From 8f796e40a561bd9200fde3c8885e6255a2dd4250 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 28 Aug 2020 16:23:16 +0200 Subject: [PATCH] shared/{user,group}-record-nss: adjust filtering of "valid" passwords We would reject various passwords that glibc accepts, for example "" or any descrypted password. Accounts with empty password are definitely useful, for example for testing or in scenarios where a password is not needed. Also, using weak encryption methods is probably not a good idea, it's not the job of our nss helpers to decide that: they should just faithfully forward whatever data is there. Also rename the function to make it more obvious that the returned answer is not in any way certain. --- src/shared/group-record-nss.c | 2 +- src/shared/libcrypt-util.c | 19 ++++++++++++------- src/shared/libcrypt-util.h | 2 +- src/shared/user-record-nss.c | 2 +- 4 files changed, 15 insertions(+), 10 deletions(-) diff --git a/src/shared/group-record-nss.c b/src/shared/group-record-nss.c index 5c4fae865ae..b018a46e18e 100644 --- a/src/shared/group-record-nss.c +++ b/src/shared/group-record-nss.c @@ -37,7 +37,7 @@ int nss_group_to_group_record( g->gid = grp->gr_gid; if (sgrp) { - if (hashed_password_valid(sgrp->sg_passwd)) { + if (looks_like_hashed_password(sgrp->sg_passwd)) { g->hashed_password = strv_new(sgrp->sg_passwd); if (!g->hashed_password) return -ENOMEM; diff --git a/src/shared/libcrypt-util.c b/src/shared/libcrypt-util.c index f41685ae450..bf6605508af 100644 --- a/src/shared/libcrypt-util.c +++ b/src/shared/libcrypt-util.c @@ -74,13 +74,18 @@ int make_salt(char **ret) { #endif } -bool hashed_password_valid(const char *s) { - - /* Returns true if the specified string is a 'valid' hashed UNIX password, i.e. if starts with '$' or - * with '!$' (the latter being a valid, yet locked password). */ - - if (isempty(s)) +bool looks_like_hashed_password(const char *s) { + /* Returns false if the specified string is certainly not a hashed UNIX password. crypt(5) lists + * various hashing methods. We only reject (return false) strings which are documented to have + * different meanings. + * + * In particular, we allow locked passwords, i.e. strings starting with "!", including just "!", + * i.e. the locked empty password. See also fc58c0c7bf7e4f525b916e3e5be0de2307fef04e. + */ + if (!s) return false; - return STARTSWITH_SET(s, "$", "!$"); + s += strspn(s, "!"); /* Skip (possibly duplicated) locking prefix */ + + return !STR_IN_SET(s, "x", "*"); } diff --git a/src/shared/libcrypt-util.h b/src/shared/libcrypt-util.h index 93f0e13ffbe..8a860ceb0d8 100644 --- a/src/shared/libcrypt-util.h +++ b/src/shared/libcrypt-util.h @@ -19,4 +19,4 @@ int make_salt(char **ret); -bool hashed_password_valid(const char *s); +bool looks_like_hashed_password(const char *s); diff --git a/src/shared/user-record-nss.c b/src/shared/user-record-nss.c index b27a12c55d0..b4c35b8a532 100644 --- a/src/shared/user-record-nss.c +++ b/src/shared/user-record-nss.c @@ -66,7 +66,7 @@ int nss_passwd_to_user_record( hr->uid = pwd->pw_uid; hr->gid = pwd->pw_gid; - if (spwd && hashed_password_valid(spwd->sp_pwdp)) { + if (spwd && looks_like_hashed_password(spwd->sp_pwdp)) { strv_free_erase(hr->hashed_password); hr->hashed_password = strv_new(spwd->sp_pwdp); if (!hr->hashed_password)