login & su: Treat an empty passwd field as invalid (#315)
authorHaelwenn Monnier <contact+github.com@hacktivis.me>
Mon, 29 Mar 2021 03:16:03 +0000 (05:16 +0200)
committerGitHub <noreply@github.com>
Mon, 29 Mar 2021 03:16:03 +0000 (22:16 -0500)
* login & su: Treat an empty passwd field as invalid

Otherwise it's treated like the “require no password” clause while it probably
should be treated like a normal su that can't validate anyway.

A similar change should be done for USE_PAM.

* su & login: Introduce PREVENT_NO_AUTH

etc/login.defs
lib/getdef.c
src/login.c
src/su.c

index fe206812e8eeeee9d6555b0cee1de0f31f332404..dbeffa64913fdeeff4508ea4a21a1ea89ebfffc5 100644 (file)
@@ -458,3 +458,12 @@ USERGROUPS_ENAB yes
 # primary group.
 #
 #GRANT_AUX_GROUP_SUBIDS yes
+
+#
+# Prevents an empty password field to be interpreted as "no authentication
+# required".
+# Set to "yes" to prevent for all accounts
+# Set to "superuser" to prevent for UID 0 / root (default)
+# Set to "no" to not prevent for any account (dangerous, historical default)
+
+PREVENT_NO_AUTH superuser
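Review bot: The new comment block does not say that PREVENT_NO_AUTH is only enforced in builds without PAM. The su.c check in this commit sits in `check_perms_nopam`, and the commit message itself says the USE_PAM side is still to be done, so on a PAM build an administrator could likely set `yes` here and get no protection. I would add `# Only honoured when shadow is built without PAM.` to the block. It should also state how other values are handled: as written, the value is matched exactly and case-sensitively, and anything other than `yes` or `superuser` behaves like `no`. The bare blank line before the setting would read better as `#`, so the comment stays attached to `PREVENT_NO_AUTH superuser`.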
index 909ee45fd16491dfaa7a3e00f5f392e2b4de6c2c..eaf6b48f205b4418dfe5b584adf6c2be389e16ef 100644 (file)
@@ -164,6 +164,7 @@ static struct itemdef def_table[] = {
 #endif
        {"FORCE_SHADOW", NULL},
        {"GRANT_AUX_GROUP_SUBIDS", NULL},
+       {"PREVENT_NO_AUTH", NULL},
        {NULL, NULL}
 };
 
index 00508cd5b9b0f9e7e1d779ef121ac56fa8de9d27..be84a884306c8dda2bb6ec0b45f74b3ead520be8 100644 (file)
@@ -978,6 +978,19 @@ int main (int argc, char **argv)
                            || ('*' == user_passwd[0])) {
                                failed = true;
                        }
+
+                       if (strcmp (user_passwd, "") == 0) {
+                               char *prevent_no_auth = getdef_str("PREVENT_NO_AUTH");
+                               if(prevent_no_auth == NULL) {
+                                       prevent_no_auth = "superuser";
+                               }
+                               if(strcmp(prevent_no_auth, "yes") == 0) {
+                                       failed = true;
+                               } else if( (pwd->pw_uid == 0)
+                                       && (strcmp(prevent_no_auth, "superuser") == 0)) {
+                                       failed = true;
+                               }
+                       }
                }
 
                if (strcmp (user_passwd, SHADOW_PASSWD_STRING) == 0) {
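Review bot: An unrecognised PREVENT_NO_AUTH value fails open in the added block: `Yes`, `true` or a typo matches neither `strcmp`, so an empty password field is accepted even for UID 0, which is weaker than the `superuser` fallback used when the key is absent. Denying unless the value is explicitly `no` or `superuser` closes that, e.g. `if (strcmp(prevent_no_auth, "no") != 0 && (pwd->pw_uid == 0 || strcmp(prevent_no_auth, "superuser") != 0)) failed = true;`. The same three-way comparison is repeated in the src/su.c hunk inside `check_perms_nopam`, so a small shared helper would keep the two in step. `prevent_no_auth` is assigned a string literal and never written through, so `const char *` is the better type. The enclosing `main` starts and ends outside the hunk.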
index cea3f1552c0ecd8331c8f9e88f9513f43d800acf..0f3cd79366fb3a592db2637aad42712154fb724a 100644 (file)
--- a/src/su.c
+++ b/src/su.c
@@ -505,6 +505,21 @@ static void check_perms_nopam (const struct passwd *pw)
                return;
        }
 
+       if (strcmp (pw->pw_passwd, "") == 0) {
+               char *prevent_no_auth = getdef_str("PREVENT_NO_AUTH");
+               if(prevent_no_auth == NULL) {
+                       prevent_no_auth = "superuser";
+               }
+               if(strcmp(prevent_no_auth, "yes") == 0) {
+                       fprintf(stderr, _("Password field is empty, this is forbidden for all accounts.\n"));
+                       exit(1);
+               } else if( (pw->pw_uid == 0)
+                               && (strcmp(prevent_no_auth, "superuser") == 0)) {
+                       fprintf(stderr, _("Password field is empty, this is forbidden for super-user.\n"));
+                       exit(1);
+               }
+       }
+
        /*
         * BSD systems only allow "wheel" to SU to root. USG systems don't,
         * so we make this a configurable option.
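Review bot: Both refusal paths added here end in `fprintf(stderr, …); exit(1);`, so as far as the hunk shows, a blocked attempt to su to an account with an empty password field leaves no log record. A refused switch to UID 0 is something an operator would want to see, so I would log it before exiting, through the file's own logging wrapper if it has one, or with something like `syslog(LOG_WARNING, "su to '%s' refused: empty password field", pw->pw_name);`. The stderr text also tells any unprivileged caller that the target's password field is empty; a generic authentication-failure message would avoid disclosing that. `check_perms_nopam` starts before and continues past the hunk, so any logging done later in the function is not visible here.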