* src/pwck.c: Warn if an user has an entry in passwd and shadow,

and the password field in passwd is not 'x'. * src/grpck.c: Warn if a group has an entry in group and gshadow, and the password field in group is not 'x'.
2009-05-09 21:20:54 +00:00 · 2009-05-09 21:20:54 +00:00 · a01499179f
commit a01499179f
parent 6ba7fd7d13
4 changed files with 31 additions and 0 deletions
--- a/7
+++ b/7
@ -1,3 +1,10 @@
+2009-05-09  Nicolas François  <nicolas.francois@centraliens.net>
+
+	* src/pwck.c: Warn if an user has an entry in passwd and shadow,
+	and the password field in passwd is not 'x'.
+	* src/grpck.c: Warn if a group has an entry in group and gshadow,
+	and the password field in group is not 'x'.
+
 2009-05-09  Nicolas François  <nicolas.francois@centraliens.net>

 	* man/login.defs.d/ENCRYPT_METHOD.xml,
--- a/6
+++ b/6
@ -14,6 +14,9 @@ shadow-4.1.3.1 -> shadow-4.1.3.2					UNRELEASED
    policy in a central place. The -c/--crypt-method, -e/--encrypted,
    -m/--md5 and -s/--sha-rounds options are no more supported on PAM
    enabled systems.
+- grpck
+  * Warn if a group has an entry in group and gshadow, and the password
+    field in group is not 'x'.
 - login
  * Do not trust the current utmp entry's ut_line to set PAM_TTY. This could
    lead to DOS attacks.
@ -25,6 +28,9 @@ shadow-4.1.3.1 -> shadow-4.1.3.2					UNRELEASED
  * Change the passwords using PAM. This permits to define the password
    policy in a central place. The -c/--crypt-method and -s/--sha-rounds
    options are no more supported on PAM enabled systems.
+- pwck
+  * Warn if an user has an entry in passwd and shadow, and the password
+    field in passwd is not 'x'.

 *** translation
 - Updated Czech translation
--- a/src/grpck.c
+++ b/src/grpck.c
@ -627,6 +627,15 @@ static void check_grp_file (int *errors, bool *changed)
 				compare_members_lists (grp->gr_name,
 				                       grp->gr_mem, sgr->sg_mem,
 				                       grp_file, sgr_file);
+
+				/* The group entry has a gshadow counterpart.
+				 * Make sure no passwords are in group.
+				 */
+				if (strcmp (grp->gr_passwd, SHADOW_PASSWD_STRING) != 0) {
+					printf (_("group %s has an entry in %s, but its password field in %s is not set to 'x'\n"),
+					        grp->gr_name, sgr_file, grp_file);
+					*errors += 1;
+				}
 			}
 		}
 #endif
--- a/src/pwck.c
+++ b/src/pwck.c
@ -497,6 +497,15 @@ static void check_pw_file (int *errors, bool *changed)
 						exit (E_CANTUPDATE);
 					}
 				}
+			} else {
+				/* The passwd entry has a shadow counterpart.
+				 * Make sure no passwords are in passwd.
+				 */
+				if (strcmp (pwd->pw_passwd, SHADOW_PASSWD_STRING) != 0) {
+					printf (_("user %s has an entry in %s, but its password field in %s is not set to 'x'\n"),
+					        pwd->pw_name, spw_file, pwd_file);
+					*errors += 1;
+				}
 			}
 		}
 	}