From: Haelwenn Monnier <contact+github.com@hacktivis.me>
Date: Mon, 29 Mar 2021 03:16:03 +0000 (+0200)
Subject: login & su: Treat an empty passwd field as invalid (#315)
X-Git-Tag: v4.9~33
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b865e14f255e3eb3e3fe2c86dde5888a4caa6c1c;p=thirdparty%2Fshadow.git

login & su: Treat an empty passwd field as invalid (#315)

* login & su: Treat an empty passwd field as invalid

Otherwise it's treated like the “require no password” clause while it probably
should be treated like a normal su that can't validate anyway.

A similar change should be done for USE_PAM.

* su & login: Introduce PREVENT_NO_AUTH
---

diff --git a/etc/login.defs b/etc/login.defs
index fe206812e..dbeffa649 100644
--- a/etc/login.defs
+++ b/etc/login.defs
@@ -458,3 +458,12 @@ USERGROUPS_ENAB yes
 # primary group.
 #
 #GRANT_AUX_GROUP_SUBIDS yes
+
+#
+# Prevents an empty password field to be interpreted as "no authentication
+# required".
+# Set to "yes" to prevent for all accounts
+# Set to "superuser" to prevent for UID 0 / root (default)
+# Set to "no" to not prevent for any account (dangerous, historical default)
+
+PREVENT_NO_AUTH superuser
diff --git a/lib/getdef.c b/lib/getdef.c
index 909ee45fd..eaf6b48f2 100644
--- a/lib/getdef.c
+++ b/lib/getdef.c
@@ -164,6 +164,7 @@ static struct itemdef def_table[] = {
 #endif
 	{"FORCE_SHADOW", NULL},
 	{"GRANT_AUX_GROUP_SUBIDS", NULL},
+	{"PREVENT_NO_AUTH", NULL},
 	{NULL, NULL}
 };
 
diff --git a/src/login.c b/src/login.c
index 00508cd5b..be84a8843 100644
--- a/src/login.c
+++ b/src/login.c
@@ -978,6 +978,19 @@ int main (int argc, char **argv)
 			    || ('*' == user_passwd[0])) {
 				failed = true;
 			}
+
+			if (strcmp (user_passwd, "") == 0) {
+				char *prevent_no_auth = getdef_str("PREVENT_NO_AUTH");
+				if(prevent_no_auth == NULL) {
+					prevent_no_auth = "superuser";
+				}
+				if(strcmp(prevent_no_auth, "yes") == 0) {
+					failed = true;
+				} else if( (pwd->pw_uid == 0)
+					&& (strcmp(prevent_no_auth, "superuser") == 0)) {
+					failed = true;
+				}
+			}
 		}
 
 		if (strcmp (user_passwd, SHADOW_PASSWD_STRING) == 0) {
diff --git a/src/su.c b/src/su.c
index cea3f1552..0f3cd7936 100644
--- a/src/su.c
+++ b/src/su.c
@@ -505,6 +505,21 @@ static void check_perms_nopam (const struct passwd *pw)
 		return;
 	}
 
+	if (strcmp (pw->pw_passwd, "") == 0) {
+		char *prevent_no_auth = getdef_str("PREVENT_NO_AUTH");
+		if(prevent_no_auth == NULL) {
+			prevent_no_auth = "superuser";
+		}
+		if(strcmp(prevent_no_auth, "yes") == 0) {
+			fprintf(stderr, _("Password field is empty, this is forbidden for all accounts.\n"));
+			exit(1);
+		} else if( (pw->pw_uid == 0)
+				&& (strcmp(prevent_no_auth, "superuser") == 0)) {
+			fprintf(stderr, _("Password field is empty, this is forbidden for super-user.\n"));
+			exit(1);
+		}
+	}
+
 	/*
 	 * BSD systems only allow "wheel" to SU to root. USG systems don't,
 	 * so we make this a configurable option.