[PATCH alternative] sulogin: fix FEATURE_SHADOWPASSWDS semantics

Denys Vlasenko vda.linux at googlemail.com
Wed Nov 20 13:16:54 UTC 2013


Add a new return value to ask_and_check_password() to signify this condition.

On Wed, Nov 20, 2013 at 2:05 PM, Tito <farmatito at tiscali.it> wrote:
> On Wednesday 20 November 2013 13:25:15 you wrote:
>> On Tue, Nov 19, 2013 at 1:58 PM, Tito <farmatito at tiscali.it> wrote:
>> >> Please try attached patch.
>> >>
>> > looks good for consolidation of the other loginutils but for sulogin
>> > it makes implementing the locked root account feature more difficult
>>
>> Why difficult?
>>
>> ...
>>         pwd = getpwuid(0);
>>         if (!pwd) {
>>                 goto auth_error;
>>         }
>> +       if (pwd->pw_passwd == "!") ...
>>         while (1) {
>>                 int r;
>>                 r = ask_and_check_password_extended(pwd, timeout,
>> ...
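
Review bot: on the added line, `pwd->pw_passwd == "!"` compares two pointers, not the string contents, so it will not detect a password field of "!". Test the first character (`pwd->pw_passwd[0] == '!'`) or use strcmp(). The test is also applied to the getpwuid() result alone, so it only sees the password field of that passwd entry.
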
>>
>>
>> > and probably also detecting an invalid root account or corrupted passwd/shadow
>> > files  so that in the worst case you could be locked out of your system.
>>
>> Does standard sulogin do something like that?
>>
> Hi,
> Because at least in Debian when using shadow passwords
> we have 'x' in /etc/passwd and '!' in /etc/shadow:
>
> grep test /etc/passwd /etc/shadow
> /etc/passwd:test:x:1004:1005:,,,:/home/test:/bin/bash
> /etc/shadow:test:!$6$5Gts7ZAs$ANBEqeEqu5fdpuCsGR042brEFZVBLL/ML1CQC2v0VyyamAwsFxTbQrIVwXNx63L/Z22MNCadbKOm8IF5CC.f6.:16029:0:99999:7:::
>
> so we need to check for '!' after having checked /etc/shadow.
> Same thing for an invalid root account with entry in /etc/passwd
> and missing entry in /etc/shadow.
>
>
> Ciao,
> Tito
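
The order of checks Tito describes (resolve 'x' through /etc/shadow first, then look for '!', and treat a missing shadow entry as its own case), as an added example that is not code from this thread or from BusyBox. `classify_account()` and the `acct_state` names are hypothetical, the sample fields are constructed, and treating '*' like '!' is an assumption taken from shadow(5), not from the thread.

```c
#include <stdio.h>
#include <string.h>

enum acct_state {
    ACCT_USABLE,      /* a hash is present and can be checked */
    ACCT_LOCKED,      /* field starts with '!' or '*': not a crypt(3) result */
    ACCT_NO_SHADOW,   /* /etc/passwd says "x" but /etc/shadow has no entry */
    ACCT_NO_PASSWORD  /* empty field: no password is set */
};

/*
 * Hypothetical helper (not a BusyBox function).
 * pw_field: password field from /etc/passwd, e.g. pwd->pw_passwd
 * sp_field: password field from /etc/shadow, e.g. sp->sp_pwdp,
 *           or NULL when getspnam() returned no entry
 */
enum acct_state classify_account(const char *pw_field, const char *sp_field)
{
    const char *hash = pw_field ? pw_field : "";

    /* "x" means the real field lives in /etc/shadow, so look there first. */
    if (strcmp(hash, "x") == 0) {
        if (sp_field == NULL)
            return ACCT_NO_SHADOW;
        hash = sp_field;
    }
    /* Compare characters: hash == "!" would test the address, not the text. */
    if (hash[0] == '!' || hash[0] == '*')
        return ACCT_LOCKED;
    if (hash[0] == '\0')
        return ACCT_NO_PASSWORD;
    return ACCT_USABLE;
}

int main(void)
{
    /* Constructed sample fields, shaped like the Debian entries quoted above. */
    static const char *const cases[][2] = {
        { "x", "!$6$constructedsalt$constructedhash" },  /* locked via shadow */
        { "x", NULL },                                   /* shadow entry missing */
        { "x", "$6$constructedsalt$constructedhash" },   /* usable */
        { "!", NULL },                                   /* locked, no shadow */
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("case %zu -> %d\n", i, classify_account(cases[i][0], cases[i][1]));
    return 0;
}
```
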