Comment 25 for bug 307019

After asking on the D-Bus list, Thiago Macieira told me that it was safe to send the plain text password over the bus, as long as we're on the same host (which is always the case AFAIK), and that we're using the system bus. So I think I'll make that change in the next cycle, so that we use PAM or passwd (any reason to prefer one over the other?).

This won't solve the present bug actually, but I guess I'll also special-case the current user so that we ask for the old password, and run passwd unprivileged then. But that leaves a breach when you change a user's password as administrator. We could still send the old password to the backends (if provided), which would use su to run passwd as the user. But that may be over-engineered... Not sure what would be the cleanest solution in the long term.