Source of passwd error messages

I am testing if the passwd command could run if the setuid bit is disabled. I disabled the setuid by running the following command:

chmod 0554 /bin/passwd

After doing so, I tested if the passwd command would still be able to function. But as expected, it didn’t. Instead, it gave me the following errors:

passwd: Authentication token manipulation error

passwd: password unchanged

I tried to look for these error messages in the source code, but I couldn’t find them in this file. Can anyone please direct me to find the source file that contains the error messages shown above?

Asked By: Tomas

||
Source

The first error message is from the PAM library, see e.g. https://github.com/linux-pam/linux-pam/blob/master/libpam/pam_strerror.c

const char *pam_strerror(pam_handle_t *pamh UNUSED, int errnum)
{
    switch (errnum) {
/* ... */
    case PAM_AUTHTOK_ERR:
      return _("Authentication token manipulation error");
/* ... */
    }

    return _("Unknown PAM error");
}

A search in the linked Git repository finds the second error message in
https://github.com/shadow-maint/shadow/blob/master/libmisc/pam_pass.c

This is the function that prints both error messages:

void do_pam_passwd (const char *user, bool silent, bool change_expired)
{
    pam_handle_t *pamh = NULL;
    int flags = 0, ret;
    FILE *shadow_logfd = log_get_logfd();

    if (silent)
        flags |= PAM_SILENT;
    if (change_expired)
        flags |= PAM_CHANGE_EXPIRED_AUTHTOK;

    ret = pam_start ("passwd", user, &conv, &pamh);
    if (ret != PAM_SUCCESS) {
        fprintf (shadow_logfd,
             _("passwd: pam_start() failed, error %dn"), ret);
        exit (10);  /* XXX */
    }

    ret = pam_chauthtok (pamh, flags);
    if (ret != PAM_SUCCESS) {
        fprintf (shadow_logfd, _("passwd: %sn"), pam_strerror (pamh, ret));
        fputs (_("passwd: password unchangedn"), shadow_logfd);
        pam_end (pamh, ret);
        exit (10);  /* XXX */
    }

    fputs (_("passwd: password updated successfullyn"), shadow_logfd);
    (void) pam_end (pamh, PAM_SUCCESS);
}
Answered By: Bodo

Firstly, I hope you’re doing that for educational experience, and not because you think it will improve security or something (it would make it much worse!)

That being said, few pointers to handling that and similar situation in the future generically:

  • strace -ff -efile passwd will show you what files passwd(1) is trying to access, including which libraries and extra executables are being used etc.
  • then you can find source files for that commands and libraries (via dpkg -S /path/to/file and apt-get source packagename on Debian derivatives like Ubuntu)
  • then you can grep(1) those sources for those messages that the command spewed out.
Answered By: Matija Nalis
Categories: Answers Tags: , , , ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.