From 85463e754d726a92d68f64f53a90077adeb5f470 Mon Sep 17 00:00:00 2001 From: nekral-guest Date: Sat, 17 Nov 2007 22:02:22 +0000 Subject: [PATCH] Refuse to unlock an account when it would result in a passwordless account. Based on Openwall's patch shadow-4.0.4.1-owl-usermod-unlock.diff --- ChangeLog | 6 ++++++ NEWS | 2 ++ src/usermod.c | 8 ++++++++ 3 files changed, 16 insertions(+) diff --git a/ChangeLog b/ChangeLog index a884f4dd..387aa271 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2007-11-17 Nicolas François + + * NEWS, src/usermod.c: Refuse to unlock an account when it would + result in a passwordless account. Based on Openwall's patch + shadow-4.0.4.1-owl-usermod-unlock.diff. + 2007-11-17 Nicolas François * src/userdel.c (path_prefix): Make sure that the prefix is the diff --git a/NEWS b/NEWS index fc049f36..91faa6fc 100644 --- a/NEWS +++ b/NEWS @@ -41,6 +41,8 @@ shadow-4.0.18.1 -> shadow-4.0.18.2 UNRELEASED were always missing. - su: Avoid terminating the PAM library in the forked child. This is done later in the parent after closing the PAM session. +- usermod: Refuse to unlock an account when it would result in a + passwordless account. *** documentation: - Generate the translated manpages from PO at build time. diff --git a/src/usermod.c b/src/usermod.c index 885dadae..074b3e37 100644 --- a/src/usermod.c +++ b/src/usermod.c @@ -326,6 +326,14 @@ static char *new_pw_passwd (char *pw_pass, const char *pw_name) } else if (Uflg && pw_pass[0] == '!') { char *s; + if (pw_pass[1] == '\0') { + fprintf (stderr, + _("%s: unlocking the user would result in a passwordless account.\n" + "You should set a password with usermod -p to unlock this user account.\n"), + Prog); + return pw_pass; + } + #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "updating password", user_newname, user_newid, 0);