From dcf257af0cc0ba8bb9d4ec2b311e5548459f6e72 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Fri, 12 Mar 2010 14:37:33 +0100
Subject: Prompt for old password even when running as root

When changing an expired password (during e.g. login) the PAM module needs to prompt for the old password even when running as root.
---
 src/sss_client/pam_sss.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'src/sss_client')

diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index d62e9485c..2ba6f158e 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -979,11 +979,13 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
 int pam_flags)
 {
 int ret;
-
+ int *exp_data = NULL;
+ pam_get_data(pamh, PWEXP_FLAG, (const void **) &exp_data);
+
 /* we query for the old password during PAM_PRELIM_CHECK to make
 * pam_sss work e.g. with pam_cracklib */
 if (pam_flags & PAM_PRELIM_CHECK) {
- if (getuid() != 0 && !(flags & FLAGS_USE_FIRST_PASS)) {
+ if ( (getuid() != 0 || exp_data ) && !(flags & FLAGS_USE_FIRST_PASS)) {
 ret = prompt_password(pamh, pi, _("Current Password: "));
 if (ret != PAM_SUCCESS) {
 D(("failed to get password from user"));
-- cgit
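Review bot: The return value of `pam_get_data()` is discarded in the two lines added at the top of get_authtok_for_password_change, so the later `exp_data` test depends on the `NULL` initialiser surviving a failed lookup. Because this pointer now decides whether a password change run as root must present the old password, make the failure case explicit: `if (pam_get_data(pamh, PWEXP_FLAG, (const void **) &exp_data) != PAM_SUCCESS) exp_data = NULL;`. The new condition also tests only that data is present, never its value, and the code that stores PWEXP_FLAG is outside this hunk, so confirm it is set only when the password has actually expired. A comment such as `/* expired password: ask for the old one even as root */` above the `if` would record that intent. The function body continues past the end of the hunk.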