Hello. I am sharing a patch for the su command.
---------- Forwarded message ----------
From: 김혜진 <[email protected]>
Date: 2015-01-29 21:35 GMT+09:00
Subject: Re: su patch
To: Rob Landley <[email protected]>

Hi, Rob.

I am sending you the fixed patch.

As I looked at passwd and mkpasswd, the default encryption method is "des".
Because useradd calls passwd with no option for the encryption method, it makes a "des" encrypted password. It was the fact.
So, I changed the default encryption method to "md5".
But su cannot check whether index 0 of the password is $, because users can choose "des" at any time if they want.

Please check my patch!

And, if you have more time, please review my questions regarding netcat.

Thank you!

2015-01-23 15:57 GMT+09:00 Rob Landley <[email protected]>:
> On 01/22/2015 04:56 AM, 김혜진 wrote:
> > 2015-01-22 18:56 GMT+09:00 Rob Landley <[email protected]
> > <mailto:[email protected]>>:
> > According to man 3 crypt, the password format is:
> >
> > If salt is a character string starting with the characters
> > "$id$" followed by a string terminated by "$":
> >
> > $id$salt$encrypted
> >
> > I also expected this format as busybox also does, but toybox's is not
> > working like this on a board.
> > If I have more time, I'll also check useradd and passwd in detail with
> > your guide below.
>
> Sounds like I need to fix useradd. (There's a reason it's still in
> pending...)
>
> > So I made a patch.
> >
> >
> > Do you have an opinion? Please share.
> >
> > It looks like what the patch is doing is not checking passwords for
> > root. I agree it shouldn't check the password for root (which can even
> > switch to an otherwise disabled account, with no password), but there's
> > no reason to use a goto here, just have the if (getuid()) { } around the
> > next four lines. (This would cause the lines to be reindented, but "goto
> > deny" is only acceptable because it's error handling.)
> >
> > Can I make a patch reflecting your opinion?
>
> Sure.
>
> > Thank you.
> >
> > Would it be ok if I reposted this reply to the toybox mailing list?
> >
> > Or is waiting for some opinions of other members on the mailing list better?
>
> It's more that I like doing development in the open and having a record
> of it in one place. If I wrote up long explanations in private email I
> can't refer to them later if somebody else asks a similar question. (I
> try to make it so people can maintain their own local versions easily
> without needing magic information only I have.)
>
> In general if there isn't a reason _not_ to have a message about the
> project public, I prefer to have it public. It's not just the source
> that's open in open source development, it's the development part too.
>
>
> Rob
>
> Rob
>
0001-patch-su-fix-to-check-uid-and-0-index-of-password.patch
Description: Binary data
_______________________________________________
Toybox mailing list
[email protected]
http://lists.landley.net/listinfo.cgi/toybox-landley.net
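
The thread's point that su cannot require `$` at index 0 of the password field, because traditional "des" crypt(3) hashes carry no `$id$` prefix, is illustrated by the following added example; it is not part of the original messages, the attached patch, or toybox. The names `classify_pw_field` and `pw_is_checkable` are hypothetical, and the sample fields are constructed, not real hashes.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for illustration; this is not toybox's su code. */
enum pw_kind { PW_EMPTY, PW_LOCKED, PW_DES, PW_MD5, PW_SHA256, PW_SHA512, PW_UNKNOWN };

/* Classify the password field of a passwd/shadow entry by crypt(3) scheme. */
enum pw_kind classify_pw_field(const char *pw)
{
  static const char b64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

  if (!pw || !*pw) return PW_EMPTY;               /* no password set */
  if (*pw == '!' || *pw == '*') return PW_LOCKED; /* never a crypt() result */

  if (*pw == '$') {
    /* Modular format from man 3 crypt: $id$salt$encrypted */
    const char *id = pw + 1, *end = strchr(id, '$');

    if (!end || end == id || !strchr(end + 1, '$')) return PW_UNKNOWN;
    if (end - id == 1) switch (*id) {
      case '1': return PW_MD5;
      case '5': return PW_SHA256;
      case '6': return PW_SHA512;
    }
    return PW_UNKNOWN;
  }

  /* Traditional DES: 2 salt chars + 11 hash chars, and no '$' at all. */
  if (strlen(pw) == 13 && strspn(pw, b64) == 13) return PW_DES;
  return PW_UNKNOWN;
}

/* A field can be verified with crypt() if it is any recognised hash. */
int pw_is_checkable(const char *pw)
{
  enum pw_kind k = classify_pw_field(pw);
  return k == PW_DES || k == PW_MD5 || k == PW_SHA256 || k == PW_SHA512;
}

int main(void)
{
  /* Constructed sample fields, not real hashes. */
  const char *samples[] = { "ab0123456789.", "$1$salt$0123456789abcdefghijkl", "!", "" };
  for (size_t i = 0; i < sizeof(samples) / sizeof(*samples); i++)
    printf("%-32s kind=%d checkable=%d\n", samples[i],
           classify_pw_field(samples[i]), pw_is_checkable(samples[i]));
  return 0;
}
```

A check of the form `pw[0] == '$'` would reject the first sample even though it has the shape of a valid "des" entry, which is the case the message describes.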
