On 2021/11/08 23:37, Lewis Ingraham wrote:
> Hello, thanks for the quick response! In what way do you think the code would
> have to be changed? Can this be solved via a homemade patch or does it have
> to be an upstream patch?
It could be patched locally. There are two possible ways to patch it.

One would be a small change to use getpwuid_shadow instead of getpwuid, but this means installing it setgid _shadow, i.e. giving it access to the entire crypted password database. This way it will only be able to handle local passwords, not login_ldap / login_oath / login_fingerprint / etc.

The other way is preferable but harder to do: use bsd-auth, aka "BSD Authentication", which only requires setgid auth, which has less access to the system (specifically, it doesn't have direct access to the password database, only to a program which can test a supplied password). Also, this could support other auth methods. This is described in the auth_open(3) manual. This would be preferable but harder.

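The two approaches described in the reply above, side by side, as an added example that is not code from the thread or from the program being patched. It assumes an OpenBSD host: approach 1 calls getpwuid_shadow(3) plus crypt_checkpass(3) and only works if the binary is installed setgid _shadow (or runs as root); approach 2 calls auth_userokay(3) from the BSD Authentication API described in auth_open(3) and only needs setgid auth, because the actual check is delegated to the login_<style> programs under /usr/libexec/auth. The helper names (check_via_shadow, check_via_bsdauth, drop_setgid) are the example's own. On non-OpenBSD systems the OpenBSD-specific paths compile out and report "unavailable", so the file still builds there but can only exercise the group-dropping step.

```c
/* Added example (not from the original thread): verify the invoking user's
 * password on OpenBSD two ways, then give the borrowed group back.
 *   1) getpwuid_shadow(3) + crypt_checkpass(3): needs setgid _shadow, reads
 *      the encrypted password database directly, local passwords only.
 *   2) auth_userokay(3), "BSD Authentication" (see auth_open(3)): needs only
 *      setgid auth; the check is done by /usr/libexec/auth/login_<style>,
 *      so login_ldap, login_oath, etc. work too.
 * Whichever path is used, the setgid group is dropped right after the check
 * so the rest of the program does not keep running as auth / _shadow.
 */
#define _GNU_SOURCE            /* setresgid() and getpass() on glibc */
#include <sys/types.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __OpenBSD__
#include <bsd_auth.h>          /* auth_userokay(3) */
#endif

/* Return: 1 = password accepted, 0 = rejected, -1 = backend unavailable/error. */

/* Approach 1: compare against the shadow database ourselves.
 * getpwuid_shadow() needs read access to /etc/spwd.db, hence setgid _shadow. */
static int check_via_shadow(uid_t uid, char *password)
{
#ifdef __OpenBSD__
    struct passwd *pw = getpwuid_shadow(uid);
    if (pw == NULL || pw->pw_passwd == NULL)
        return -1;
    return crypt_checkpass(password, pw->pw_passwd) == 0 ? 1 : 0;
#else
    (void)uid; (void)password;
    return -1;                 /* OpenBSD-only API, not available here */
#endif
}

/* Approach 2: let BSD Authentication do it. style NULL = the user's login
 * class default, type NULL = the default auth type (see auth_open(3)).
 * auth_userokay() wipes the password buffer after use, so pass a writable one. */
static int check_via_bsdauth(const char *user, char *password)
{
#ifdef __OpenBSD__
    return auth_userokay((char *)user, NULL, NULL, password) ? 1 : 0;
#else
    (void)user; (void)password;
    return -1;                 /* OpenBSD-only API, not available here */
#endif
}

/* Drop back to the real gid (no-op when not installed setgid).
 * Returns 0 when the effective gid now equals the real gid, -1 otherwise. */
static int drop_setgid(void)
{
    gid_t gid = getgid();
    if (setresgid(gid, gid, gid) == -1)
        return -1;
    return getegid() == gid ? 0 : -1;
}

int main(int argc, char *argv[])
{
    const char *how = argc > 1 ? argv[1] : "bsdauth";   /* "bsdauth" or "shadow" */
    struct passwd *pw = getpwuid(getuid());             /* name only, no secret needed */
    if (pw == NULL) {
        perror("getpwuid");
        return 1;
    }
    char *pass = getpass("Password: ");
    if (pass == NULL)
        return 1;

    int ok = strcmp(how, "shadow") == 0
        ? check_via_shadow(getuid(), pass)
        : check_via_bsdauth(pw->pw_name, pass);

    /* Give the setgid group back before doing anything else. */
    if (drop_setgid() == -1) {
        perror("setresgid");
        return 1;
    }
    puts(ok == 1 ? "accepted" : ok == 0 ? "rejected" : "backend unavailable");
    return ok == 1 ? 0 : 1;
}
```

To try the BSD Authentication path as intended, install the binary as `root:auth` with mode 2555 (`chgrp auth prog; chmod 2555 prog`); for the shadow path use group `_shadow` instead. Run as an ordinary user without the setgid bit, approach 2 still fails cleanly (it cannot execute login_passwd) and approach 1 only ever sees the public `*` password field, so neither can succeed by accident.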