From b865e14f255e3eb3e3fe2c86dde5888a4caa6c1c Mon Sep 17 00:00:00 2001 From: Haelwenn Monnier Date: Mon, 29 Mar 2021 05:16:03 +0200 Subject: [PATCH] login & su: Treat an empty passwd field as invalid (#315) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * login & su: Treat an empty passwd field as invalid Otherwise it's treated like the “require no password” clause while it probably should be treated like a normal su that can't validate anyway. A similar change should be done for USE_PAM. * su & login: Introduce PREVENT_NO_AUTH --- etc/login.defs | 9 +++++++++ lib/getdef.c | 1 + src/login.c | 13 +++++++++++++ src/su.c | 15 +++++++++++++++ 4 files changed, 38 insertions(+) diff --git a/etc/login.defs b/etc/login.defs index fe206812..dbeffa64 100644 --- a/etc/login.defs +++ b/etc/login.defs @@ -458,3 +458,12 @@ USERGROUPS_ENAB yes # primary group. # #GRANT_AUX_GROUP_SUBIDS yes + +# +# Prevents an empty password field to be interpreted as "no authentication +# required". +# Set to "yes" to prevent for all accounts +# Set to "superuser" to prevent for UID 0 / root (default) +# Set to "no" to not prevent for any account (dangerous, historical default) + +PREVENT_NO_AUTH superuser diff --git a/lib/getdef.c b/lib/getdef.c index 909ee45f..eaf6b48f 100644 --- a/lib/getdef.c +++ b/lib/getdef.c @@ -164,6 +164,7 @@ static struct itemdef def_table[] = { #endif {"FORCE_SHADOW", NULL}, {"GRANT_AUX_GROUP_SUBIDS", NULL}, + {"PREVENT_NO_AUTH", NULL}, {NULL, NULL} }; diff --git a/src/login.c b/src/login.c index 00508cd5..be84a884 100644 --- a/src/login.c +++ b/src/login.c @@ -978,6 +978,19 @@ int main (int argc, char **argv) || ('*' == user_passwd[0])) { failed = true; } + + if (strcmp (user_passwd, "") == 0) { + char *prevent_no_auth = getdef_str("PREVENT_NO_AUTH"); + if(prevent_no_auth == NULL) { + prevent_no_auth = "superuser"; + } + if(strcmp(prevent_no_auth, "yes") == 0) { + failed = true; + } else if( (pwd->pw_uid == 0) + && (strcmp(prevent_no_auth, "superuser") == 0)) { + failed = true; + } + } } if (strcmp (user_passwd, SHADOW_PASSWD_STRING) == 0) { diff --git a/src/su.c b/src/su.c index cea3f155..0f3cd793 100644 --- a/src/su.c +++ b/src/su.c @@ -505,6 +505,21 @@ static void check_perms_nopam (const struct passwd *pw) return; } + if (strcmp (pw->pw_passwd, "") == 0) { + char *prevent_no_auth = getdef_str("PREVENT_NO_AUTH"); + if(prevent_no_auth == NULL) { + prevent_no_auth = "superuser"; + } + if(strcmp(prevent_no_auth, "yes") == 0) { + fprintf(stderr, _("Password field is empty, this is forbidden for all accounts.\n")); + exit(1); + } else if( (pw->pw_uid == 0) + && (strcmp(prevent_no_auth, "superuser") == 0)) { + fprintf(stderr, _("Password field is empty, this is forbidden for super-user.\n")); + exit(1); + } + } + /* * BSD systems only allow "wheel" to SU to root. USG systems don't, * so we make this a configurable option.