On 09/21/2015 08:55 AM, Drew Wells wrote:
>> I think that permitting a null password, if policy does not admit it, is a
>> security hole.
>> Prefer you add another explicit call to be called for no password
>> checking (at all).
>>
>> Regards,
>>
>> Tonino
>>
>>
>>>
>>> This is going to be the patch I use here, does anyone want this patch ?
>>
> Wouldn't it actually be easier to remove the password parameter from
> vadduser() and then
> vadduser.c can add a user (without a password) and then optionally set a
> password using
> vauth_setpw() ? This is exactly what it should do at the moment for adding a
> user with a crypted
> password, the user is added, then the crypted password is set using
> vauth_setpw().
Because vadduser() previously supported an empty password ("\0"), the change to check for this and skip the password strength testing won't be changing its functionality. The password strength check was not meant to prevent blank passwords, so the fact that it broke the ability to set one would be a bug, and skipping the call to the password strength checker would be a bug fix. vadduser should not, however, be called with a NULL password.

--
/* Matt Brookings <m...@inter7.com>            GnuPG Key 62817373
   Software developer                          Systems technician
   Inter7 Internet Technologies, Inc.          (815)776-9465 */
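The thread turns on three cases that are easy to conflate: a NULL password pointer (a caller bug), an empty password "" (which may or may not be admitted by site policy), and an account that simply has no credential yet (Drew's "add the user, then optionally set a password" flow). The C below is an added illustration written for this page; it is not vpopmail code and does not use vadduser() or vauth_setpw(). The names add_user(), set_password(), check_login(), the struct policy/struct account types, the result codes and the toy FNV-1a "crypt" stand-in are all hypothetical. It shows the two-step design with an explicit policy gate for "", so that skipping the strength check for a blank password does not silently permit one, and so that an account created without a password cannot be logged into with "".

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example (not vpopmail's). */
enum setpw_result {
    SETPW_OK = 0,
    SETPW_NULL_PASSWORD,      /* NULL pointer: a caller bug, never "no password" */
    SETPW_BLANK_NOT_ALLOWED,  /* "" refused because policy does not admit it */
    SETPW_WEAK                /* non-empty password failed the strength check */
};

struct policy {
    bool   allow_blank;       /* explicit site policy for "" */
    size_t min_length;
    bool   require_digit;
};

struct account {
    char name[64];
    bool has_password;        /* false: no credential stored, all logins refused */
    char crypted[32];         /* stand-in for the stored password hash */
};

/* Toy hash (FNV-1a 64) standing in for crypt(); NOT suitable for real storage. */
static void toy_crypt(const char *pw, char out[32])
{
    uint64_t h = 1469598103934665603ULL;
    for (const unsigned char *p = (const unsigned char *)pw; *p; p++) {
        h ^= *p;
        h *= 1099511628211ULL;
    }
    snprintf(out, 32, "%016llx", (unsigned long long)h);
}

/* Strength check. It is only ever handed a non-empty password, so it does
 * not need to know (or decide) whether blank passwords are permitted. */
static bool password_is_strong(const struct policy *p, const char *pw)
{
    size_t len = strlen(pw);
    bool digit = false;
    if (len < p->min_length)
        return false;
    for (size_t i = 0; i < len; i++)
        if (isdigit((unsigned char)pw[i]))
            digit = true;
    return !p->require_digit || digit;
}

/* Step 1: create the account with no credential at all (no password parameter). */
int add_user(struct account *acct, const char *name)
{
    if (acct == NULL || name == NULL || strlen(name) >= sizeof acct->name)
        return -1;
    memset(acct, 0, sizeof *acct);
    strcpy(acct->name, name);
    acct->has_password = false;   /* nothing can log in until set_password() */
    return 0;
}

/* Step 2: the explicit call that sets a password under policy.
 * NULL and "" are distinct cases and are handled before the strength check. */
enum setpw_result set_password(const struct policy *p, struct account *acct, const char *pw)
{
    if (pw == NULL)
        return SETPW_NULL_PASSWORD;
    if (pw[0] == '\0') {
        if (!p->allow_blank)
            return SETPW_BLANK_NOT_ALLOWED;
        /* blank admitted by policy: skipping the strength check is correct here */
    } else if (!password_is_strong(p, pw)) {
        return SETPW_WEAK;
    }
    toy_crypt(pw, acct->crypted);
    acct->has_password = true;
    return SETPW_OK;
}

/* Login: an account with no credential never authenticates, not even with "". */
bool check_login(const struct account *acct, const char *pw)
{
    char probe[32];
    if (acct == NULL || !acct->has_password || pw == NULL)
        return false;
    toy_crypt(pw, probe);
    return strcmp(acct->crypted, probe) == 0;
}
```

The point of the has_password flag is that "no password set" is a locked state rather than an empty credential; without it, an account added with the password parameter removed would behave exactly like one given "" and the policy gate would be bypassed. The strcmp() comparison and FNV-1a hash are placeholders for the example only; real code compares hashes in constant time and uses a proper password hash.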