chage: Drop PAM support

The PAM support was only enabled with configure option
--enable-account-tools-setuid. The other account tools would use PAM
then to verify that the user is granted elevated permissions for
actions which normally only root can do.

In chage, however, any non-root user who does not specify the -l
command line option is denied access in check_perms. The check for
being root or not is done with getuid, so non-root users cannot
change user account's aging information in any possible way since
more than 18 years by now.

It's safe to say that nobody misses this non-existing feature. Biggest
benefit is to get chage out of the ACCT_TOOLS_SETUID group of tools.

Reviewed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

diff --git a/etc/pam.d/Makefile.am b/etc/pam.d/Makefile.am
index b8e4321f101af7fd77878f270128edc38db87a73..a723e381e95aafe9e81949bb32ed913047671b0f 100644 (file)
--- a/etc/pam.d/Makefile.am
+++ b/etc/pam.d/Makefile.am
@@ -11,7 +11,6 @@ pamd_files = \
        passwd
 
 pamd_acct_tools_files = \
-       chage \
        chgpasswd \
        groupadd \
        groupdel \

diff --git a/etc/pam.d/chage b/etc/pam.d/chage
deleted file mode 100644 (file)
index 8f49f5c..0000000
--- a/etc/pam.d/chage
+++ /dev/null
@@ -1,4 +0,0 @@
-#%PAM-1.0
-auth           sufficient      pam_rootok.so
-account                required        pam_permit.so
-password       include         system-auth

diff --git a/man/chage.1.xml b/man/chage.1.xml
index 060409b83a78c506850f736434f96d635d7da9b8..b58011185bfbabb4c580b1bfac31b226571d0330 100644 (file)
--- a/man/chage.1.xml
+++ b/man/chage.1.xml
@@ -208,8 +208,7 @@
            found under the directory <replaceable>PREFIX_DIR</replaceable>.
            This option does not chroot and is intended for preparing a cross-compilation
            target.  Some limitations: NIS and LDAP users/groups are
-           not verified.  PAM authentication is using the host files.
-           No SELINUX support.
+           not verified.  No SELINUX support.
          </para>
        </listitem>
       </varlistentry>

diff --git a/src/Makefile.am b/src/Makefile.am
index d4e6f3ab710375efaecdb0f451df170060e58a23..6981815095314e07fa55f4097fe12fcda5af0bfb 100644 (file)
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -99,7 +99,7 @@ else
 LIBCRYPT_NOPAM = $(LIBCRYPT)
 endif
 
-chage_LDADD    = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) -ldl
+chage_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) -ldl
 newuidmap_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
 newgidmap_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
 chfn_LDADD     = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)

diff --git a/src/chage.c b/src/chage.c
index a7933e0d88c167ecfec84cb77341e6428d70ae5d..aed8e5b6fd5835f72c72bb59442acf0338b6952c 100644 (file)
--- a/src/chage.c
+++ b/src/chage.c
@@ -19,11 +19,6 @@
 #include <stdlib.h>
 #include <sys/types.h>
 #include <time.h>
-#ifdef ACCT_TOOLS_SETUID
-#ifdef USE_PAM
-#include "pam_defs.h"
-#endif                         /* USE_PAM */
-#endif                         /* ACCT_TOOLS_SETUID */
 #include <pwd.h>
 
 #include "atoi/a2i/a2s.h"
@@ -474,23 +469,10 @@ static void check_flags (int argc, int opt_index)
  *     (we will later make sure that the user is only listing her aging
  *     information)
  *
- *     With PAM support, the setuid bit can be set on chage to allow
- *     non-root users to groups.
- *     Without PAM support, only users who can write in the group databases
- *     can add groups.
- *
  *     It will not return if the user is not allowed.
  */
 static void check_perms (void)
 {
-#ifdef ACCT_TOOLS_SETUID
-#ifdef USE_PAM
-       pam_handle_t *pamh = NULL;
-       struct passwd *pampw;
-       int retval;
-#endif                         /* USE_PAM */
-#endif                         /* ACCT_TOOLS_SETUID */
-
        /*
         * An unprivileged user can ask for their own aging information, but
         * only root can change it, or list another user's aging
@@ -501,39 +483,6 @@ static void check_perms (void)
                fprintf (stderr, _("%s: Permission denied.\n"), Prog);
                fail_exit (E_NOPERM);
        }
-
-#ifdef ACCT_TOOLS_SETUID
-#ifdef USE_PAM
-       pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */
-       if (NULL == pampw) {
-               fprintf (stderr,
-                        _("%s: Cannot determine your user name.\n"),
-                        Prog);
-               exit (E_NOPERM);
-       }
-
-       retval = pam_start (Prog, pampw->pw_name, &conv, &pamh);
-
-       if (PAM_SUCCESS == retval) {
-               retval = pam_authenticate (pamh, 0);
-       }
-
-       if (PAM_SUCCESS == retval) {
-               retval = pam_acct_mgmt (pamh, 0);
-       }
-
-       if (PAM_SUCCESS != retval) {
-               fprintf (stderr, _("%s: PAM: %s\n"),
-                        Prog, pam_strerror (pamh, retval));
-               SYSLOG((LOG_ERR, "%s", pam_strerror (pamh, retval)));
-               if (NULL != pamh) {
-                       (void) pam_end (pamh, retval);
-               }
-               fail_exit (E_NOPERM);
-       }
-       (void) pam_end (pamh, retval);
-#endif                         /* USE_PAM */
-#endif                         /* ACCT_TOOLS_SETUID */
 }
 
 /*