chage: Drop PAM support

The PAM support was only enabled with configure option
--enable-account-tools-setuid. The other account tools would use PAM
then to verify that the user is granted elevated permissions for
actions which normally only root can do.

In chage, however, any non-root user who does not specify the -l
command line option is denied access in check_perms. The check for
being root or not is done with getuid, so non-root users cannot
change user account's aging information in any possible way since
more than 18 years by now.

It's safe to say that nobody misses this non-existing feature. Biggest
benefit is to get chage out of the ACCT_TOOLS_SETUID group of tools.

Reviewed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

etc/pam.d/Makefile.am

@@ -11,7 +11,6 @@ pamd_files = \
 	passwd
 
 pamd_acct_tools_files = \
-	chage \
 	chgpasswd \
 	groupadd \
 	groupdel \

man/chage.1.xml

@@ -208,8 +208,7 @@
 	    found under the directory <replaceable>PREFIX_DIR</replaceable>.
 	    This option does not chroot and is intended for preparing a cross-compilation
 	    target.  Some limitations: NIS and LDAP users/groups are
-	    not verified.  PAM authentication is using the host files.
-	    No SELINUX support.
+	    not verified.  No SELINUX support.
 	  </para>
 	</listitem>
       </varlistentry>

src/Makefile.am

@@ -99,7 +99,7 @@ else
 LIBCRYPT_NOPAM = $(LIBCRYPT)
 endif
 
-chage_LDADD    = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) -ldl
+chage_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBECONF) -ldl
 newuidmap_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
 newgidmap_LDADD    = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCAP) $(LIBECONF) -ldl
 chfn_LDADD     = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) $(LIBECONF)

src/chage.c

@@ -19,11 +19,6 @@
 #include <stdlib.h>
 #include <sys/types.h>
 #include <time.h>
-#ifdef ACCT_TOOLS_SETUID
-#ifdef USE_PAM
-#include "pam_defs.h"
-#endif				/* USE_PAM */
-#endif				/* ACCT_TOOLS_SETUID */
 #include <pwd.h>
 
 #include "atoi/a2i/a2s.h"
@@ -474,23 +469,10 @@ static void check_flags (int argc, int opt_index)
  *	(we will later make sure that the user is only listing her aging
  *	information)
  *
- *	With PAM support, the setuid bit can be set on chage to allow
- *	non-root users to groups.
- *	Without PAM support, only users who can write in the group databases
- *	can add groups.
- *
  *	It will not return if the user is not allowed.
  */
 static void check_perms (void)
 {
-#ifdef ACCT_TOOLS_SETUID
-#ifdef USE_PAM
-	pam_handle_t *pamh = NULL;
-	struct passwd *pampw;
-	int retval;
-#endif				/* USE_PAM */
-#endif				/* ACCT_TOOLS_SETUID */
-
 	/*
 	 * An unprivileged user can ask for their own aging information, but
 	 * only root can change it, or list another user's aging
@@ -501,39 +483,6 @@ static void check_perms (void)
 		fprintf (stderr, _("%s: Permission denied.\n"), Prog);
 		fail_exit (E_NOPERM);
 	}
-
-#ifdef ACCT_TOOLS_SETUID
-#ifdef USE_PAM
-	pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */
-	if (NULL == pampw) {
-		fprintf (stderr,
-		         _("%s: Cannot determine your user name.\n"),
-		         Prog);
-		exit (E_NOPERM);
-	}
-
-	retval = pam_start (Prog, pampw->pw_name, &conv, &pamh);
-
-	if (PAM_SUCCESS == retval) {
-		retval = pam_authenticate (pamh, 0);
-	}
-
-	if (PAM_SUCCESS == retval) {
-		retval = pam_acct_mgmt (pamh, 0);
-	}
-
-	if (PAM_SUCCESS != retval) {
-		fprintf (stderr, _("%s: PAM: %s\n"),
-		         Prog, pam_strerror (pamh, retval));
-		SYSLOG((LOG_ERR, "%s", pam_strerror (pamh, retval)));
-		if (NULL != pamh) {
-			(void) pam_end (pamh, retval);
-		}
-		fail_exit (E_NOPERM);
-	}
-	(void) pam_end (pamh, retval);
-#endif				/* USE_PAM */
-#endif				/* ACCT_TOOLS_SETUID */
 }
 
 /*