pam: Allow only root to change shells and user info.

Since changing user info and shells for ldap users is not supported by
chfn and chsh anyway, and we have no real users that are not in ldap,
limiting this to just root makes sense.

diff --git a/etc/pam.d/chfn b/etc/pam.d/chfn
index 10fcf07b12cc75d9f23dad40a434f9149ee76ec1..efbc34b954757ea2d8c7daa4a6f8d80b34bdaa10 100644 (file)
--- a/etc/pam.d/chfn
+++ b/etc/pam.d/chfn
@@ -2,15 +2,5 @@
 # The PAM configuration file for the Shadow `chfn' service
 #
 
-# This allows root to change user infomation without being
-# prompted for a password
-auth           sufficient      pam_rootok.so
-
-# The standard Unix authentication modules, used with
-# NIS (man nsswitch) as well as normal /etc/passwd and
-# /etc/shadow entries.
-@include common-auth
-@include common-account
-@include common-session
-
-
+# This allows only root to change user infomation at all.
+auth           required        pam_rootok.so

diff --git a/etc/pam.d/chsh b/etc/pam.d/chsh
index 7eb604d722d38a00bc6b487f5049a3d00dd73a1c..2458371d01061002f94647cf223b5b87e3426da9 100644 (file)
--- a/etc/pam.d/chsh
+++ b/etc/pam.d/chsh
@@ -2,19 +2,5 @@
 # The PAM configuration file for the Shadow `chsh' service
 #
 
-# This will not allow a user to change their shell unless
-# their current one is listed in /etc/shells. This keeps
-# accounts with special shells from changing them.
-auth       required   pam_shells.so
-
-# This allows root to change user shell without being
-# prompted for a password
-auth           sufficient      pam_rootok.so
-
-# The standard Unix authentication modules, used with
-# NIS (man nsswitch) as well as normal /etc/passwd and
-# /etc/shadow entries.
-@include common-auth
-@include common-account
-@include common-session
-
+# This allows only root to change user shells at all.
+auth           required        pam_rootok.so