Refuse to unlock an account when it would result in a passwordless

account.  Based on Openwall's patch shadow-4.0.4.1-owl-usermod-unlock.diff

ChangeLog

@@ -1,3 +1,9 @@
+2007-11-17  Nicolas François  <nicolas.francois@centraliens.net>
+
+	* NEWS, src/usermod.c: Refuse to unlock an account when it would
+	result in a passwordless account.  Based on Openwall's patch
+	shadow-4.0.4.1-owl-usermod-unlock.diff.
+
 2007-11-17  Nicolas François  <nicolas.francois@centraliens.net>
 
 	* src/userdel.c (path_prefix): Make sure that the prefix is the

NEWS

@@ -41,6 +41,8 @@ shadow-4.0.18.1 -> shadow-4.0.18.2					UNRELEASED
   were always missing.
 - su: Avoid terminating the PAM library in the forked child. This is done
   later in the parent after closing the PAM session.
+- usermod: Refuse to unlock an account when it would result in a
+  passwordless account.
 
 *** documentation:
 - Generate the translated manpages from PO at build time.

src/usermod.c

@@ -326,6 +326,14 @@ static char *new_pw_passwd (char *pw_pass, const char *pw_name)
 	} else if (Uflg && pw_pass[0] == '!') {
 		char *s;
 
+		if (pw_pass[1] == '\0') {
+			fprintf (stderr,
+				 _("%s: unlocking the user would result in a passwordless account.\n"
+				   "You should set a password with usermod -p to unlock this user account.\n"),
+				 Prog);
+			return pw_pass;
+		}
+
 #ifdef WITH_AUDIT
 		audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "updating password",
 			      user_newname, user_newid, 0);