upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-05-28 04:12:45 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Remove a bogus null password check which assumed that a user with an empty

Browse source 
password must necessarily have an empty pwd->pw_passwd.  Also add a check
that prevents users from setting a blank password unless the nullok option
was specified.  Root is still allowed to give anyone a blank password.
This commit is contained in:
Dag-Erling Smørgrav 2003-04-24 12:26:25 +00:00
parent b418f48cba
commit be01d58da1
1 changed files with 8 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
lib/libpam/modules/pam_unix/pam_unix.c
View file

@ -337,8 +337,10 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
PAM_LOG("Got old password");
/* always encrypt first */
encrypted = crypt(old_pass, pwd->pw_passwd);
if ((old_pass[0] == '\0' && pwd->pw_passwd[0] != '\0') ||
strcmp(encrypted, pwd->pw_passwd) != 0)
if (old_pass[0] == '\0' &&
!pam_test_option(&options, PAM_OPT_NULLOK, NULL))
return (PAM_PERM_DENIED);
if (strcmp(encrypted, pwd->pw_passwd) != 0)
return (PAM_PERM_DENIED);
}
else if (flags & PAM_UPDATE_AUTHTOK) {
@ -364,6 +366,10 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
return (retval);
}
if (getuid() != 0 && new_pass[0] == '\0' &&
!pam_test_option(&options, PAM_OPT_NULLOK, NULL))
return (PAM_PERM_DENIED);
if ((old_pwd = pw_dup(pwd)) == NULL)
return (PAM_BUF_ERR);