, ctrl, &options,
                                           oldtoken, newtoken);
          if (retval != PAM_SUCCESS) {
-           if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
+           if (getuid() || options.enforce_for_root || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
              {
                pam_set_item(pamh, PAM_AUTHTOK, NULL);
                retval = PAM_AUTHTOK_ERR;