From be9653e724e667b5fc9cf18678b2fe99e9b2b085 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Tue, 30 Dec 2008 11:36:39 +0100
Subject: [PATCH] pam: Allow only root to change shells and user info.

Since changing user info and shells for ldap users is not supported by chfn and chsh anyway, and we have no real users that are not in ldap, limiting this to just root makes sense.
---
 etc/pam.d/chfn | 14 ++------------
 etc/pam.d/chsh | 18 ++----------------
 2 files changed, 4 insertions(+), 28 deletions(-)

diff --git a/etc/pam.d/chfn b/etc/pam.d/chfn
index 10fcf07..efbc34b 100644
--- a/etc/pam.d/chfn
+++ b/etc/pam.d/chfn
@@ -2,15 +2,5 @@
 # The PAM configuration file for the Shadow `chfn' service
 #
 
-# This allows root to change user infomation without being
-# prompted for a password
-auth sufficient pam_rootok.so
-
-# The standard Unix authentication modules, used with
-# NIS (man nsswitch) as well as normal /etc/passwd and
-# /etc/shadow entries.
-@include common-auth
-@include common-account
-@include common-session
-
-
+# This allows only root to change user infomation at all.
+auth required pam_rootok.so
diff --git a/etc/pam.d/chsh b/etc/pam.d/chsh
index 7eb604d..2458371 100644
--- a/etc/pam.d/chsh
+++ b/etc/pam.d/chsh
@@ -2,19 +2,5 @@
 # The PAM configuration file for the Shadow `chsh' service
 #
 
-# This will not allow a user to change their shell unless
-# their current one is listed in /etc/shells. This keeps
-# accounts with special shells from changing them.
-auth required pam_shells.so
-
-# This allows root to change user shell without being
-# prompted for a password
-auth sufficient pam_rootok.so
-
-# The standard Unix authentication modules, used with
-# NIS (man nsswitch) as well as normal /etc/passwd and
-# /etc/shadow entries.
-@include common-auth
-@include common-account
-@include common-session
-
+# This allows only root to change user shells at all.
+auth required pam_rootok.so
-- 
2.30.2
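Review bot: The new etc/pam.d/chfn keeps only an `auth` line, so the account and session stacks that `@include common-account` and `@include common-session` used to provide are no longer defined for this service. With Linux-PAM, a service file that has no entries for a facility falls back to `/etc/pam.d/other` for it, so if chfn runs the account phase (shadow's chfn appears to), the outcome now depends on whatever `other` contains rather than on this file. Keeping `@include common-account` below the `auth required pam_rootok.so` line, or adding an explicit `account` entry, would make the policy self-contained; the same applies to the etc/pam.d/chsh hunk. The carried-over typo `infomation` in the new comment could be fixed at the same time.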
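Review bot: The replacement comment in etc/pam.d/chsh does not record why the stock stack was dropped, and the `pam_shells.so` check that previously ran ahead of `pam_rootok.so` disappears without mention. The rationale exists only in the commit message, so someone later comparing this file with the distribution default has nothing in the file showing the deviation is deliberate. I would extend the comment to something like `# Only root may change shells: chsh cannot modify LDAP accounts and all real users are in LDAP; pam_shells is intentionally not used.`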