From 0d3f41ef46f2b18a2bc4f728eeadaea81bcea48d Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 5 May 2021 15:32:43 +0200 Subject: user-util: add generic definition for special password hash values in /etc/passwd + /etc/shadow Let's add three defines for the 3 special cases of passwords. Some of our tools used different values for the "locked"/"invalid" case, let's settle on using "!*" which means the password is both locked *and* invalid. Other tools like to use "!!" for this case, which however is less than ideal I think, since the this could also be a considered an entry with an empty password, that can be enabled again by unlocking it twice. (cherry picked from commit 53c25ac968ab8b868506c3a1820d8c76beb0cd88) --- src/basic/user-util.h | 9 +++++++++ src/firstboot/firstboot.c | 8 ++++---- src/nss-systemd/nss-systemd.c | 8 ++++---- src/nss-systemd/userdb-glue.c | 5 +++-- src/sysusers/sysusers.c | 8 ++++---- 5 files changed, 24 insertions(+), 14 deletions(-) diff --git a/src/basic/user-util.h b/src/basic/user-util.h index 20ff415e2e..2ac9166c07 100644 --- a/src/basic/user-util.h +++ b/src/basic/user-util.h @@ -109,3 +109,12 @@ int putsgent_sane(const struct sgrp *sg, FILE *stream); #endif bool is_nologin_shell(const char *shell); + +/* A locked *and* invalid password for "struct spwd"'s .sp_pwdp and "struct passwd"'s .pw_passwd field */ +#define PASSWORD_LOCKED_AND_INVALID "!*" + +/* A password indicating "look in shadow file, please!" for "struct passwd"'s .pw_passwd */ +#define PASSWORD_SEE_SHADOW "x" + +/* A password indicating "hey, no password required for login" */ +#define PASSWORD_NONE "" diff --git a/src/firstboot/firstboot.c b/src/firstboot/firstboot.c index 8e3028717e..89049a6daa 100644 --- a/src/firstboot/firstboot.c +++ b/src/firstboot/firstboot.c @@ -860,20 +860,20 @@ static int process_root_args(void) { return r; if (arg_root_password && arg_root_password_is_hashed) { - password = "x"; + password = PASSWORD_SEE_SHADOW; hashed_password = arg_root_password; } else if (arg_root_password) { r = hash_password(arg_root_password, &_hashed_password); if (r < 0) return log_error_errno(r, "Failed to hash password: %m"); - password = "x"; + password = PASSWORD_SEE_SHADOW; hashed_password = _hashed_password; } else if (arg_delete_root_password) - password = hashed_password = ""; + password = hashed_password = PASSWORD_NONE; else - password = hashed_password = "!"; + password = hashed_password = PASSWORD_LOCKED_AND_INVALID; r = write_root_passwd(etc_passwd, password, arg_root_shell); if (r < 0) diff --git a/src/nss-systemd/nss-systemd.c b/src/nss-systemd/nss-systemd.c index 84f94f500f..3ac57441d9 100644 --- a/src/nss-systemd/nss-systemd.c +++ b/src/nss-systemd/nss-systemd.c @@ -20,7 +20,7 @@ static const struct passwd root_passwd = { .pw_name = (char*) "root", - .pw_passwd = (char*) "x", /* see shadow file */ + .pw_passwd = (char*) PASSWORD_SEE_SHADOW, .pw_uid = 0, .pw_gid = 0, .pw_gecos = (char*) "Super User", @@ -30,7 +30,7 @@ static const struct passwd root_passwd = { static const struct passwd nobody_passwd = { .pw_name = (char*) NOBODY_USER_NAME, - .pw_passwd = (char*) "*", /* locked */ + .pw_passwd = (char*) PASSWORD_LOCKED_AND_INVALID, .pw_uid = UID_NOBODY, .pw_gid = GID_NOBODY, .pw_gecos = (char*) "User Nobody", @@ -41,14 +41,14 @@ static const struct passwd nobody_passwd = { static const struct group root_group = { .gr_name = (char*) "root", .gr_gid = 0, - .gr_passwd = (char*) "x", /* see shadow file */ + .gr_passwd = (char*) PASSWORD_SEE_SHADOW, .gr_mem = (char*[]) { NULL }, }; static const struct group nobody_group = { .gr_name = (char*) NOBODY_GROUP_NAME, .gr_gid = GID_NOBODY, - .gr_passwd = (char*) "*", /* locked */ + .gr_passwd = (char*) PASSWORD_LOCKED_AND_INVALID, .gr_mem = (char*[]) { NULL }, }; diff --git a/src/nss-systemd/userdb-glue.c b/src/nss-systemd/userdb-glue.c index 8ad7ef608e..8f8988579b 100644 --- a/src/nss-systemd/userdb-glue.c +++ b/src/nss-systemd/userdb-glue.c @@ -6,6 +6,7 @@ #include "strv.h" #include "user-record-nss.h" #include "user-record.h" +#include "user-util.h" #include "userdb-glue.h" #include "userdb.h" @@ -50,7 +51,7 @@ int nss_pack_user_record( .pw_name = buffer, .pw_uid = hr->uid, .pw_gid = user_record_gid(hr), - .pw_passwd = (char*) "x", /* means: see shadow file */ + .pw_passwd = (char*) PASSWORD_SEE_SHADOW, }; assert(buffer); @@ -184,7 +185,7 @@ int nss_pack_group_record( *gr = (struct group) { .gr_name = strcpy(p, g->group_name), .gr_gid = g->gid, - .gr_passwd = (char*) "x", /* means: see shadow file */ + .gr_passwd = (char*) PASSWORD_SEE_SHADOW, .gr_mem = array, }; diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c index 307daea574..e77706d5ae 100644 --- a/src/sysusers/sysusers.c +++ b/src/sysusers/sysusers.c @@ -440,7 +440,7 @@ static int write_temporary_passwd(const char *passwd_path, FILE **tmpfile, char .pw_gecos = i->description, /* "x" means the password is stored in the shadow file */ - .pw_passwd = (char*) "x", + .pw_passwd = (char*) PASSWORD_SEE_SHADOW, /* We default to the root directory as home */ .pw_dir = i->home ?: (char*) "/", @@ -536,7 +536,7 @@ static int write_temporary_shadow(const char *shadow_path, FILE **tmpfile, char ORDERED_HASHMAP_FOREACH(i, todo_uids) { struct spwd n = { .sp_namp = i->name, - .sp_pwdp = (char*) "!*", /* lock this password, and make it invalid */ + .sp_pwdp = (char*) PASSWORD_LOCKED_AND_INVALID, .sp_lstchg = lstchg, .sp_min = -1, .sp_max = -1, @@ -639,7 +639,7 @@ static int write_temporary_group(const char *group_path, FILE **tmpfile, char ** struct group n = { .gr_name = i->name, .gr_gid = i->gid, - .gr_passwd = (char*) "x", + .gr_passwd = (char*) PASSWORD_SEE_SHADOW, }; r = putgrent_with_members(&n, group); @@ -723,7 +723,7 @@ static int write_temporary_gshadow(const char * gshadow_path, FILE **tmpfile, ch ORDERED_HASHMAP_FOREACH(i, todo_gids) { struct sgrp n = { .sg_namp = i->name, - .sg_passwd = (char*) "!*", + .sg_passwd = (char*) PASSWORD_LOCKED_AND_INVALID, }; r = putsgent_with_members(&n, gshadow); -- cgit v1.2.1