From 6cc57feb425d33e8f5921aad2716e8fc773285c4 Mon Sep 17 00:00:00 2001
From: Oskar Senft <osk@google.com>
Date: Wed, 5 Oct 2022 08:27:03 -0400
Subject: meta-google: Fix common-password to allow password change

Commit 951f1aabea4c8683cda113e743b68ad2dfd57fa8 removed the entry for
pam_cracklib.so from common-password. This resulted in the next entry in
the file to become the first module. However, as it still contained the
use_authtok flag, this forced the module to not prompt the user for a
new password and instead attempt to use the one provided by the
previously stacked password module. Since there is no previous stacked
password module, the process just fails.

This change adds code to remove the use_authtok entry from the first
password module to fix this issue.

Tested: Check that passwords can be changed again via "passwd".
Signed-off-by: Oskar Senft <osk@google.com>
Change-Id: Id88302732fe9d4c6e6c8cbb0004271d6ea2ac340
---
 meta-google/recipes-extended/pam/libpam_%.bbappend | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'meta-google')

diff --git a/meta-google/recipes-extended/pam/libpam_%.bbappend b/meta-google/recipes-extended/pam/libpam_%.bbappend
index 287dab7b14..d57b0eab15 100644
--- a/meta-google/recipes-extended/pam/libpam_%.bbappend
+++ b/meta-google/recipes-extended/pam/libpam_%.bbappend
@@ -12,4 +12,17 @@ RDEPENDS:${PN}-xtests:remove:gbmc = "${MLPREFIX}pam-plugin-cracklib-${libpam_suf
 do_install:append:gbmc() {
     # Remove reference to cracklib library from PAM config file
     sed -i '/pam_cracklib.so/d' ${D}${sysconfdir}/pam.d/common-password
+
+    # Remove the first occurrence of "use_authtok" in the first line starting
+    # with "password". This makes sure that if pam_cracklib.so was the first
+    # entry, we didn't invalidate the next entry in the stack. If the first
+    # entry has the "use_authtok" set, this "forces the module to not prompt
+    # the user for a new password but use the one provided by the previously
+    # stacked password module". Since there is no "previous" entry, it never
+    # asks for a password which causes the process to fail.
+    awk '/^password/ && !f{sub(/ use_authtok/, ""); f=1} 1' \
+        ${D}${sysconfdir}/pam.d/common-password \
+        > ${D}${sysconfdir}/pam.d/common-password.new
+    mv ${D}${sysconfdir}/pam.d/common-password.new \
+        ${D}${sysconfdir}/pam.d/common-password
 }
-- 
cgit v1.2.3