-rw-r--r-- | doc/man/pam_pwquality.8 | 8 | ||||
-rw-r--r-- | src/pam_pwquality.c | 6 |
2 files changed, 13 insertions, 1 deletions
diff --git a/doc/man/pam_pwquality.8 b/doc/man/pam_pwquality.8
index 01a3bdf..b8269de 100644
--- a/doc/man/pam_pwquality.8
+++ b/doc/man/pam_pwquality.8
@@ -240,6 +240,14 @@ individually searched for and forbidden in the new password\&. By default the list is empty which means that this check is disabled\&.
 .RE
 .PP
+\fBenforce_for_root\fR
+.RS 4
+The module will return error on failed check even if the user changing the
+password is root\&. This option is off by default which means that just
+the message about the failed check is printed but root can change
+the password anyway\&.
+.RE
+.PP
 \fBuse_authtok\fR
 .RS 4
 This argument is used to
diff --git a/src/pam_pwquality.c b/src/pam_pwquality.c
index 4319602..52535c9 100644
--- a/src/pam_pwquality.c
+++ b/src/pam_pwquality.c
@@ -42,6 +42,7 @@ struct module_options {
 int retry_times;
+ int enforce_for_root;
 pwquality_settings_t *pwq;
 };
@@ -79,6 +80,8 @@ _pam_parse (pam_handle_t *pamh, struct module_options *opt,
 opt->retry_times = strtol(*argv+6, &ep, 10);
 if (!ep || (opt->retry_times < 1))
 opt->retry_times = CO_RETRY_TIMES;
+ } else if (!strncmp(*argv, "enforce_for_root", 16)) {
+ opt->enforce_for_root = 1;
 } else if (!strncmp(*argv, "difignore=", 10)) {
 /* ignored for compatibility with pam_cracklib */
 } else if (!strncmp(*argv, "reject_username", 15)) {
@@ -177,7 +180,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
 pam_syslog(pamh, LOG_DEBUG, "bad password: %s", msg);
 pam_error(pamh, _("BAD PASSWORD: %s"), msg);
- if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) {
+ if (getuid() || options.enforce_for_root ||
+ (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) {
 pam_set_item(pamh, PAM_AUTHTOK, NULL);
 retval = PAM_AUTHTOK_ERR;
 continue;
|
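Review bot: In the `_pam_parse` hunk, `strncmp(*argv, "enforce_for_root", 16)` is a prefix match, so any argument that merely starts with that string (for example a mistyped `enforce_for_root=no`) silently turns enforcement on; since the option takes no value, `} else if (!strcmp(*argv, "enforce_for_root")) {` would reject such spellings, although the neighbouring `reject_username` branch uses the same prefix idiom, so this follows the file's existing convention. Only the set-to-1 path exists, so the new field relies on `opt->enforce_for_root` being zeroed before parsing; that initialisation is not visible in this hunk and should be confirmed, otherwise the default described in the man page ("off by default") depends on uninitialised memory. `_pam_parse` begins and ends outside the hunk.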
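Review bot: The root bypass in the changed condition in `pam_sm_chauthtok` keys on `getuid()`, i.e. the real uid of the process calling the module, not the account whose password is being set; a service that runs as root and changes other users' passwords will therefore skip enforcement for everyone unless `enforce_for_root` is configured. That distinction is worth a comment above the `if`, e.g. `/* Enforce only for non-root callers (real uid), for expired passwords, or when enforce_for_root is set; otherwise the failure is reported but the change proceeds. */`. The man page hunk describes the behaviour in terms of "the user changing the password", which matches this semantics. The enclosing retry loop and the rest of `pam_sm_chauthtok` lie outside the hunk.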