From a6e173ee3355f49affa5d31181daa19bb6c1229d Mon Sep 17 00:00:00 2001
From: des <des@FreeBSD.org>
Date: Fri, 26 Apr 2002 19:28:17 +0000
Subject: Don't ask root for the old password, except in the NIS case.

Sponsored by:	DARPA, NAI Labs
---
 lib/libpam/modules/pam_unix/pam_unix.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'lib/libpam')

diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c
index 510eb39..cdf1955 100644
--- a/lib/libpam/modules/pam_unix/pam_unix.c
+++ b/lib/libpam/modules/pam_unix/pam_unix.c
@@ -313,6 +313,11 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
 
 		PAM_LOG("PRELIM round");
 
+		if (getuid() == 0 &&
+		    (pwd->pw_fields & _PWF_SOURCE) == _PWF_FILES)
+			/* root doesn't need the old password */
+			return (pam_set_item(pamh, PAM_OLDAUTHTOK, ""));
+
 		if (pwd->pw_passwd[0] == '\0'
 		    && pam_test_option(&options, PAM_OPT_NULLOK, NULL)) {
 			/*
@@ -338,7 +343,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
 		PAM_LOG("UPDATE round");
 
 		retval = pam_get_authtok(pamh,
-		    PAM_AUTHTOK, &old_pass, NULL);
+		    PAM_OLDAUTHTOK, &old_pass, NULL);
 		if (retval != PAM_SUCCESS)
 			return (retval);
 		PAM_LOG("Got old password");
-- 
cgit v1.1