fix for pam proxy chauthtok

When a user from a domain served by the proxy backend changes his
password with passwd the passwd command asks for the old password,
but it is not validated by the pam_chauthtok call in the proxy
backend, because it is running as root.

If the request is coming the unpriviledged socket we now call
pam_authenticate explicitly before pam_chauthtok.

1 files changed, 3 insertions, 0 deletions

diff --git a/server/providers/dp_auth_util.c b/server/providers/dp_auth_util.c
index 99e57e2e8..630dafe8c 100644
--- a/server/providers/dp_auth_util.c
+++ b/server/providers/dp_auth_util.c
@@ -34,6 +34,7 @@ void pam_print_data(int l, struct pam_data *pd)
     DEBUG(l, ("authtok size: %d\n", pd->authtok_size));
     DEBUG(l, ("newauthtok type: %d\n", pd->newauthtok_type));
     DEBUG(l, ("newauthtok size: %d\n", pd->newauthtok_size));
+    DEBUG(l, ("priv: %d\n", pd->priv));
 }
 
 int pam_add_response(struct pam_data *pd, enum response_type type,
@@ -74,6 +75,7 @@ bool dp_pack_pam_request(DBusMessage *msg, struct pam_data *pd)
                                    DBUS_TYPE_ARRAY, DBUS_TYPE_BYTE,
                                        &(pd->newauthtok),
                                        pd->newauthtok_size,
+                                   DBUS_TYPE_INT32, &(pd->priv),
                                    DBUS_TYPE_INVALID);
 
     return ret;
@@ -99,6 +101,7 @@ bool dp_unpack_pam_request(DBusMessage *msg, struct pam_data *pd, DBusError *dbu
                                 DBUS_TYPE_ARRAY, DBUS_TYPE_BYTE,
                                     &(pd->newauthtok),
                                     &(pd->newauthtok_size),
+                                DBUS_TYPE_INT32, &(pd->priv),
                                 DBUS_TYPE_INVALID);
 
     return ret;