Refuse to unlock an account when it would result in a passwordless account. Based on Openwall's patch shadow-4.0.4.1-owl-usermod-unlock.diff
nekral-guest 2007-11-17 22:02:22 +00:00
parent 5e438aa46c
commit 85463e754d
3 changed files with 16 additions and 0 deletions


@ -1,3 +1,9 @@
2007-11-17 Nicolas François <nicolas.francois@centraliens.net>
* NEWS, src/usermod.c: Refuse to unlock an account when it would
result in a passwordless account. Based on Openwall's patch
shadow-4.0.4.1-owl-usermod-unlock.diff.
2007-11-17 Nicolas François <nicolas.francois@centraliens.net> 2007-11-17 Nicolas François <nicolas.francois@centraliens.net>
* src/userdel.c (path_prefix): Make sure that the prefix is the * src/userdel.c (path_prefix): Make sure that the prefix is the
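Review bot: the new ChangeLog entry names only the file `src/usermod.c`, while the entry directly below it names the function too, as in `src/userdel.c (path_prefix)`. Writing `src/usermod.c (new_pw_passwd)` would follow the same convention and point readers at the function that gained the check.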

2
NEWS

@ -41,6 +41,8 @@ shadow-4.0.18.1 -> shadow-4.0.18.2 UNRELEASED
were always missing. were always missing.
- su: Avoid terminating the PAM library in the forked child. This is done - su: Avoid terminating the PAM library in the forked child. This is done
later in the parent after closing the PAM session. later in the parent after closing the PAM session.
- usermod: Refuse to unlock an account when it would result in a
passwordless account.
*** documentation: *** documentation:
- Generate the translated manpages from PO at build time. - Generate the translated manpages from PO at build time.


@ -326,6 +326,14 @@ static char *new_pw_passwd (char *pw_pass, const char *pw_name)
} else if (Uflg && pw_pass[0] == '!') { } else if (Uflg && pw_pass[0] == '!') {
char *s; char *s;
if (pw_pass[1] == '\0') {
fprintf (stderr,
_("%s: unlocking the user would result in a passwordless account.\n"
"You should set a password with usermod -p to unlock this user account.\n"),
Prog);
return pw_pass;
}
#ifdef WITH_AUDIT #ifdef WITH_AUDIT
audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "updating password", audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "updating password",
user_newname, user_newid, 0); user_newname, user_newid, 0);
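Review bot: the early `return pw_pass;` in the new `pw_pass[1] == '\0'` branch hands back the unchanged string, so as far as this hunk shows the caller has no way to tell a refused unlock from a completed one; the only signal is the message on stderr. The refusal also returns before the `audit_logger` call under `WITH_AUDIT`, so a rejected unlock attempt leaves no audit record. Consider propagating a failure to the caller so the command can exit non-zero, and logging the refused attempt, so scripts and monitoring can see that the account stayed locked.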