authorStephen Hemminger <stephen.hemminger@vyatta.com>2009-12-18 11:18:48 -0800
committerStephen Hemminger <stephen.hemminger@vyatta.com>2009-12-18 14:55:32 -0800
commitebf4b7422e1a58978418e11f13bf7859e7ba6318 (patch)
tree6e9492314fb3341cbb45d63df92dcfbd05a970e3
parent42144158c9036f4801289905a316de4a2b7a772e (diff)
Block passwd command for non-root user
The vyatta administrator needs to use Vyatta tools to change account password. Bug 4927
-rw-r--r--debian/vyatta-cfg-system.postinst.in8
-rw-r--r--debian/vyatta-cfg-system.postrm4
2 files changed, 9 insertions, 3 deletions
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index d1e834f3..5cb03651 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -129,7 +129,6 @@ EOF
# Install pamradius config (should come with radius client eventually)
cp $sysconfdir/pam_radius.cfg /usr/share/pam-configs/radius
-
fi
if [ "$sysconfdir" != "/opt/vyatta/etc" ]; then
@@ -170,6 +169,13 @@ sed -i -e ':^DSHELL:s:/bin/bash:/bin/vbash:' /etc/adduser.conf
# Do not allow users to change full name field (controlled by Vyatta config)
sed -i -e 's/^CHFN_RESTRICT/#&/' /etc/login.defs
+# Only allow root to use passwd command
+if ! grep -q 'pam_succeed_if.so' /etc/pam.d/passwd ; then
+ sed -i -e '/^@include/i \
+password requisite pam_succeed_if.so user = root
+' /etc/pam.d/passwd
+fi
+
# Block pc speaker driver to keep system quiet
[ grep "blacklist.*snd-pcsp" >&/dev/null ] || echo "blacklist snd-pcsp" >>/etc/modprobe.d/blacklist
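Review bot: The restriction is inserted only in front of an existing `^@include` line in /etc/pam.d/passwd, so on a file without one the sed is a silent no-op and passwd stays unrestricted while postinst still reports success. A check after the edit would make that visible, for example `grep -q 'pam_succeed_if.so user = root' /etc/pam.d/passwd || echo "warning: passwd restriction not installed" >&2`. Separately, the `user` field of pam_succeed_if is, as far as I know, the account whose password is being changed rather than the caller, so the rule appears to block root from running passwd for other accounts as well. If that is intended, the comment would be more accurate as `# Only the root account's password may be changed with passwd`.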
diff --git a/debian/vyatta-cfg-system.postrm b/debian/vyatta-cfg-system.postrm
index 46ec1aaa..5b22f66b 100644
--- a/debian/vyatta-cfg-system.postrm
+++ b/debian/vyatta-cfg-system.postrm
@@ -3,8 +3,8 @@
if [ "$1" = "purge" ]; then
rm -f /etc/udev/rules.d/*vyatta-net.rules
- sed -i '/### BEGIN VYATTA/,/### END VYATTA/d' /etc/sudoers
-
+ sed -i -e '/### BEGIN VYATTA/,/### END VYATTA/d' /etc/sudoers
+ sed -i -e 'g/^password/d' /etc/pam.d/password
fi
# Local Variables:
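Review bot: The new purge line cannot undo the postinst change: it edits `/etc/pam.d/password` while postinst writes `/etc/pam.d/passwd`, and `g/^password/d` is ed/ex syntax that sed rejects instead of treating it as an address plus `d`. Even with both corrected, deleting every line that starts with `password` would also drop rules this package did not add. Matching the inserted rule itself is safer, e.g. `sed -i -e '/pam_succeed_if\.so user = root/d' /etc/pam.d/passwd`. As written the restriction survives a purge, and if the script runs under `set -e` (not visible in this hunk) the failing sed would abort the purge.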