Question

What PAM call do I have to make to reset a user's password? I cannot figure it out.

Background:

I'm working on an embedded Linux device. Customers install this device and create user accounts. If one of those secondary user accounts gets locked out, or if a user forgets their password, we need a way for user #1 to reset the password for user #2. Our conversion to PAM is new; I'm in the middle of switching over to it now. Here are the calls I make to authenticate users:

#include <security/pam_appl.h>

pam_handle_t *pamh = NULL;
pam_start("myservice", username, &conv, &pamh);  /* "myservice" = placeholder /etc/pam.d entry, conv = our conversation callback */
pam_authenticate(pamh, 0);                       /* verify the user's password through the stack */
pam_acct_mgmt(pamh, 0);                          /* check the account is not locked or expired */
pam_end(pamh, PAM_SUCCESS);

I see pam_chauthtok() for changing my own password; what I don't understand is whether -- or how -- I can use it or another similar call to assign a new password to another user account.


Solution

The whole point of having separate users is that they cannot do things like change each other's password. In order to change a user's password with PAM, you need to become that user. The easiest way to do this is to have a setuid-root binary, or a daemon that runs as root, which calls setuid, etc., to become the desired user and then performs the operations to change the password.

Of course this exposes your entire system to a great deal of risk, especially if you're not already skilled in these matters (which is clear from your question), so I'd think twice about whether this feature is necessary, and if so, whether you should hire an expert to handle it.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow