From b7399903540c95e89f0ee427fed1de07301fbd93 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Tue, 21 Dec 2021 20:38:03 -0600 Subject: pam_fscrypt: warn user if OLDAUTHTOK not given in chauthtok If someone runs 'passwd USER' as root, the user is assigned a new login passphrase without their fscrypt login protector being updated. Detect this case and show a warning message using pam_info(). Fixes https://github.com/google/fscrypt/issues/273
---
pam/pam.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'pam/pam.c')
diff --git a/pam/pam.c b/pam/pam.c
index 1479dfa..1d6aefe 100644
--- a/pam/pam.c
+++ b/pam/pam.c
@@ -20,6 +20,7 @@
 #include "pam.h"
 #include
+#include
 #include
 #include
 #include
@@ -107,3 +108,7 @@ void freeSecret(pam_handle_t* pamh, char* data, int error_status) {
 munlock(data, size);
 free(data);
 }
+
+void infoMessage(pam_handle_t* pamh, const char* message) {
+ pam_info(pamh, "%s", message);
+}
-- cgit v1.2.3
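Review bot: The return value of `pam_info()` is discarded in the new `infoMessage()`, so a failed conversation (`PAM_CONV_ERR`, `PAM_BUF_ERR` or `PAM_SYSTEM_ERR`) drops the warning without a trace. Going by the commit message, this text is the only signal that the fscrypt login protector was left out of sync with the new passphrase, so losing it silently leaves the user unaware that the protector still depends on the old one. Consider returning the status, `int infoMessage(pam_handle_t* pamh, const char* message) { return pam_info(pamh, "%s", message); }`, so the caller (not visible here, the view is limited to pam/pam.c) can log the failure. Passing the message through a literal `"%s"` format rather than as the format string is correct and should stay. A short comment such as `// infoMessage displays an informational message to the user through the PAM conversation function.` would document the new helper.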