On 09/21/2015 08:55 AM, Drew Wells wrote:
>> I think that permitting a null password, if policy does not admit it, is a
>> security hole.
>> Prefer you add another explicit call to be called for no password
>> checking (at all).
>>> This is going to be the patch I use here, does anyone want this patch?
> Wouldn't it actually be easier to remove the password parameter from
> vadduser() and then vadduser.c can add a user (without a password) and
> then optionally set a password using vauth_setpw()? This is exactly what
> it should do at the moment for adding a user with a crypted password, the
> user is added, then the crypted password is set using
Because vadduser() previously supported an empty password ("\0"), the change to
check for this and skip the password strength testing won't be changing its
functionality. The password strength check was not meant to prevent blank
passwords, so the fact that it broke the ability to set one would be a bug, and
skipping the call to the password strength checker would be a bug fix. vadduser
should not, however, be called with a NULL password.
Matt Brookings <m...@inter7.com> GnuPG Key 62817373
Software developer Systems technician
Inter7 Internet Technologies, Inc. (815)776-9465
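The distinction the thread turns on (a NULL pointer is a caller bug, an empty string is a deliberately blank password, and whether a blank password is acceptable at all is a policy question rather than a strength-check question) is easy to get wrong in C. The following is an added illustration written for this page, not vpopmail code: `add_user_before`, `add_user_after`, `password_is_strong`, the `allow_empty` flag and the `add_result` codes are all hypothetical stand-ins, and the strength checker is a trivial length test rather than any real policy.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical result codes for this example (not vpopmail's). */
enum add_result {
    ADD_OK = 0,
    ADD_ERR_NULL_PASSWORD = 1,   /* NULL is a caller bug, never a valid password */
    ADD_ERR_EMPTY_FORBIDDEN = 2, /* blank password requested, but policy forbids it */
    ADD_ERR_WEAK_PASSWORD = 3    /* non-blank password failed the strength check */
};

/* Stand-in strength checker (assumption: a minimum length of 8). A real one
   would apply the site's password policy; the point here is only where in the
   flow it is invoked. */
static int password_is_strong(const char *pw) {
    return strlen(pw) >= 8;
}

/* Behaviour the thread describes as the bug: the strength check runs on every
   password, so "" fails it and a blank password can no longer be set at all,
   even though the check was never meant to forbid blank passwords. */
enum add_result add_user_before(const char *user, const char *pw) {
    (void)user;
    if (pw == NULL) return ADD_ERR_NULL_PASSWORD;
    if (!password_is_strong(pw)) return ADD_ERR_WEAK_PASSWORD;
    return ADD_OK;
}

/* Behaviour after the fix discussed in the thread: NULL is still rejected,
   "" skips the strength check, and whether a blank password is allowed at all
   is an explicit policy decision rather than a side effect of the checker. */
enum add_result add_user_after(const char *user, const char *pw, int allow_empty) {
    (void)user;
    if (pw == NULL) return ADD_ERR_NULL_PASSWORD;
    if (pw[0] == '\0') return allow_empty ? ADD_OK : ADD_ERR_EMPTY_FORBIDDEN;
    if (!password_is_strong(pw)) return ADD_ERR_WEAK_PASSWORD;
    return ADD_OK;
}

int main(void) {
    printf("before, blank password:       %d\n", add_user_before("alice", ""));
    printf("after, blank, policy allows:  %d\n", add_user_after("alice", "", 1));
    printf("after, blank, policy forbids: %d\n", add_user_after("alice", "", 0));
    printf("after, NULL password:         %d\n", add_user_after("alice", NULL, 1));
    printf("after, weak password:         %d\n", add_user_after("alice", "short", 0));
    printf("after, acceptable password:   %d\n", add_user_after("alice", "correct-horse", 0));
    return 0;
}
```

The separate `allow_empty` flag is what keeps the two concerns apart: the strength checker never sees the blank password, so it cannot accidentally forbid it, and a site whose policy does not admit blank passwords refuses them with a distinct error rather than relying on the checker to happen to reject an empty string.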