src/man/pam_sss.8.xml

-Original file line number
+Diff line change
@@ Expand Up / @@ -56,6 +56,9 @@ @@
                 <arg choice='opt'>
                     <replaceable>require_cert_auth</replaceable>
                 </arg>
+                <arg choice='opt'>
+                    <replaceable>allow_chauthtok_by_root</replaceable>
+                </arg>
             </cmdsynopsis>
         </refsynopsisdiv>
@@ Expand Down Expand Up / @@ -249,6 +252,22 @@ auth sufficient pam_sss.so allow_missing_name @@
                         </para>
                     </listitem>
                 </varlistentry>
+                <varlistentry>
+                    <term>
+                        <option>allow_chauthtok_by_root</option>
+                    </term>
+                    <listitem>
+                        <para>
+                            By default the chauthtok PAM action will short-circuit to
+                            returning PAM_SUCCESS when pam_sss.so is invoked by root
+                            user.
+                        </para>
+                        <para>
+                            This option disables this behavior allowing to change
+                            auth tokens when running as root.
+                        </para>
+                    </listitem>
+                </varlistentry>
             </variablelist>
         </refsect1>
@@ Expand Down @@

src/sss_client/pam_sss.c

-Original file line number
+Diff line change
@@ Expand Up @@
                 }
             } else if (strcmp(*argv, "quiet") == 0) {
                 *quiet_mode = true;
+            } else if (strcmp(*argv, "allow_chauthtok_by_root") == 0) {
+                *flags |= PAM_CLI_FLAGS_ALLOW_CHAUTHTOK_BY_ROOT;
             } else if (strcmp(*argv, "ignore_unknown_user") == 0) {
                 *flags |= PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER;
             } else if (strcmp(*argv, "ignore_authinfo_unavail") == 0) {
@@ Expand Down Expand Up @@
         }
         if (pam_flags & PAM_PRELIM_CHECK) {
-            if (getuid() == 0 && !exp_data )
+            if (!(flags & PAM_CLI_FLAGS_ALLOW_CHAUTHTOK_BY_ROOT) && getuid() == 0 && !exp_data )
                 return PAM_SUCCESS;
             if (flags & PAM_CLI_FLAGS_USE_2FA
@@ Expand Down @@

src/sss_client/sss_cli.h

-Original file line number
+Diff line change
@@ Expand Up / @@ -429,6 +429,7 @@ enum pam_item_type { @@
     #define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
     #define PAM_CLI_FLAGS_TRY_CERT_AUTH (1 << 8)
     #define PAM_CLI_FLAGS_REQUIRE_CERT_AUTH (1 << 9)
+    #define PAM_CLI_FLAGS_ALLOW_CHAUTHTOK_BY_ROOT (1 << 10)
     #define SSS_NSS_MAX_ENTRIES 256
     #define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
@@ Expand Down @@

pam: Do not prevent root from changing auth token #7761

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

arrowd wants to merge 1 commit into SSSD:master from arrowd:master

-Original file line number
+Diff line change
@@ Expand Up / @@ -56,6 +56,9 @@ @@
                 <arg choice='opt'>
                     <replaceable>require_cert_auth</replaceable>
                 </arg>
+                <arg choice='opt'>
+                    <replaceable>allow_chauthtok_by_root</replaceable>
+                </arg>
             </cmdsynopsis>
         </refsynopsisdiv>
@@ Expand Down Expand Up / @@ -249,6 +252,22 @@ auth sufficient pam_sss.so allow_missing_name @@
                         </para>
                     </listitem>
                 </varlistentry>
+                <varlistentry>
+                    <term>
+                        <option>allow_chauthtok_by_root</option>
+                    </term>
+                    <listitem>
+                        <para>
+                            By default the chauthtok PAM action will short-circuit to
+                            returning PAM_SUCCESS when pam_sss.so is invoked by root
+                            user.
+                        </para>
+                        <para>
+                            This option disables this behavior allowing to change
+                            auth tokens when running as root.
+                        </para>
+                    </listitem>
+                </varlistentry>
             </variablelist>
         </refsect1>
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up @@
                 }
             } else if (strcmp(*argv, "quiet") == 0) {
                 *quiet_mode = true;
+            } else if (strcmp(*argv, "allow_chauthtok_by_root") == 0) {
+                *flags |= PAM_CLI_FLAGS_ALLOW_CHAUTHTOK_BY_ROOT;
             } else if (strcmp(*argv, "ignore_unknown_user") == 0) {
                 *flags |= PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER;
             } else if (strcmp(*argv, "ignore_authinfo_unavail") == 0) {
@@ Expand Down Expand Up @@
         }
         if (pam_flags & PAM_PRELIM_CHECK) {
-            if (getuid() == 0 && !exp_data )
+            if (!(flags & PAM_CLI_FLAGS_ALLOW_CHAUTHTOK_BY_ROOT) && getuid() == 0 && !exp_data )
                 return PAM_SUCCESS;
             if (flags & PAM_CLI_FLAGS_USE_2FA
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -429,6 +429,7 @@ enum pam_item_type { @@
     #define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
     #define PAM_CLI_FLAGS_TRY_CERT_AUTH (1 << 8)
     #define PAM_CLI_FLAGS_REQUIRE_CERT_AUTH (1 << 9)
+    #define PAM_CLI_FLAGS_ALLOW_CHAUTHTOK_BY_ROOT (1 << 10)
     #define SSS_NSS_MAX_ENTRIES 256
     #define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
@@ Expand Down @@

Provide feedback