minrk / pamela

Python PAM interface

unable to Change_password for different user #18

Closed notoriou1pig closed 3 months ago

notoriou1pig commented 4 years ago

Hello,

I try to use this pamela module to change user password. It works great for the current user.

In the source code, there is this comment saying (Line 409) :

# Password x2 to answer the "Retype new UNIX password:" prompt
# TODO: If we're not running as root the first prompt will be
# 'current password' which we will not answer, so this will not work
# in that case.

I tried to add a "current_password" to the table containing the passwords in the new_simple_password_conv call:

conv_func = new_simple_password_conv((current_password, password, password), encoding)

I do not understand why it still does not work. It throws: pamela.PAMError: [PAM Error 20] Authentication token manipulation error, as if the passwords were not good. In my debug, I can see that current_password seems right because I go to the next step (new UNIX password prompt).

Here is my call: pamela.change_password("user", "oldPass", "newPass", service="passwd") And here is my output:

[b'newPass', b'newPass', b'oldPass']
----------------
<pamela.LP_LP_PamMessage** object at 0x7fb350e0e158>
----------------
b'o'
b'l'
b'd'
b'P'
b'a'
0
----------------
<pamela.LP_LP_PamMessage object at 0x7fb350e0e158>
----------------
b'n'
b'e'
b'w'
b'P'
b'a'
0
----------------
<pamela.LP_LP_PamMessage object at 0x7fb350e0e158>
----------------
b'n'
b'e'
b'w'
b'P'
b'a'
0
----------------
20
Traceback (most recent call last):
  File "test.py", line 11, in <module>
    ret = pamela.change_password("user", "oldPass", "newPass", service="passwd")
  File "/usr/local/lib/python3.6/dist-packages/pamela.py", line 440, in change_password
    return pam_end(handle, ret)
  File "/usr/local/lib/python3.6/dist-packages/pamela.py", line 362, in pam_end
    raise PAMError(errno=retval)
pamela.PAMError: [PAM Error 20] Authentication token manipulation error

Is there a way to get more debug info? Or do you have any idea on what could happen? Thanks in advance, I can provide more files if needed.

notoriousPig

Ebenholt commented 4 years ago

You get the authentication error because PAM doesn't allow you to change passwords for other users (this would be a security risk).

Just like the comment in the code says, you need to run as root if you want to change another user's password.

This is not unique to this implementation of PAM, you get the same if you try to do the same in C (or any other language).

notoriou1pig commented 4 years ago

Thank you for your quickness.

I got it. What about the same user? When my user runs the same Python line, it does the same. But I suppose my current user could change its own password, no?

Ebenholt commented 4 years ago

Yes, in theory. I am not a PAM expert and I haven't yet found an example that manages to do that as the current user. For example the "passwd" utility uses the setuid bit so that it always runs as root. There are problems with the access rights in the /etc folder which usually make it easier to run the process as root (which of course needs to be done with caution).
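The TODO comment quoted in the first post and the reply above describe two facts about pam_chauthtok(): root is not asked for the current password, while an unprivileged caller is, and only root may change another user's password. The added example below is not pamela's code or API; it is a standalone, pure-Python sketch of a conversation callback that answers each prompt by its wording instead of by position, fails closed on a prompt it does not recognise (so the new secret is never fed to an unexpected prompt), and refuses to proceed when a non-root caller has no current password. The message-style constants are Linux-PAM's; the prompt strings and the helper names (may_change_password, make_conversation, answer_chauthtok) are assumptions for illustration, and real prompt wording varies by distribution, module and locale.

```python
import os

# Linux-PAM message styles (values from <security/_pam_types.h>).
PAM_PROMPT_ECHO_OFF = 1
PAM_PROMPT_ECHO_ON = 2
PAM_ERROR_MSG = 3
PAM_TEXT_INFO = 4

# Constructed prompt sequences for a pam_unix password change, following the
# thread: root is not asked for the current password, an unprivileged user is.
# The exact wording is an assumption and differs between systems.
CHAUTHTOK_PROMPTS_ROOT = [
    (PAM_PROMPT_ECHO_OFF, "New UNIX password: "),
    (PAM_PROMPT_ECHO_OFF, "Retype new UNIX password: "),
]
CHAUTHTOK_PROMPTS_USER = [
    (PAM_PROMPT_ECHO_OFF, "(current) UNIX password: "),
    (PAM_PROMPT_ECHO_OFF, "New UNIX password: "),
    (PAM_PROMPT_ECHO_OFF, "Retype new UNIX password: "),
]


def may_change_password(euid, calling_user, target_user):
    """The rule stated in the thread: root may change anyone's password,
    an unprivileged process only its own."""
    return euid == 0 or calling_user == target_user


def choose_answer(prompt, current_password, new_password):
    """Pick the secret a prompt asks for from its wording.

    Returns None for a prompt that does not clearly ask for either secret
    so the caller can fail closed instead of leaking the new password."""
    text = prompt.lower()
    if "current" in text or text.startswith("old"):
        return current_password
    if any(word in text for word in ("retype", "re-enter", "again", "confirm")):
        return new_password
    if "new" in text:
        return new_password
    return None


def make_conversation(current_password, new_password):
    """Build a PAM-style conversation callback (hypothetical shape).

    `messages` is a list of (style, text) pairs; the result is one response
    per message, None for informational and error messages."""
    def conv(messages):
        responses = []
        for style, text in messages:
            if style in (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON):
                answer = choose_answer(text, current_password, new_password)
                if answer is None:
                    # Unknown prompt: refuse rather than guess which secret to send.
                    raise ValueError("unrecognised password prompt: %r" % text)
                responses.append(answer)
            else:
                # PAM_ERROR_MSG / PAM_TEXT_INFO carry no response.
                responses.append(None)
        return responses
    return conv


def answer_chauthtok(euid, current_password, new_password):
    """Run the constructed prompt sequence for `euid` through the conversation
    and return the answers in order; raise if the caller cannot satisfy it."""
    if euid != 0 and not current_password:
        raise PermissionError("current password required when not running as root")
    prompts = CHAUTHTOK_PROMPTS_ROOT if euid == 0 else CHAUTHTOK_PROMPTS_USER
    return make_conversation(current_password, new_password)(prompts)


if __name__ == "__main__":
    # Dry run against the constructed prompts for the current effective uid.
    print(answer_chauthtok(os.geteuid(), "oldPass", "newPass"))
```

The point of matching on prompt text is that a positional tuple like (current, new, new) is only right when the module asks exactly those three questions in that order; as root the first question is missing, so the old password would be submitted as the new one. Matching by wording is still fragile (localised prompts will not contain "new"), which is why the callback raises on anything it cannot classify instead of sending a secret anyway.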

notoriou1pig commented 4 years ago

Okay, I checked the passwd utility and yep, it uses the setuid bit.

Anyway, I'll find another solution. (Certainly something with the setuid bit).

Thanks a lot for your time. You can close this issue if you want. notoriousPig