From 6c5d51c9b72b65eb380bbf01bdbb3594c1887253 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Thu, 22 Jun 2023 08:00:00 +0000 Subject: [PATCH] pam_passwdqc: extend enforce=users setting to support chpasswd Before this change, enforce=users was handled like enforce=everyone for all PAM services except passwd. Now, in addition to passwd, chpasswd is another PAM service for which enforce=users setting will enforce strong passwords for invocations by non-root users only. The reason why the effect of enforce=users is limited to these two services is that login services invoke the PAM stack as root, so if change of expired password is forced then with enforce=users and no service name check a non-root user would bypass password policy. Suggested-by: Solar Designer Resolves: https://github.com/openwall/passwdqc/issues/27 --- CHANGES | 3 +++ README | 6 ++++-- pam_passwdqc.c | 2 +- passwdqc.conf.5 | 10 +++++++++- 4 files changed, 17 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 293ff0d..91d295a 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,9 @@ Added pkg-config file. +Changed enforce=users to support "chpasswd" PAM service in addition to +traditionally supported "passwd". + Significant changes between 2.0.1 and 2.0.2. diff --git a/README b/README index be51a52..0561070 100644 --- a/README +++ b/README @@ -140,8 +140,10 @@ The "only" modifier can be used to disallow user-chosen passwords. enforce=none|users|everyone [enforce=everyone] The module can be configured to warn of weak passwords only, but not -actually enforce strong passwords. The "users" setting will enforce -strong passwords for invocations by non-root users only. +actually enforce strong passwords. The "users" setting is like +"everyone" for all PAM services except "chpasswd" and "passwd". +For these two PAM services "users" will enforce strong passwords +for invocations by non-root users only. non-unix [] diff --git a/pam_passwdqc.c b/pam_passwdqc.c index b421fa8..6be3d9e 100644 
--- a/pam_passwdqc.c +++ b/pam_passwdqc.c @@ -296,7 +296,7 @@ static int am_root(pam_handle_t *pamh) return 0; service = item; - return !strcmp(service, "passwd"); + return !strcmp(service, "passwd") || !strcmp(service, "chpasswd"); } PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, diff --git a/passwdqc.conf.5 b/passwdqc.conf.5 index 86b4511..5f65931 100644 --- a/passwdqc.conf.5 +++ b/passwdqc.conf.5 @@ -228,7 +228,15 @@ The PAM module can be configured to warn of weak passwords only, but not actually enforce strong passwords. The .Cm users -setting will enforce strong passwords for invocations by non-root users only. +setting is like +.Cm everyone +for all PAM services except +.Cm chpasswd +and +.Cm passwd . +For these two PAM services +.Cm users +will enforce strong passwords for invocations by non-root users only. .It Cm non-unix Normally, the PAM module uses .Xr getpwnam 3
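Review bot: the README hunk lists the two exempt services for "users" but gives the administrator no way to judge whether adding a third service name would be safe, since the reason the uid is trusted only for "chpasswd" and "passwd" stays in the commit message; suggest a closing sentence after "for invocations by non-root users only." along the lines of "Other (login-type) services invoke the PAM stack as root even when an ordinary user is changing an expired password, so the caller's uid is not meaningful there." so the user-facing documentation carries the rationale.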
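Review bot: the changed return in am_root() is now the only place that encodes the service allowlist, and a reader of the function alone cannot tell why a function named am_root() yields 0 for a real root caller under any service other than "passwd" or "chpasswd"; suggest a short comment above the return, e.g. `/* login-type services run the PAM stack as root on behalf of an ordinary user; only trust the uid for services that run as the user */`, so the reasoning from the commit message survives in the code. Note also that the match is an exact, case-sensitive strcmp(), so a chpasswd deployed under a differently named PAM service file is still treated as "everyone".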