- bugfixes/safe features from FC

[packages/pam.git] / pam-cracklib-enforce.patch

diff -urN -x .libs -x .deps Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/README Linux-PAM-0.99.7.1/modules/pam_cracklib/README
--- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/README	2006-08-24 13:26:55.000000000 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_cracklib/README	2007-02-04 20:18:11.098999356 +0100
@@ -162,6 +162,12 @@
 
     Path to the cracklib dictionaries.
 
+enforce=[none|users|all]
+
+    The module can be configured to warn of weak passwords only, but not
+    actually enforce strong passwords. The default, none, setting will enforce
+    strong passwords for non-root users only.
+
 EXAMPLES
 
 For an example of the use of this module, we show how it may be stacked with
diff -urN Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8 Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8
--- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8	2006-08-24 12:04:29.000000000 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8	2007-02-04 19:59:32.105794691 +0100
@@ -167,6 +198,12 @@
 .RS 4
 Path to the cracklib dictionaries.
 .RE
+.PP
+\fBenforce=[\fR\fB\fInone\fR\fR\fB|\fR\fB\fIusers\fR\fR\fB|\fR\fB\fIall\fR\fR\fB]\fR
+.RS 4
+The module can be configured to warn of weak passwords only, but not actually enforce strong passwords. The default,
+\fInone\fR, setting will enforce strong passwords for non\-root users only.
+.RE
 .SH "MODULE SERVICES PROVIDED"
 .PP
 Only he
diff -urN Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8.xml Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8.xml
--- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8.xml	2006-08-24 12:04:29.000000000 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8.xml	2007-02-04 19:53:15.748347303 +0100
@@ -354,6 +354,20 @@
           </listitem>
         </varlistentry>
 
+        <varlistentry>
+          <term>
+	    <option>enforce=[<replaceable>none</replaceable>|<replaceable>users</replaceable>|<replaceable>all</replaceable>]</option>
+          </term>
+          <listitem>
+            <para>
+	      The module can be configured to warn of weak passwords
+	      only, but not actually enforce strong passwords.  The
+	      default, <replaceable>none</replaceable>, setting will
+	      enforce strong passwords for non-root users only.
+            </para>
+          </listitem>
+        </varlistentry>
+
       </variablelist>
     </para>
   </refsect1>
diff -urN Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.c Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.c
--- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.c	2006-11-07 12:00:24.000000000 +0100
+++ Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.c	2007-02-04 19:59:27.217516126 +0100
@@ -93,6 +93,7 @@
         int min_class;
 	int use_authtok;
 	int try_first_pass;
+	int enforce;
 	char prompt_type[BUFSIZ];
         char cracklib_dictpath[PATH_MAX];
 };
@@ -108,6 +109,10 @@
 #define CO_OTH_CREDIT   1
 #define CO_USE_AUTHTOK  0
 
+#define ENFORCE_NONE	0
+#define ENFORCE_USERS	1
+#define ENFORCE_ALL	2
+
 static int
 _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt,
             int argc, const char **argv)
@@ -161,6 +166,15 @@
 	 } else if (!strncmp(*argv,"dictpath=",9)) {
 	     strncpy(opt->cracklib_dictpath, *argv+9,
 		     sizeof(opt->cracklib_dictpath) - 1);
+	 } else if (!strncmp(*argv,"enforce=",8)) {
+	 	if (!strncmp(*argv+8,"none",4))
+			opt->enforce = ENFORCE_NONE;
+		else if (!strncmp(*argv+8,"users",5))
+			opt->enforce = ENFORCE_USERS;
+		else if (!strncmp(*argv+8,"all",8))
+			opt->enforce = ENFORCE_ALL;
+		else if (!strncmp(*argv+8,"everyone",8)) // compatibility
+			opt->enforce = ENFORCE_ALL;
 	 } else {
 	     pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv);
 	 }
@@ -512,6 +526,7 @@
     options.low_credit = CO_LOW_CREDIT;
     options.oth_credit = CO_OTH_CREDIT;
     options.use_authtok = CO_USE_AUTHTOK;
+    options.enforce = ENFORCE_USERS;
     memset(options.prompt_type, 0, BUFSIZ);
     strcpy(options.prompt_type,"UNIX");
     memset(options.cracklib_dictpath, 0,
@@ -613,10 +628,21 @@
                 if (ctrl & PAM_DEBUG_ARG)
                     pam_syslog(pamh,LOG_DEBUG,"bad password: %s",crack_msg);
                 pam_error(pamh, _("BAD PASSWORD: %s"), crack_msg);
-                if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
+                if (flags & PAM_CHANGE_EXPIRED_AUTHTOK)
                     retval = PAM_AUTHTOK_ERR;
-                else
-                    retval = PAM_SUCCESS;
+		else switch (options.enforce) {
+			case ENFORCE_NONE:
+				retval = PAM_SUCCESS;
+				break;
+			case ENFORCE_USERS:
+				if (getuid()) retval = PAM_AUTHTOK_ERR;
+				else retval = PAM_SUCCESS;
+				break;
+			case ENFORCE_ALL:
+			default:
+				retval = PAM_AUTHTOK_ERR;
+				break;
+		}
             } else {
                 /* check it for strength too... */
 		D(("for strength"));
@@ -624,10 +650,21 @@
                 retval = _pam_unix_approve_pass (pamh, ctrl, &options,
 						 oldtoken, token1);
 		if (retval != PAM_SUCCESS) {
-		    if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
+		    if (flags & PAM_CHANGE_EXPIRED_AUTHTOK)
 		        retval = PAM_AUTHTOK_ERR;
-		    else
-		        retval = PAM_SUCCESS;
+			else switch (options.enforce) {
+				case ENFORCE_NONE:
+					retval = PAM_SUCCESS;
+					break;
+				case ENFORCE_USERS:
+					if (getuid()) retval = PAM_AUTHTOK_ERR;
+					else retval = PAM_SUCCESS;
+					break;
+				case ENFORCE_ALL:
+				default:
+					retval = PAM_AUTHTOK_ERR;
+					break;
+			}
                 }
             }
         }