Hi,
I noticed that our password checking routine in correct_password.c
behaves differently than real login app.
In case that support for shadow passwords is enabled and
/etc/shadow is missing it complains with an error message:
"no valid shadow password, checking ordinary one"
thus disclosing information about the state of the system.
I think it should instead fake an incorrect login.
A patch is attached, comments and critics are welcome.
This is only compile tested.
Ciao,
Tito
BTW.:
scripts/bloat-o-meter busybox_old busybox_unstripped
function old new delta
correct_password 231 225 -6
.rodata 125111 125063 -48
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 0/2 up/down: 0/-54) Total: -54 bytes
--- libbb/correct_password.c.orig 2007-06-16 16:27:04.000000000 +0200
+++ libbb/correct_password.c 2007-07-02 23:58:26.000000000 +0200
@@ -55,12 +55,8 @@
}
correct = pw->pw_passwd;
#if ENABLE_FEATURE_SHADOWPASSWDS
- if (LONE_CHAR(pw->pw_passwd, 'x') || LONE_CHAR(pw->pw_passwd, '*')) {
- if (getspnam_r(pw->pw_name, &spw, buffer, sizeof(buffer), &result))
- bb_error_msg("no valid shadow password, checking ordinary one");
- else
- correct = spw.sp_pwdp;
- }
+ if (LONE_CHAR(pw->pw_passwd, 'x') || LONE_CHAR(pw->pw_passwd, '*'))
+ correct = (getspnam_r(pw->pw_name, &spw, buffer, sizeof(buffer), &result)) ? "aa" : spw.sp_pwdp;
#endif
if (!correct || correct[0] == '\0')
_______________________________________________
busybox mailing list
[email protected]
http://busybox.net/cgi-bin/mailman/listinfo/busybox
