amishmm / php-pam

This extension provides PAM (Pluggable Authentication Modules) integration for PHP

Instructions for tracing issues? #14

Closed kohlrak closed 4 months ago

kohlrak commented 4 months ago

I noticed I was able to call a php script as root and change password, but even making /etc/shadow, /etc/passwd/ and /etc/group (this latter one was an odd suggestion I tried out of desperation) writable to http, I still get "Conversation error (in pam_chauthtok)" and I don't know where the issue is. strace is a bit of a mess to read, but my glance over didn't reveal anything obvious. It shouldn't be the /etc/pam.d/php file because, well, it worked as root. I'd like to use PAM to centralize the user account database (with email and other things), but I'd like to allow users to change passwords without having to use ssh. But I have no idea how to further look for the issue.

amishmm commented 4 months ago

This will not work because pam_chauthtok (of the PAM library) requires either the same user or root.

So the "http" user cannot change the password of other users.

You probably need to write a separate setuid binary which does your job, or use a sudo configuration. Both have huge security risks if not done absolutely correctly.

Both are out of scope for php-pam.

I think the best place to ask is PAM support at https://github.com/linux-pam/linux-pam
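As an added illustration of the constraint described in this reply (not code from php-pam or its maintainer), the check below tells a PHP caller up front whether a password change for a given account can succeed from the current process, rather than letting the PAM stack fail later with a generic conversation error. It assumes the `posix` extension is loaded and that php-pam exposes `pam_chpass(string $user, string $old, string $new, string &$error): bool`, which is an assumption about the extension's API.

```php
<?php
// Added example, not php-pam's own code. Assumed API:
//   pam_chpass(string $user, string $old, string $new, string &$error): bool
declare(strict_types=1);

/**
 * pam_chauthtok (via pam_unix's helper) only honours a password change when
 * the calling process is root or is the target user itself. Return null when
 * the change is permitted from this process, otherwise a human-readable reason.
 */
function chpass_blocked_reason(string $target): ?string
{
    $euid = posix_geteuid();
    if ($euid === 0) {
        return null;                         // root may change any password
    }
    $pw = posix_getpwnam($target);
    if ($pw === false) {
        return "unknown user '$target'";
    }
    if ($pw['uid'] === $euid) {
        return null;                         // a user may change their own
    }
    $me = posix_getpwuid($euid)['name'] ?? (string) $euid;
    return "process runs as '$me' (uid $euid), which is neither root nor "
         . "'$target'; pam_chauthtok will be refused by PAM";
}

/** Run the pre-check, then call the (assumed) php-pam API only when it can work. */
function change_password(string $target, string $old, string $new): array
{
    $why = chpass_blocked_reason($target);
    if ($why !== null) {
        return ['ok' => false, 'error' => $why];
    }
    $error = '';
    $ok = pam_chpass($target, $old, $new, $error);   // assumed php-pam function
    return ['ok' => $ok, 'error' => $ok ? '' : $error];
}

// Typical use from a request handler; under the "http" user the pre-check
// reports the uid mismatch instead of an opaque "Conversation error".
// $result = change_password($_POST['user'], $_POST['old'], $_POST['new']);
```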