From 6249822c63f2cf1acccbae411ce6818a22729f51 Mon Sep 17 00:00:00 2001
From: Gleb Popov <6yearold@gmail.com>
Date: Thu, 12 Dec 2024 10:18:42 +0300
Subject: [PATCH] pam: Add option to allow changing auth token when running as
root
:config: The pam_sss.so module gained a new option named "allow_chauthtok_by_root".
It allows the realm password of an arbitrary user to be changed via PAM when the module is invoked by root.
---
src/man/pam_sss.8.xml | 19 +++++++++++++++++++
src/sss_client/pam_sss.c | 4 +++-
src/sss_client/sss_cli.h | 1 +
3 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml
index 1aa5ffcc044..0d32cd60750 100644
--- a/src/man/pam_sss.8.xml
+++ b/src/man/pam_sss.8.xml
@@ -56,6 +56,9 @@
require_cert_auth
+
+ allow_chauthtok_by_root
+
@@ -249,6 +252,22 @@ auth sufficient pam_sss.so allow_missing_name
+
+
+
+
+
+
+ By default the chauthtok PAM action will short-circuit to
+ returning PAM_SUCCESS when pam_sss.so is invoked by root
+ user.
+
+
+ This option disables this behavior allowing to change
+ auth tokens when running as root.
+
+
+
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 9aec74ce361..ae72970821f 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -2472,6 +2472,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
}
} else if (strcmp(*argv, "quiet") == 0) {
*quiet_mode = true;
+ } else if (strcmp(*argv, "allow_chauthtok_by_root") == 0) {
+ *flags |= PAM_CLI_FLAGS_ALLOW_CHAUTHTOK_BY_ROOT;
} else if (strcmp(*argv, "ignore_unknown_user") == 0) {
*flags |= PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER;
} else if (strcmp(*argv, "ignore_authinfo_unavail") == 0) {
@@ -2756,7 +2758,7 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
}
if (pam_flags & PAM_PRELIM_CHECK) {
- if (getuid() == 0 && !exp_data )
+ if (!(flags & PAM_CLI_FLAGS_ALLOW_CHAUTHTOK_BY_ROOT) && getuid() == 0 && !exp_data )
return PAM_SUCCESS;
if (flags & PAM_CLI_FLAGS_USE_2FA
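Review bot: The new condition on the PAM_PRELIM_CHECK path has no comment explaining what the root short-circuit was for or what the option changes, and it is now a three-conjunct, unbraced single-statement `if` that overruns the line; suggest a short comment above it such as `/* Root historically skipped the current-token prompt here; allow_chauthtok_by_root makes root take the regular prompt path below. */` and wrapping the body in braces. Note that with the option set, a root caller now falls through to the same 2FA/password prompting as any other user (the `PAM_CLI_FLAGS_USE_2FA` branch is what follows), which is a behavioural change worth stating explicitly in the man page text rather than only "disables this behavior". The check still keys on `getuid()`, the real UID, so a setuid helper run by an unprivileged user is unaffected either way. Whether the PAM_UPDATE_AUTHTOK path or the responder side has its own root special-casing that would also need to honour this flag is not visible here; get_authtok_for_password_change continues outside the hunk, so confirm the option takes effect end to end.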
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 02123f3a28a..4ffdafcfa71 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -429,6 +429,7 @@ enum pam_item_type {
#define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
#define PAM_CLI_FLAGS_TRY_CERT_AUTH (1 << 8)
#define PAM_CLI_FLAGS_REQUIRE_CERT_AUTH (1 << 9)
+#define PAM_CLI_FLAGS_ALLOW_CHAUTHTOK_BY_ROOT (1 << 10)
#define SSS_NSS_MAX_ENTRIES 256
#define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)