From d012c2ba684651a217ef9491a999b6a735b57526 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Tue, 14 Jan 2025 17:42:21 +0100
Subject: [PATCH] chage: Drop PAM support

The PAM support was only enabled with configure option --enable-account-tools-setuid. The other account tools would use PAM then to verify that the user is granted elevated permissions for actions which normally only root can do. In chage, however, any non-root user who does not specify the -l command line option is denied access in check_perms. The check for being root or not is done with getuid, so non-root users cannot change user account's aging information in any possible way since more than 18 years by now. It's safe to say that nobody misses this non-existing feature. Biggest benefit is to get chage out of the ACCT_TOOLS_SETUID group of tools.

Reviewed-by: Alejandro Colomar
Signed-off-by: Tobias Stoeckmann
---
 etc/pam.d/Makefile.am | 1 -
 etc/pam.d/chage | 4 ----
 man/chage.1.xml | 3 +--
 src/Makefile.am | 2 +-
 src/chage.c | 51 -------------------------------------------
 5 files changed, 2 insertions(+), 59 deletions(-)
 delete mode 100644 etc/pam.d/chage

diff --git a/etc/pam.d/Makefile.am b/etc/pam.d/Makefile.am
index b8e4321f1..a723e381e 100644
--- a/etc/pam.d/Makefile.am
+++ b/etc/pam.d/Makefile.am
@@ -11,7 +11,6 @@ pamd_files = \
 	passwd
 pamd_acct_tools_files = \
-	chage \
 	chgpasswd \
 	groupadd \
 	groupdel \
diff --git a/etc/pam.d/chage b/etc/pam.d/chage
deleted file mode 100644
index 8f49f5cc8..000000000
--- a/etc/pam.d/chage
+++ /dev/null
@@ -1,4 +0,0 @@
-#%PAM-1.0
-auth sufficient pam_rootok.so
-account required pam_permit.so
-password include system-auth
diff --git a/man/chage.1.xml b/man/chage.1.xml
index 060409b83..b58011185 100644
--- a/man/chage.1.xml
+++ b/man/chage.1.xml
@@ -208,8 +208,7 @@ found under the directory PREFIX_DIR. This option does not chroot and is intended for preparing a cross-compilation target. Some limitations: NIS and LDAP users/groups are
- not verified. PAM authentication is using the host files.
- No SELINUX support.
+ not verified. No SELINUX support.
diff --git a/src/Makefile.am b/src/Makefile.am
index d4e6f3ab7..698181509 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -99,7 +99,7 @@ else
 LIBCRYPT_NOPAM = $(LIBCRYPT)
 endif
-chage_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) -ldl
+chage_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) -ldl
 newuidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
 newgidmap_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
 chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)
diff --git a/src/chage.c b/src/chage.c
index a7933e0d8..aed8e5b6f 100644
--- a/src/chage.c
+++ b/src/chage.c
@@ -19,11 +19,6 @@
 #include
 #include
 #include
-#ifdef ACCT_TOOLS_SETUID
-#ifdef USE_PAM
-#include "pam_defs.h"
-#endif /* USE_PAM */
-#endif /* ACCT_TOOLS_SETUID */
 #include
 #include "atoi/a2i/a2s.h"
@@ -474,23 +469,10 @@ static void check_flags (int argc, int opt_index)
  * (we will later make sure that the user is only listing her aging
  * information)
  *
- * With PAM support, the setuid bit can be set on chage to allow
- * non-root users to groups.
- * Without PAM support, only users who can write in the group databases
- * can add groups.
- *
  * It will not return if the user is not allowed.
  */
 static void check_perms (void)
 {
-#ifdef ACCT_TOOLS_SETUID
-#ifdef USE_PAM
-	pam_handle_t *pamh = NULL;
-	struct passwd *pampw;
-	int retval;
-#endif /* USE_PAM */
-#endif /* ACCT_TOOLS_SETUID */
-
 	/*
 	 * An unprivileged user can ask for their own aging information, but
 	 * only root can change it, or list another user's aging
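Review bot: The src/Makefile.am hunk only drops `$(LIBPAM_SUID)` from `chage_LDADD`; the setuid install list that the commit message calls the "ACCT_TOOLS_SETUID group of tools" is not touched in this hunk, so from what is visible it cannot be confirmed that a build configured with --enable-account-tools-setuid stops installing chage setuid-root. If chage is still installed setuid, it becomes a setuid binary whose only privilege gate is the check_perms test the commit message describes as getuid-based, with no PAM authentication behind it any more; that is sound only as long as that check keeps using the real UID rather than the effective one. Please confirm chage is also removed from the ACCT_TOOLS_SETUID install list in this Makefile (or say so in the commit message if that is done separately), and consider documenting the reliance in chage.c next to the root check, e.g. `/* real UID on purpose: a setuid-root install must not let non-root callers modify aging data */`, since the guard is now the whole security boundary.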
@@ -501,39 +483,6 @@ static void check_perms (void)
 		fprintf (stderr, _("%s: Permission denied.\n"), Prog);
 		fail_exit (E_NOPERM);
 	}
-
-#ifdef ACCT_TOOLS_SETUID
-#ifdef USE_PAM
-	pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */
-	if (NULL == pampw) {
-		fprintf (stderr,
-		         _("%s: Cannot determine your user name.\n"),
-		         Prog);
-		exit (E_NOPERM);
-	}
-
-	retval = pam_start (Prog, pampw->pw_name, &conv, &pamh);
-
-	if (PAM_SUCCESS == retval) {
-		retval = pam_authenticate (pamh, 0);
-	}
-
-	if (PAM_SUCCESS == retval) {
-		retval = pam_acct_mgmt (pamh, 0);
-	}
-
-	if (PAM_SUCCESS != retval) {
-		fprintf (stderr, _("%s: PAM: %s\n"),
-		         Prog, pam_strerror (pamh, retval));
-		SYSLOG((LOG_ERR, "%s", pam_strerror (pamh, retval)));
-		if (NULL != pamh) {
-			(void) pam_end (pamh, retval);
-		}
-		fail_exit (E_NOPERM);
-	}
-	(void) pam_end (pamh, retval);
-#endif /* USE_PAM */
-#endif /* ACCT_TOOLS_SETUID */
 }
 /*