Search users for one with a valid salt.

If the root account is locked (eg password "!!" or "*LK*") keep looking
until we find a user with a valid salt to use for crypting passwords of
invalid users.  ok djm@

diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
index 8913bb81a5a2bd4684a7fdcff1e0691536401f20..cf6a9b99f38d635553d13c7fbbe370f4cd68689c 100644 (file)
--- a/openbsd-compat/xcrypt.c
+++ b/openbsd-compat/xcrypt.c
@@ -65,7 +65,9 @@
 
 /*
  * Pick an appropriate password encryption type and salt for the running
- * system.
+ * system by searching through accounts until we find one that has a valid
+ * salt.  Usually this will be root unless the root account is locked out.
+ * If we don't find one we return a traditional DES-based salt.
  */
 static const char *
 pick_salt(void)
@@ -78,14 +80,18 @@ pick_salt(void)
        if (salt[0] != '\0')
                return salt;
        strlcpy(salt, "xx", sizeof(salt));
-       if ((pw = getpwuid(0)) == NULL)
-               return salt;
-       passwd = shadow_pw(pw);
-       if (passwd[0] != '$' || (p = strrchr(passwd + 1, '$')) == NULL)
-               return salt;  /* no $, DES */
-       typelen = p - passwd + 1;
-       strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
-       explicit_bzero(passwd, strlen(passwd));
+       setpwent();
+       while ((pw = getpwent()) != NULL) {
+               passwd = shadow_pw(pw);
+               if (passwd[0] == '$' && (p = strrchr(passwd+1, '$')) != NULL) {
+                       typelen = p - passwd + 1;
+                       strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
+                       explicit_bzero(passwd, strlen(passwd));
+                       goto out;
+               }
+       }
+ out:
+       endpwent();
        return salt;
 }