authorFabian Bläse <fabian@blaese.de>2020-03-17 16:55:57 +0100
committerJo-Philipp Wich <jo@mein.io>2020-05-26 16:17:12 +0200
commit53a0952a4b51408af8856d3a59106bc037ac35bd (patch)
tree511912c106392f088d54e4cc841927a1d9691b1b
parent662d0346caada9de6f76d8f2e1e527abae626a84 (diff)
downloadrpcd-53a0952a4b51408af8856d3a59106bc037ac35bd.tar.gz
session: deny access if password login is disabled
The special characters '!' and '*' in /etc/shadow are used to disable password login for a specific account. The character 'x' has no special meaning, but should not be interpreted as an empty password. However, rpcd did treat these special characters like no password was set, which allows access even though the account is disabled. By removing the additional checks for these characters, the encrypted password string is passed to crypt, which returns NULL if the salt has an invalid format and therefore access is denied. Fixes: FS#2634 Signed-off-by: Fabian Bläse <fabian@blaese.de> (cherry picked from commit 3df62bcebd2caff47506ccffb42df8d2d2123c06)
-rw-r--r--session.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/session.c b/session.c
index 3ed4519..b4c7be4 100644
--- a/session.c
+++ b/session.c
@@ -795,7 +795,7 @@ rpc_login_test_password(const char *hash, const char *password)
char *crypt_hash;
/* password is not set */
- if (!hash || !*hash || !strcmp(hash, "!") || !strcmp(hash, "x"))
+ if (!hash || !*hash)
{
return true;
}
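Review bot: With the `"!"` and `"x"` comparisons gone, denying a locked account now rests entirely on the crypt() call and hash comparison that follow this guard, which lie outside the hunk, and on how the libc in use reacts to a malformed salt. The commit message assumes crypt() returns NULL, but some implementations return a short failure token instead, so the later code has to tolerate both outcomes. An explicit check right after the empty-hash guard would make the denial independent of libc behaviour: `if (hash[0] == '!' || hash[0] == '*') return false;`. The comment `/* password is not set */` could also say that an empty hash field accepts any supplied password and that lock markers deliberately fall through, for example `/* empty hash field: no password set, login allowed; "!"/"*" entries fall through to crypt() and are rejected */`.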