[PATCH & RFC] avoid libbb/correct_password.c to disclose info about system

Denis Vlasenko vda.linux at googlemail.com
Tue Jul 3 10:14:35 UTC 2007


On Tuesday 03 July 2007 08:41, Tito wrote:
> On Tuesday 03 July 2007 08:11:42 Denis Vlasenko wrote:
> > On Tuesday 03 July 2007 00:08, Tito wrote:
> > > Hi,
> > > I noticed that our password-checking routine in correct_password.c
> > > behaves differently than the real login app.
> > > In case support for shadow passwords is enabled and
> > > /etc/shadow is missing, it complains with an error message:
> > > 
> > > "no valid shadow password, checking ordinary one"
> > >
> > > thus disclosing information about the state of the system.
> > > I think it should instead fake an incorrect login.
> > > A patch is attached; comments and criticism are welcome.
> > 
> > With this patch, you *require* admin to keep passwords in /etc/shadow.
> Why?
> 
> +       if (LONE_CHAR(pw->pw_passwd, 'x') || LONE_CHAR(pw->pw_passwd, '*'))
> +               correct = (getspnam_r(pw->pw_name, &spw, buffer, sizeof(buffer), &result)) ? "aa" : spw.sp_pwdp;
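Review bot: the `result` pointer handed to getspnam_r() is never examined, so this hunk cannot tell "entry not found" apart from "entry found". With glibc the reentrant lookup functions can return 0 and store NULL in `*result` when the name is absent from /etc/shadow, and in that case `spw.sp_pwdp` is read from an uninitialised struct instead of falling back to the fake hash. Suggest `correct = (getspnam_r(pw->pw_name, &spw, buffer, sizeof(buffer), &result) != 0 || result == NULL) ? "aa" : spw.sp_pwdp;`, and a short comment stating that "aa" is a deliberately unmatchable hash so the subsequent comparison fails without revealing whether the shadow entry or /etc/shadow itself exists.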
> 
> It's the admin himself that is saying through 'x' or '*' that he wants to use shadow passwords.
> If you put a real password in pw->pw_passwd this code is not executed.

Oops... my brainfart, you're right. Will fix in svn in a few minutes.
--
vda



More information about the busybox mailing list