pam_passwdqc: extend enforce=users setting to support chpasswd

Before this change, enforce=users was handled like enforce=everyone for all PAM services except passwd. Now, in addition to passwd, chpasswd is another PAM service for which enforce=users setting will enforce strong passwords for invocations by non-root users only. The reason why the effect of enforce=users is limited to these two services is that login services invoke the PAM stack as root, so if change of expired password is forced then with enforce=users and no service name check a non-root user would bypass password policy. Suggested-by: Solar Designer <[email protected]> Resolves: #27
openwall · Jun 22, 2023 · 6c5d51c · 6c5d51c
1 parent 4d1742b
commit 6c5d51c
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 4 deletions.
diff --git a/CHANGES b/CHANGES
@@ -2,6 +2,9 @@
 
 Added pkg-config file.
 
+Changed enforce=users to support "chpasswd" PAM service in addition to
+traditionally supported "passwd".
+
 
 	Significant changes between 2.0.1 and 2.0.2.
 

diff --git a/README b/README
@@ -140,8 +140,10 @@ The "only" modifier can be used to disallow user-chosen passwords.
 	enforce=none|users|everyone	[enforce=everyone]
 
 The module can be configured to warn of weak passwords only, but not
-actually enforce strong passwords.  The "users" setting will enforce
-strong passwords for invocations by non-root users only.
+actually enforce strong passwords.  The "users" setting is like
+"everyone" for all PAM services except "chpasswd" and "passwd".
+For these two PAM services "users" will enforce strong passwords
+for invocations by non-root users only.
 
 	non-unix			[]
 

diff --git a/pam_passwdqc.c b/pam_passwdqc.c
@@ -296,7 +296,7 @@ static int am_root(pam_handle_t *pamh)
 		return 0;
 	service = item;
 
-	return !strcmp(service, "passwd");
+	return !strcmp(service, "passwd") || !strcmp(service, "chpasswd");
 }
 
 PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,

diff --git a/passwdqc.conf.5 b/passwdqc.conf.5
@@ -228,7 +228,15 @@ The PAM module can be configured to warn of weak passwords only, but not
 actually enforce strong passwords.
 The
 .Cm users
-setting will enforce strong passwords for invocations by non-root users only.
+setting is like
+.Cm everyone
+for all PAM services except
+.Cm chpasswd
+and
+.Cm passwd .
+For these two PAM services
+.Cm users
+will enforce strong passwords for invocations by non-root users only.
 .It Cm non-unix
 Normally, the PAM module uses
 .Xr getpwnam 3