
bin/76756: function pw_equal in pw_util.c does not test pw_passwd field so any changes made by chpass to that field are ignored.



>Number:         76756
>Category:       bin
>Synopsis:       function pw_equal in pw_util.c does not test pw_passwd field so any changes made by chpass to that field are ignored.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 27 16:10:16 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Lee Burton
>Release:        5.3
>Organization:
Extreme Internet
>Environment:
FreeBSD eiscanner01.extremezone.com 5.3-RELEASE FreeBSD 5.3-RELEASE #0: Fri Nov  5 04:19:18 UTC 2004     root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
Our organization uses the "splat" method of disabling users, i.e. an
asterisk is prepended to the encrypted password string using chpass.
After upgrading to 5.3, attempts to change the encrypted string resulted
in a "user information unchanged".
>How-To-Repeat:
Use chpass to modify only the pw_passwd field.
>Fix:
Add the following line to pw_equal:

strcmp(pw1->pw_passwd, pw2->pw_passwd) == 0 &&

so pw_equal looks like:

/*
 * Compares two struct pwds.
 */
int
pw_equal(const struct passwd *pw1, const struct passwd *pw2)
{
        return (strcmp(pw1->pw_name, pw2->pw_name) == 0 &&
            strcmp(pw1->pw_passwd, pw2->pw_passwd) == 0 &&
            pw1->pw_uid == pw2->pw_uid &&
            pw1->pw_gid == pw2->pw_gid &&
            strcmp(pw1->pw_class, pw2->pw_class) == 0 &&
            pw1->pw_change == pw2->pw_change &&
            pw1->pw_expire == pw2->pw_expire &&
            strcmp(pw1->pw_gecos, pw2->pw_gecos) == 0 &&
            strcmp(pw1->pw_dir, pw2->pw_dir) == 0 &&
            strcmp(pw1->pw_shell, pw2->pw_shell) == 0);
}

>Release-Note:
>Audit-Trail:
>Unformatted:
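
An added example, not part of the original report or of the FreeBSD source: a self-contained model of the comparison above, showing why an edit that only prepends an asterisk to the password is dropped without the pw_passwd test and kept with it. The struct pw_rec stand-in, the function names, the sample account and the simplified edit flow are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Stand-in for FreeBSD's struct passwd so the example builds on any system. */
struct pw_rec {
	const char *pw_name, *pw_passwd, *pw_class, *pw_gecos, *pw_dir, *pw_shell;
	unsigned pw_uid, pw_gid;
	time_t pw_change, pw_expire;
};

/* Every field except pw_passwd: the behaviour the report describes. */
static int pw_equal_reported(const struct pw_rec *a, const struct pw_rec *b)
{
	return (strcmp(a->pw_name, b->pw_name) == 0 &&
	    a->pw_uid == b->pw_uid && a->pw_gid == b->pw_gid &&
	    strcmp(a->pw_class, b->pw_class) == 0 &&
	    a->pw_change == b->pw_change && a->pw_expire == b->pw_expire &&
	    strcmp(a->pw_gecos, b->pw_gecos) == 0 &&
	    strcmp(a->pw_dir, b->pw_dir) == 0 && strcmp(a->pw_shell, b->pw_shell) == 0);
}

/* The same comparison with the pw_passwd test proposed in the report. */
static int pw_equal_fixed(const struct pw_rec *a, const struct pw_rec *b)
{
	return (strcmp(a->pw_passwd, b->pw_passwd) == 0 && pw_equal_reported(a, b));
}

/* Constructed records: one account before and after the "splat" edit. */
static const struct pw_rec before = { "jdoe", "$1$constructed$hash", "",
    "J Doe", "/home/jdoe", "/bin/sh", 1001, 1001, 0, 0 };
static const struct pw_rec edited = { "jdoe", "*$1$constructed$hash", "",
    "J Doe", "/home/jdoe", "/bin/sh", 1001, 1001, 0, 0 };

/*
 * Simplified edit flow (assumption): records that compare equal are treated
 * as "unchanged" and the old one is kept. Returns 1 if the account ends up
 * with a password field starting with '*'.
 */
int account_disabled_after_edit(int with_fix)
{
	int same = (with_fix ? pw_equal_fixed : pw_equal_reported)(&before, &edited);
	const struct pw_rec *stored = same ? &before : &edited;
	return (stored->pw_passwd[0] == '*');
}

int main(void)
{
	printf("%d %d\n", account_disabled_after_edit(0), account_disabled_after_edit(1));
	return (0);
}
```

With the reported comparison the account keeps its original password field, so the intended disable never takes effect; with the extra test the asterisk-prefixed value is stored.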
