From fc58c0c7bf7e4f525b916e3e5be0de2307fef04e Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 5 May 2020 21:46:56 +0200 Subject: [PATCH] sysusers: be extra careful when locking accounts Let's use "!*" instead of "!!" as invalid password string. Generally, any invalid password string can be used to for locking an account, according to shadow(5). To temporarily lock a password of an account it is commonly implemented to prefix the original password with a single "!", so that it can later on be unlocked again by removing the "!", restoring the original password. Thus, the "!" marker is an indicator for a locked password; the act of prefixing "!" to a password string is the locking operation; and the removal of a "!" prefix is the unlock operation. (This is also suggested in shadow(5)). If we want to entirely lock an account we previously used "!!" as password string. This is nice since it indicates the password is locked. However, it is less than ideal, since applying the password unlock operation once will change the string to "!", which is still a locked password. Unlocking the password a second time will result in "", i.e. the empty password, which will in many cases allow logging in without password. And that's a problem. Hopefully, tools do not allow such duplicate unlocking, but it's still not a nice property. By changing our password string to "!*" we get different behaviour: the password will appear locked. When it is unlocked the password is "*" which is an invalid password. In that case the password is hence unlocked but invalid, which is a much better state to be in than the above. This is paranoia hardening. Not more. There's no report that anyone every unlocked an account twice and people could log in. --- src/sysusers/sysusers.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c index a36cfb210f6..73a710bee7c 100644 --- a/src/sysusers/sysusers.c +++ b/src/sysusers/sysusers.c @@ -529,7 +529,7 @@ static int write_temporary_shadow(const char *shadow_path, FILE **tmpfile, char ORDERED_HASHMAP_FOREACH(i, todo_uids, iterator) { struct spwd n = { .sp_namp = i->name, - .sp_pwdp = (char*) "!!", /* lock this password, and make it invalid */ + .sp_pwdp = (char*) "!*", /* lock this password, and make it invalid */ .sp_lstchg = lstchg, .sp_min = -1, .sp_max = -1,