[PATCH alternative] sulogin: fix FEATURE_SHADOWPASSWDS sematics

Tito farmatito at tiscali.it
Sun Nov 17 08:31:59 UTC 2013


On Saturday 16 November 2013 22:55:16 Harald Becker wrote:
> Hi Tito !
> 
> On 16-11-2013 22:03 Tito <farmatito at tiscali.it> wrote:
> >usually passwd sets password field to x in /etc/passwd if
> >password field in /etc/shadow is used so in a correctly managed
> >system there should not be empty password fields at all.
> >
> >I wonder at this point if it could be acceptable for sulogin to
> >rather act the same way as libbb's correct_passwd function does
> >in login and su to check in /etc/passwd if the passwd field is
> >set to 'x' and use /etc/shadow only in that case. 
> 
> You are correct, but there is another case which is required to
> be checked. For some reasons there are programs setting password
> in /etc/passwd to a single exclamation sign (!), which if used
> as first character of password signals disabled account.
> 
> It would be best to check password to be either empty or an entry
> of at least 3 (may be more?) characters, with short entries
> meaning not to accept any password entry (except on empty entry,
> which signals no password).
Hi,

if ((pwd->pw_passwd[0] == 'x' || pwd->pw_passwd[0] == '*') && !pwd->pw_passwd[1]) 

we do it the other way but same result 
(not empty, just one char equal to 'x' or '*' then use shadowpass)
 

The escalmatio sign case is the one i pointed out and that has still to be implemented:

	"If the root account is locked (!), no password prompt is displayed
 	and sulogin behaves as if the correct password were entered."

	This feature is missing in busybox: is it worth to be implemented?

I think this is rather easy to implement once there is agreement on how
to resolve the main issue.

> --
> Harald
>

Ciao,
Tito


More information about the busybox mailing list