From b7399903540c95e89f0ee427fed1de07301fbd93 Mon Sep 17 00:00:00 2001
From: Eric Biggers
Date: Tue, 21 Dec 2021 20:38:03 -0600
Subject: pam_fscrypt: warn user if OLDAUTHTOK not given in chauthtok

If someone runs 'passwd USER' as root, the user is assigned a new login passphrase without their fscrypt login protector being updated. Detect this case and show a warning message using pam_info().

Fixes https://github.com/google/fscrypt/issues/273
---
 pam/pam.go | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'pam/pam.go')

diff --git a/pam/pam.go b/pam/pam.go
index 54a60e2..f79e2d4 100644
--- a/pam/pam.go
+++ b/pam/pam.go
@@ -166,6 +166,13 @@ func (h *Handle) err() error {
 return errors.New(s)
 }
 
+// InfoMessage sends a message to the application using pam_info().
+func (h *Handle) InfoMessage(message string) {
+ cMessage := C.CString(message)
+ defer C.free(unsafe.Pointer(cMessage))
+ C.infoMessage(h.handle, cMessage)
+}
+
 // Transaction represents a wrapped pam_handle_t type created with pam_start
 // form an application.
 type Transaction Handle
-- 
cgit v1.2.3
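Review bot: InfoMessage has no return value, so a caller cannot tell when the pam_info() conversation failed and the warning never reached the user. As far as this diff shows, that message is how the user learns their login protector was not updated to the new passphrase. If the helper can surface pam_info()'s status, return it as an `error`; otherwise state the contract in the doc comment, e.g. `// Delivery is best-effort; a failed conversation is not reported to the caller.`, and have the caller log the condition as well. The C helper `infoMessage` is outside this diff (the view is limited to pam/pam.go), and pam_info() takes a printf-style format, so it is worth confirming the helper passes the text as an argument to a fixed `"%s"` format rather than as the format string itself.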