meta-google: Fix common-password to allow password change
Commit 951f1aabea4c8683cda113e743b68ad2dfd57fa8 removed the entry for
pam_cracklib.so from common-password. This resulted in the next entry in
the file to become the first module. However, as it still contained the
use_authtok flag, this forced the module to not prompt the user for a
new password and instead attempt to use the one provided by the
previously stacked password module. Since there is no previous stacked
password module, the process just fails.
This change adds code to remove the use_authtok entry from the first
password module to fix this issue.
Tested: Check that passwords can be changed again via "passwd".
Signed-off-by: Oskar Senft <osk@google.com>
Change-Id: Id88302732fe9d4c6e6c8cbb0004271d6ea2ac340
diff --git a/meta-google/recipes-extended/pam/libpam_%.bbappend b/meta-google/recipes-extended/pam/libpam_%.bbappend
index 287dab7..d57b0ea 100644
--- a/meta-google/recipes-extended/pam/libpam_%.bbappend
+++ b/meta-google/recipes-extended/pam/libpam_%.bbappend
@@ -12,4 +12,17 @@
do_install:append:gbmc() {
# Remove reference to cracklib library from PAM config file
sed -i '/pam_cracklib.so/d' ${D}${sysconfdir}/pam.d/common-password
+
+ # Remove the first occurrence of "use_authtok" in the first line starting
+ # with "password". This makes sure that if pam_cracklib.so was the first
+ # entry, we didn't invalidate the next entry in the stack. If the first
+ # entry has the "use_authtok" set, this "forces the module to not prompt
+ # the user for a new password but use the one provided by the previously
+ # stacked password module". Since there is no "previous" entry, it never
+ # asks for a password which causes the process to fail.
+ awk '/^password/ && !f{sub(/ use_authtok/, ""); f=1} 1' \
+ ${D}${sysconfdir}/pam.d/common-password \
+ > ${D}${sysconfdir}/pam.d/common-password.new
+ mv ${D}${sysconfdir}/pam.d/common-password.new \
+ ${D}${sysconfdir}/pam.d/common-password
}