login & su: Treat an empty passwd field as invalid (#315)

* login & su: Treat an empty passwd field as invalid Otherwise it's treated like the “require no password” clause while it probably should be treated like a normal su that can't validate anyway. A similar change should be done for USE_PAM. * su & login: Introduce PREVENT_NO_AUTH
2021-03-29 05:16:03 +02:00 · 2021-03-29 05:16:03 +02:00 · b865e14f25
parent 697901a328
commit b865e14f25
4 changed files with 38 additions and 0 deletions
--- a/etc/login.defs
+++ b/etc/login.defs
@ -458,3 +458,12 @@ USERGROUPS_ENAB yes
 # primary group.
 #
 #GRANT_AUX_GROUP_SUBIDS yes
+
+#
+# Prevents an empty password field to be interpreted as "no authentication
+# required".
+# Set to "yes" to prevent for all accounts
+# Set to "superuser" to prevent for UID 0 / root (default)
+# Set to "no" to not prevent for any account (dangerous, historical default)
+
+PREVENT_NO_AUTH superuser
--- a/lib/getdef.c
+++ b/lib/getdef.c
@ -164,6 +164,7 @@ static struct itemdef def_table[] = {
 #endif
 	{"FORCE_SHADOW", NULL},
 	{"GRANT_AUX_GROUP_SUBIDS", NULL},
+	{"PREVENT_NO_AUTH", NULL},
 	{NULL, NULL}
 };

--- a/src/login.c
+++ b/src/login.c
@ -978,6 +978,19 @@ int main (int argc, char **argv)
 			    || ('*' == user_passwd[0])) {
 				failed = true;
 			}
+
+			if (strcmp (user_passwd, "") == 0) {
+				char *prevent_no_auth = getdef_str("PREVENT_NO_AUTH");
+				if(prevent_no_auth == NULL) {
+					prevent_no_auth = "superuser";
+				}
+				if(strcmp(prevent_no_auth, "yes") == 0) {
+					failed = true;
+				} else if( (pwd->pw_uid == 0)
+					&& (strcmp(prevent_no_auth, "superuser") == 0)) {
+					failed = true;
+				}
+			}
 		}

 		if (strcmp (user_passwd, SHADOW_PASSWD_STRING) == 0) {
--- a/src/su.c
+++ b/src/su.c
@ -505,6 +505,21 @@ static void check_perms_nopam (const struct passwd *pw)
 		return;
 	}

+	if (strcmp (pw->pw_passwd, "") == 0) {
+		char *prevent_no_auth = getdef_str("PREVENT_NO_AUTH");
+		if(prevent_no_auth == NULL) {
+			prevent_no_auth = "superuser";
+		}
+		if(strcmp(prevent_no_auth, "yes") == 0) {
+			fprintf(stderr, _("Password field is empty, this is forbidden for all accounts.\n"));
+			exit(1);
+		} else if( (pw->pw_uid == 0)
+				&& (strcmp(prevent_no_auth, "superuser") == 0)) {
+			fprintf(stderr, _("Password field is empty, this is forbidden for super-user.\n"));
+			exit(1);
+		}
+	}
+
 	/*
 	 * BSD systems only allow "wheel" to SU to root. USG systems don't,
 	 * so we make this a configurable option.