From 374539da4c9e1b4ea5ca889771ce89b27b119f48 Mon Sep 17 00:00:00 2001
From: Luke Shumaker <lukeshu@sbcglobal.net>
Date: Fri, 17 Jun 2016 22:29:02 -0400
Subject: PAM: don't trust AsRoot

---
 go/parabola_hackers/nslcd_backend/db_pam.go | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

(limited to 'go')

diff --git a/go/parabola_hackers/nslcd_backend/db_pam.go b/go/parabola_hackers/nslcd_backend/db_pam.go
index 353fe5e..607c550 100644
--- a/go/parabola_hackers/nslcd_backend/db_pam.go
+++ b/go/parabola_hackers/nslcd_backend/db_pam.go
@@ -137,8 +137,9 @@ func (o *Hackers) PAM_PwMod(cred s.Ucred, req p.Request_PAM_PwMod) <-chan p.PAM_
 		user := o.users[uid]
 
 		// Check the OldPassword
-		switch req.AsRoot {
-		case 0: /* user password */
+		if req.AsRoot == 1 && cred.Uid == 0 {
+			// bypass the password check
+		} else {
 			if !checkPassword(req.OldPassword, user.Passwd.PwHash) {
 				ret <- p.PAM_PwMod{
 					Result: p.NSLCD_PAM_PERM_DENIED,
@@ -146,11 +147,6 @@ func (o *Hackers) PAM_PwMod(cred s.Ucred, req p.Request_PAM_PwMod) <-chan p.PAM_
 				}
 				return
 			}
-		case 1: /* root password */
-			// do nothing
-		default:
-			logger.Info("Invalid AsRoot value in PwMod request: %d", req.AsRoot)
-			return
 		}
 
 		// Update the PwHash in memory
-- 
cgit v1.2.2