author | Luke Shumaker <lukeshu@sbcglobal.net> | 2016-06-17 22:29:02 -0400 |
---|---|---|
committer | Luke Shumaker <lukeshu@sbcglobal.net> | 2016-06-17 22:29:02 -0400 |
commit | 374539da4c9e1b4ea5ca889771ce89b27b119f48 (patch) | |
tree | 188ccdb1b2939850adaa655960a310274c885033 /go/parabola_hackers/nslcd_backend | |
parent | bdcbbb3d9d9c4d0d318bbd68d3fe39389d70bfe5 (diff) |
PAM: don't trust AsRoot
Diffstat (limited to 'go/parabola_hackers/nslcd_backend')
-rw-r--r-- | go/parabola_hackers/nslcd_backend/db_pam.go | 10 |
1 files changed, 3 insertions, 7 deletions
diff --git a/go/parabola_hackers/nslcd_backend/db_pam.go b/go/parabola_hackers/nslcd_backend/db_pam.go
index 353fe5e..607c550 100644
--- a/go/parabola_hackers/nslcd_backend/db_pam.go
+++ b/go/parabola_hackers/nslcd_backend/db_pam.go
@@ -137,8 +137,9 @@ func (o *Hackers) PAM_PwMod(cred s.Ucred, req p.Request_PAM_PwMod) <-chan p.PAM_
 user := o.users[uid]
 // Check the OldPassword
- switch req.AsRoot {
- case 0: /* user password */
+ if req.AsRoot == 1 && cred.Uid == 0 {
+ // bypass the password check
+ } else {
 if !checkPassword(req.OldPassword, user.Passwd.PwHash) {
 ret <- p.PAM_PwMod{
 Result: p.NSLCD_PAM_PERM_DENIED,
@@ -146,11 +147,6 @@ func (o *Hackers) PAM_PwMod(cred s.Ucred, req p.Request_PAM_PwMod) <-chan p.PAM_
 }
 return
 }
- case 1: /* root password */
- // do nothing
- default:
- logger.Info("Invalid AsRoot value in PwMod request: %d", req.AsRoot)
- return
 }
 // Update the PwHash in memory |
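Review bot: The bypass branch `if req.AsRoot == 1 && cred.Uid == 0 {` lets a password be replaced without the old one and writes no audit record. The second hunk also drops the only log line for unexpected AsRoot values, so a non-root peer sending AsRoot=1 now shows up only as an ordinary PERM_DENIED. I would log both cases, for example `logger.Info("PwMod: old-password check bypassed for uid %v by root peer", uid)` in the bypass branch and `logger.Info("PwMod: AsRoot=%d ignored from peer uid %d", req.AsRoot, cred.Uid)` when AsRoot is non-zero but the peer is not root. As a style point, the empty branch reads more clearly as a guard, `if req.AsRoot != 1 || cred.Uid != 0 {`, around the checkPassword block. PAM_PwMod starts and ends outside these hunks, so confirm that `cred` is filled from kernel peer credentials on the socket and never from request data, because the whole check rests on that.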