Refuse to unlock an account when it would result in a passwordless

account. Based on Openwall's patch shadow-4.0.4.1-owl-usermod-unlock.diff
2007-11-17 22:02:22 +00:00 · 2007-11-17 22:02:22 +00:00 · 85463e754d
commit 85463e754d
parent 5e438aa46c
3 changed files with 16 additions and 0 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
+2007-11-17  Nicolas François  <nicolas.francois@centraliens.net>
+
+	* NEWS, src/usermod.c: Refuse to unlock an account when it would
+	result in a passwordless account.  Based on Openwall's patch
+	shadow-4.0.4.1-owl-usermod-unlock.diff.
+
 2007-11-17  Nicolas François  <nicolas.francois@centraliens.net>

 	* src/userdel.c (path_prefix): Make sure that the prefix is the
--- a/2
+++ b/2
@ -41,6 +41,8 @@ shadow-4.0.18.1 -> shadow-4.0.18.2					UNRELEASED
  were always missing.
 - su: Avoid terminating the PAM library in the forked child. This is done
  later in the parent after closing the PAM session.
+- usermod: Refuse to unlock an account when it would result in a
+  passwordless account.

 *** documentation:
 - Generate the translated manpages from PO at build time.
--- a/src/usermod.c
+++ b/src/usermod.c
@ -326,6 +326,14 @@ static char *new_pw_passwd (char *pw_pass, const char *pw_name)
 	} else if (Uflg && pw_pass[0] == '!') {
 		char *s;

+		if (pw_pass[1] == '\0') {
+			fprintf (stderr,
+				 _("%s: unlocking the user would result in a passwordless account.\n"
+				   "You should set a password with usermod -p to unlock this user account.\n"),
+				 Prog);
+			return pw_pass;
+		}
+
 #ifdef WITH_AUDIT
 		audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "updating password",
 			      user_newname, user_newid, 0);