1 files changed, 9 insertions, 6 deletions

diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c
index 5c1d9a79a6..6bc8626d81 100644
--- a/source3/smbd/chgpasswd.c
+++ b/source3/smbd/chgpasswd.c
@@ -674,6 +674,8 @@ BOOL check_lanman_password(char *user, uchar * pass1,
  Code to change the lanman hashed password.
  It nulls out the NT hashed password as it will
  no longer be valid.
+ NOTE this function is designed to be called as root. Check the old password
+ is correct before calling. JRA.
 ************************************************************/
 
 BOOL change_lanman_password(SAM_ACCOUNT *sampass, uchar *pass2)
@@ -730,9 +732,7 @@ BOOL change_lanman_password(SAM_ACCOUNT *sampass, uchar *pass2)
 	}
  
 	/* Now flush the sam_passwd struct to persistent storage */
-	become_root();
 	ret = pdb_update_sam_account (sampass);
-	unbecome_root();
 
 	return ret;
 }
@@ -740,6 +740,7 @@ BOOL change_lanman_password(SAM_ACCOUNT *sampass, uchar *pass2)
 /***********************************************************
  Code to check and change the OEM hashed password.
 ************************************************************/
+
 NTSTATUS pass_oem_change(char *user,
 			 uchar * lmdata, uchar * lmhash,
 			 uchar * ntdata, uchar * nthash)
@@ -747,8 +748,7 @@ NTSTATUS pass_oem_change(char *user,
 	fstring new_passwd;
 	const char *unix_user;
 	SAM_ACCOUNT *sampass = NULL;
-	NTSTATUS nt_status 
-		= check_oem_password(user, lmdata, lmhash, ntdata, nthash,
+	NTSTATUS nt_status = check_oem_password(user, lmdata, lmhash, ntdata, nthash,
 				     &sampass, new_passwd, sizeof(new_passwd));
 
 	if (!NT_STATUS_IS_OK(nt_status))
@@ -765,7 +765,10 @@ NTSTATUS pass_oem_change(char *user,
 
 	unix_user = pdb_get_username(sampass);
 
+	/* We've already checked the old password here.... */
+	become_root();
 	nt_status = change_oem_password(sampass, NULL, new_passwd);
+	unbecome_root();
 
 	memset(new_passwd, 0, sizeof(new_passwd));
 
@@ -942,6 +945,8 @@ static NTSTATUS check_oem_password(const char *user,
 /***********************************************************
  Code to change the oem password. Changes both the lanman
  and NT hashes.  Old_passwd is almost always NULL.
+ NOTE this function is designed to be called as root. Check the old password
+ is correct before calling. JRA.
 ************************************************************/
 
 NTSTATUS change_oem_password(SAM_ACCOUNT *hnd, char *old_passwd, char *new_passwd)
@@ -997,9 +1002,7 @@ NTSTATUS change_oem_password(SAM_ACCOUNT *hnd, char *old_passwd, char *new_passw
 	}
 
 	/* Now write it into the file. */
-	become_root();
 	ret = pdb_update_sam_account (hnd);
-	unbecome_root();
 
 	if (!ret) {
 		return NT_STATUS_ACCESS_DENIED;