author Lennart Poettering <lennart@poettering.net> 2020-05-05 21:46:56 +0200
committer Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2020-05-06 09:44:35 +0200
commit fc58c0c7bf7e4f525b916e3e5be0de2307fef04e
tree 26c81e8e828c5c63be3661f6fa9dd8d983e91bff /src/sysusers
parent c92391f52fb335b529519ffffd91bbd3a83c8c64
sysusers: be extra careful when locking accounts
Let's use "!*" instead of "!!" as invalid password string.

Generally, any invalid password string can be used for locking an account, according to shadow(5). To temporarily lock a password of an account it is commonly implemented to prefix the original password with a single "!", so that it can later on be unlocked again by removing the "!", restoring the original password. Thus, the "!" marker is an indicator for a locked password; the act of prefixing "!" to a password string is the locking operation; and the removal of a "!" prefix is the unlock operation. (This is also suggested in shadow(5)).

If we want to entirely lock an account we previously used "!!" as password string. This is nice since it indicates the password is locked. However, it is less than ideal, since applying the password unlock operation once will change the string to "!", which is still a locked password. Unlocking the password a second time will result in "", i.e. the empty password, which will in many cases allow logging in without password. And that's a problem. Hopefully, tools do not allow such duplicate unlocking, but it's still not a nice property.

By changing our password string to "!*" we get different behaviour: the password will appear locked. When it is unlocked the password is "*" which is an invalid password. In that case the password is hence unlocked but invalid, which is a much better state to be in than the above.

This is paranoia hardening. Not more. There's no report that anyone ever unlocked an account twice and people could log in.
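The lock and unlock operations described in the commit message, modelled as an added example that is not part of this commit or of systemd's code. The names `classify`, `unlock_once`, `state_after_unlocks` and `can_reach_empty` are hypothetical, the sample fields are constructed, and the classification is a simplification that only treats `$`-prefixed strings as real hashes.

```c
#include <stdio.h>
#include <string.h>

/* How a shadow(5) password field is treated, as modelled by this example. */
enum pw_state { PW_LOCKED, PW_EMPTY, PW_INVALID, PW_HASH };

/* Simplified classification (assumption): a leading "!" means locked, ""
 * means no password is needed, "$..." is a crypt(3)-style hash, and anything
 * else (such as "*") can never match a hash and is therefore invalid. */
static enum pw_state classify(const char *field) {
    if (field[0] == '!')  return PW_LOCKED;
    if (field[0] == '\0') return PW_EMPTY;
    if (field[0] == '$')  return PW_HASH;
    return PW_INVALID;
}

/* The unlock operation from the commit message: drop one leading "!". */
static const char *unlock_once(const char *field) {
    return field[0] == '!' ? field + 1 : field;
}

/* State of the field after the unlock operation was applied n times. */
static enum pw_state state_after_unlocks(const char *field, int n) {
    while (n-- > 0)
        field = unlock_once(field);
    return classify(field);
}

/* 1 if repeated unlocking can ever leave the empty password behind. */
static int can_reach_empty(const char *field) {
    for (size_t k = 0; k <= strlen(field); k++)
        if (state_after_unlocks(field, (int) k) == PW_EMPTY)
            return 1;
    return 0;
}

int main(void) {
    static const char *names[] = { "locked", "EMPTY", "invalid", "hash" };
    /* Constructed sample fields: old marker, new marker, a locked hash. */
    const char *samples[] = { "!!", "!*", "!$6$constructedsalt$constructedhash" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-40s 1x: %-8s 2x: %-8s reaches empty: %s\n", samples[i],
               names[state_after_unlocks(samples[i], 1)],
               names[state_after_unlocks(samples[i], 2)],
               can_reach_empty(samples[i]) ? "yes" : "no");
    return 0;
}
```

The same `can_reach_empty` check can be run over the password fields of an existing shadow file to find entries that consist only of "!" characters.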
Diffstat (limited to 'src/sysusers')
-rw-r--r-- src/sysusers/sysusers.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c
index a36cfb210f..73a710bee7 100644
--- a/src/sysusers/sysusers.c
+++ b/src/sysusers/sysusers.c
@@ -529,7 +529,7 @@ static int write_temporary_shadow(const char *shadow_path, FILE **tmpfile, char
ORDERED_HASHMAP_FOREACH(i, todo_uids, iterator) {
struct spwd n = {
.sp_namp = i->name,
- .sp_pwdp = (char*) "!!", /* lock this password, and make it invalid */
+ .sp_pwdp = (char*) "!*", /* lock this password, and make it invalid */
.sp_lstchg = lstchg,
.sp_min = -1,
.sp_max = -1,
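Review bot: the comment on the changed `.sp_pwdp` line is left as "lock this password, and make it invalid", which read the same for "!!", so the reason for choosing "!*" is recorded only in the commit message. Consider extending the comment to say that removing the "!" once leaves "*", which is still an invalid password, whereas "!!" can be unlocked twice down to the empty string; that makes it less likely a later cleanup switches the literal back.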