Go to file
Alejandro Colomar 5c5dc75641 libmisc: agetpass(): Fix bug detecting truncation
On 2/19/23 18:09, David Mudrich wrote:
> I am working on a RAM based Linux OS from source, and try to use
> latest versions of all software.  I found shadow needs libbsd's
> readpassphrase(3) as superior alternative to getpass(3).  While
> considering if I a) include libbsd, or include libbsd's code of
> readpassphrase(3) into shadow, found, that libbsd's readpassphrase(3)
> never returns \n or \r
> <https://cgit.freedesktop.org/libbsd/tree/src/readpassphrase.c>
> line 122, while agetpass() uses a check for \n in agetpass.c line 108.
> I assume it always fails.

Indeed, it always failed.  I made a mistake when writing agetpass(),
assuming that readpassphrase(3) would keep newlines.

>
> I propose a check of len == PASS_MAX - 1, with false positive error for
> exactly PASS_MAX - 1 long passwords.

Instead, I added an extra byte to the allocation to allow a maximum
password length of PASS_MAX (which is the maximum for getpass(3), which
we're replacing.

While doing that, I notice that my previous implementation also had
another bug (minor): The maximum password length was PASS_MAX - 1
instead of PASS_MAX.  That's also fixed in this commit.

Reported-by: David Mudrich <dmudrich@gmx.de>
Fixes: 155c9421b9 ("libmisc: agetpass(), erase_pass(): Add functions for getting passwords safely")
Cc: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
2023-02-20 12:16:01 +01:00
.builds CI: add libbsd and pkg-config dependencies 2022-11-28 09:07:41 -06:00
.github run on github runner 2023-02-09 09:55:04 -06:00
contrib Remove superfluous casts 2023-02-09 10:03:03 -06:00
doc Remove traces of utmpx 2022-12-22 10:31:43 +01:00
docs fix spelling and unify whitespace 2021-08-18 18:06:02 +00:00
etc fix PAM service files --without-selinux 2022-03-04 08:51:20 -06:00
lib Add stpecpy() 2023-02-16 11:29:33 +01:00
libmisc libmisc: agetpass(): Fix bug detecting truncation 2023-02-20 12:16:01 +01:00
libsubid Remove superfluous casts 2023-02-09 10:03:03 -06:00
man Fix VPATH build 2023-02-13 10:01:17 +01:00
po Assume getutent(3) exists (remove dead code) 2023-02-08 17:21:34 +01:00
src Fix grammar 2023-02-16 13:23:08 -06:00
tests tests: print default timeout message to stderr 2023-02-09 09:55:04 -06:00
.gitignore Show libsubid api version in subid.h 2021-12-05 08:02:57 -06:00
.travis.yml subids: support nsswitch 2021-04-16 21:02:37 -05:00
acinclude.m4 configure: replace obsolete autoconf macros 2022-05-10 09:55:18 +02:00
AUTHORS.md AUTHORS: improve markdown output 2022-03-18 16:10:51 -05:00
autogen.sh undo accidental autogen.sh commit: enable-shared 2021-11-27 14:56:03 -06:00
ChangeLog fix typo 2023-01-12 12:10:57 +01:00
configure.ac Add stpecpy() 2023-02-16 11:29:33 +01:00
COPYING Update licensing info 2021-12-23 19:36:50 -06:00
Makefile.am fix spelling and unify whitespace 2021-08-18 18:06:02 +00:00
NEWS fix typo 2023-01-12 12:10:57 +01:00
README Add README as symlink to README.md 2021-12-19 14:09:08 -06:00
README.md README: update content and format 2021-11-22 15:31:54 +01:00
SECURITY.md Add Christian Brauner to SECURITY.md 2021-10-25 14:26:37 -05:00
shadow.spec.in
TODO fix spelling and unify whitespace 2021-08-18 18:06:02 +00:00

shadow-utils

Introduction

The shadow-utils package includes the necessary programs for converting UNIX password files to the shadow password format, plus programs for managing user and group accounts. The pwconv command converts passwords to the shadow password format. The pwunconv command unconverts shadow passwords and generates a passwd file (a standard UNIX password file). The pwck command checks the integrity of password and shadow files. The lastlog command prints out the last login times for all users. The useradd, userdel, and usermod commands are used for managing user accounts. The groupadd, groupdel, and groupmod commands are used for managing group accounts.

Sites

Contacts

There are several ways to contact us:

Mailing archives

Authors and maintainers

Authors and maintainers are listed in AUTHORS.md.