pam_passwdqc: extend enforce=users setting to support chpasswd

ldv-alt · solardiz · commit 6c5d51c9b72b · 2023-06-22T18:29:27.000+02:00
Before this change, enforce=users was handled like enforce=everyone for all PAM services except passwd. Now, in addition to passwd, chpasswd is another PAM service for which enforce=users setting will enforce strong passwords for invocations by non-root users only. The reason why the effect of enforce=users is limited to these two services is that login services invoke the PAM stack as root, so if change of expired password is forced then with enforce=users and no service name check a non-root user would bypass password policy. Suggested-by: Solar Designer <solar@openwall.com> Resolves: #27
diff --git a/CHANGES b/CHANGES
@@ -2,6 +2,9 @@
 
 Added pkg-config file.
 
+Changed enforce=users to support "chpasswd" PAM service in addition to
+traditionally supported "passwd".
+
 
 	Significant changes between 2.0.1 and 2.0.2.
 
diff --git a/README b/README
@@ -140,8 +140,10 @@ The "only" modifier can be used to disallow user-chosen passwords.
 	enforce=none|users|everyone	[enforce=everyone]
 
 The module can be configured to warn of weak passwords only, but not
-actually enforce strong passwords.  The "users" setting will enforce
-strong passwords for invocations by non-root users only.
+actually enforce strong passwords.  The "users" setting is like
+"everyone" for all PAM services except "chpasswd" and "passwd".
+For these two PAM services "users" will enforce strong passwords
+for invocations by non-root users only.
 
 	non-unix			[]
 
diff --git a/pam_passwdqc.c b/pam_passwdqc.c
@@ -296,7 +296,7 @@ static int am_root(pam_handle_t *pamh)
 		return 0;
 	service = item;
 
-	return !strcmp(service, "passwd");
+	return !strcmp(service, "passwd") || !strcmp(service, "chpasswd");
 }
 
 PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
diff --git a/passwdqc.conf.5 b/passwdqc.conf.5
@@ -228,7 +228,15 @@ The PAM module can be configured to warn of weak passwords only, but not
 actually enforce strong passwords.
 The
 .Cm users
-setting will enforce strong passwords for invocations by non-root users only.
+setting is like
+.Cm everyone
+for all PAM services except
+.Cm chpasswd
+and
+.Cm passwd .
+For these two PAM services
+.Cm users
+will enforce strong passwords for invocations by non-root users only.
 .It Cm non-unix
 Normally, the PAM module uses
 .Xr getpwnam 3

Original file line number	Diff line number	Diff line change
`@@ -296,7 +296,7 @@ static int am_root(pam_handle_t *pamh)`
`296`	`296`	`return 0;`
`297`	`297`	`service = item;`
`298`	`298`
`299`		`- return !strcmp(service, "passwd");`
	`299`	`+ return !strcmp(service, "passwd") \|\| !strcmp(service, "chpasswd");`
`300`	`300`	`}`
`301`	`301`
`302`	`302`	`PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,`