vlock: implement PAM account and password management
There seems to be a tradition for lockers to implement PAM account and
password management (account validation, changing expired passwords,
refreshing credentials) like login programs do.
Note that vlock may or may not need extra credentials to do account
and password management depending on the authentication scheme in use.
For example, in case of the tcb password shadowing scheme implemented
by pam_tcb, to authenticate the user, vlock should be installed as a
SGID-chkpwd executable to access tcb_chkpwd helper (which in turn is
usually installed as a more privileged SGID-shadow executable). To
perform account and password management, vlock should be installed as
a SGID-shadow executable itself (like passwd utility with the tcb
password shadowing scheme).
In case of the traditional password shadowing scheme implemented by
pam_unix, vlock needs no extra privileges to authenticate the user
(because of no restrictions to access unix_chkpwd helper), but should
be installed as a SUID-root executable to perform account and password
management (like passwd utility with the traditional password
shadowing scheme).
Fixes RH#913311.
projects / platform / upstream / kbd.git / commit