emo/shadow
1
0
Fork 0
Code Issues Pull Requests Packages Releases Activity
2,941 Commits 1 Branch 1 Tag
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Alejandro Colomar 5c5dc75641 libmisc: agetpass(): Fix bug detecting truncation 
On 2/19/23 18:09, David Mudrich wrote:
> I am working on a RAM based Linux OS from source, and try to use
> latest versions of all software.  I found shadow needs libbsd's
> readpassphrase(3) as superior alternative to getpass(3).  While
> considering if I a) include libbsd, or include libbsd's code of
> readpassphrase(3) into shadow, found, that libbsd's readpassphrase(3)
> never returns \n or \r
> <https://cgit.freedesktop.org/libbsd/tree/src/readpassphrase.c>
> line 122, while agetpass() uses a check for \n in agetpass.c line 108.
> I assume it always fails.

Indeed, it always failed.  I made a mistake when writing agetpass(),
assuming that readpassphrase(3) would keep newlines.

>
> I propose a check of len == PASS_MAX - 1, with false positive error for
> exactly PASS_MAX - 1 long passwords.

Instead, I added an extra byte to the allocation to allow a maximum
password length of PASS_MAX (which is the maximum for getpass(3), which
we're replacing.

While doing that, I notice that my previous implementation also had
another bug (minor): The maximum password length was PASS_MAX - 1
instead of PASS_MAX.  That's also fixed in this commit.

Reported-by: David Mudrich <dmudrich@gmx.de>
Fixes: 155c9421b935 ("libmisc: agetpass(), erase_pass(): Add functions for getting passwords safely")
Cc: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
2023-02-20 12:16:01 +01:00
.builds
.github
run on github runner
2023-02-09 09:55:04 -06:00
contrib
Remove superfluous casts
2023-02-09 10:03:03 -06:00
doc
docs
etc
lib
Add stpecpy()
2023-02-16 11:29:33 +01:00
libmisc
libmisc: agetpass(): Fix bug detecting truncation
2023-02-20 12:16:01 +01:00
libsubid
Remove superfluous casts
2023-02-09 10:03:03 -06:00
man
Fix VPATH build
2023-02-13 10:01:17 +01:00
po
src
Fix grammar
2023-02-16 13:23:08 -06:00
tests
.gitignore
.travis.yml
acinclude.m4
AUTHORS.md
autogen.sh
ChangeLog
configure.ac
Add stpecpy()
2023-02-16 11:29:33 +01:00
COPYING
Makefile.am
NEWS
README
README.md
SECURITY.md
shadow.spec.in
TODO

README.md

shadow-utils

Introduction

The shadow-utils package includes the necessary programs for converting UNIX password files to the shadow password format, plus programs for managing user and group accounts. The pwconv command converts passwords to the shadow password format. The pwunconv command unconverts shadow passwords and generates a passwd file (a standard UNIX password file). The pwck command checks the integrity of password and shadow files. The lastlog command prints out the last login times for all users. The useradd, userdel, and usermod commands are used for managing user accounts. The groupadd, groupdel, and groupmod commands are used for managing group accounts.

Sites

Contacts

There are several ways to contact us:

Mailing archives

Authors and maintainers

Authors and maintainers are listed in AUTHORS.md.

Description
No description provided
Readme 20 MiB
Languages
Shell 57.1%
C 40.6%
M4 0.9%
Yacc 0.8%
Makefile 0.4%
Other 0.1%