From 013abf64fded40efdd5533114b03e16916cd1314 Mon Sep 17 00:00:00 2001
From: Luke Shumaker
Date: Sat, 18 Jun 2016 02:09:56 -0400
Subject: PAM: more special cases

---
 go/parabola_hackers/nslcd_backend/db_pam.go | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/go/parabola_hackers/nslcd_backend/db_pam.go b/go/parabola_hackers/nslcd_backend/db_pam.go
index e20a63f..a0c390f 100644
--- a/go/parabola_hackers/nslcd_backend/db_pam.go
+++ b/go/parabola_hackers/nslcd_backend/db_pam.go
@@ -44,6 +44,14 @@ func hashPassword(newPassword p.String, oldHash p.String) p.String {
 return p.String(crypt.Crypt(string(newPassword), salt))
 }
 
+func dirExists(path string) bool {
+ stat, err := os.Stat(path)
+ if err != nil {
+ return false
+ }
+ return stat.IsDir()
+}
+
 func (o *Hackers) PAM_Authentication(cred s.Ucred, req p.Request_PAM_Authentication) <-chan p.PAM_Authentication {
 o.lock.RLock()
 ret := make(chan p.PAM_Authentication)
@@ -141,6 +149,12 @@ func (o *Hackers) PAM_PwMod(cred s.Ucred, req p.Request_PAM_PwMod) <-chan p.PAM_
 if req.AsRoot == 1 && cred.Uid == 0 {
 goto update
 }
+ // special hack: if the old password is not
+ // set, but the home directory exists, let the
+ // user set their password
+ if string(user.Passwd.PwHash) == "!" && dirExists(string(user.Passwd.HomeDir)) {
+ goto update
+ }
 if !checkPassword(req.OldPassword, user.Passwd.PwHash) {
 ret <- p.PAM_PwMod{
 Result: p.NSLCD_PAM_PERM_DENIED,
@@ -149,6 +163,13 @@ func (o *Hackers) PAM_PwMod(cred s.Ucred, req p.Request_PAM_PwMod) <-chan p.PAM_
 return
 }
 update:
+ if len(req.NewPassword) == 0 {
+ ret <- p.PAM_PwMod{
+ Result: p.NSLCD_PAM_PERM_DENIED,
+ Error: p.String("password cannot be empty"),
+ }
+ return
+ }
 // Update the PwHash in memory
 user.Passwd.PwHash = hashPassword(req.NewPassword, user.Passwd.PwHash)
 
-- 
cgit v1.2.2
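Review bot: dirExists has no doc comment, and two of its behaviours matter because the PAM_PwMod hunk in this same patch uses its result to decide whether the old-password check is skipped: `os.Stat` follows symlinks, and every Stat error (including permission or I/O errors) is reported as false. I would add `// dirExists reports whether path is a directory; symlinks are followed and any Stat error counts as false.` above the function. The patch adds no import line, so `os` has to be imported already in db_pam.go, which is not visible here.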
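Review bot: The added `goto update` branch in PAM_PwMod bypasses `checkPassword` without tying the request to the account owner: its condition reads only `user.Passwd.PwHash` and `user.Passwd.HomeDir` and never looks at `cred`. Unless code earlier in PAM_PwMod (the function starts and ends outside this hunk) already restricts who reaches this point, any peer of the daemon could set the first password on an account whose hash is `!`, and `!` is also the conventional marker for a locked account rather than only a never-set one. I would add a peer check to the condition, `cred.Uid == <account uid> &&` (the uid field of `user.Passwd` is not visible in this hunk), so only the account itself can take the branch. It is also worth logging when this branch is taken, so that password sets made without an old-password check can be audited.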