Dmitry Morozovsky
2006-Sep-25 00:45 UTC
chpass(1) patch for changing only crypted passwords
Dear colleagues, chpass is a bit broken since chpass.c:1.23 - it uses pw_equal which does not check crypted password field; so, you can not change _only_ crypt pass with chpass. Attached patch fixes this. Any thoughts/objections? Sincerely, D.Marck [DM5020, MCK-RIPE, DM3-RIPN] ------------------------------------------------------------------------ *** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru *** ------------------------------------------------------------------------ -------------- next part -------------- Index: usr.bin/chpass/chpass.c ==================================================================RCS file: /home/ncvs/src/usr.bin/chpass/chpass.c,v retrieving revision 1.27 diff -u -r1.27 chpass.c --- usr.bin/chpass/chpass.c 18 Jan 2004 21:46:39 -0000 1.27 +++ usr.bin/chpass/chpass.c 25 Sep 2006 07:42:25 -0000 @@ -217,7 +217,12 @@ pw_fini(); if (pw == NULL) err(1, "edit()"); - if (pw_equal(old_pw, pw)) + /* + * pw_equal does not check for crypted passwords, so we + * should do it explicitly + */ + if (pw_equal(old_pw, pw) && + strcmp(old_pw->pw_passwd, pw->pw_passwd) == 0) errx(0, "user information unchanged"); }
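Review bot: the strcmp(old_pw->pw_passwd, pw->pw_passwd) added to the condition in front of errx(0, "user information unchanged") fixes the comparison only at this call site, so pw_equal itself still reports two entries that differ only in the crypted password as equal. Either move the password comparison into pw_equal, or extend the new comment to say why pw_equal is meant to skip that field, so the next caller does not hit the same problem. The strcmp also dereferences both pw_passwd pointers unconditionally. Nothing in the visible context shows they are non-NULL after edit(), so confirm that or guard the call.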
Dag-Erling Smørgrav
2006-Sep-25 01:54 UTC
chpass(1) patch for changing only crypted passwords
Dmitry Morozovsky <marck@rinet.ru> writes:
> chpass is a bit broken since chpass.c:1.23 - it uses pw_equal which
> does not check crypted password field; so, you can not change _only_
> crypt pass with chpass. Attached patch fixes this.

Looks fine to me, feel free to commit.

DES
--
Dag-Erling Smørgrav - des@des.no
Dmitry Morozovsky
2006-Sep-25 10:50 UTC
chpass(1) patch for changing only crypted passwords
On Mon, 25 Sep 2006, Dag-Erling Smørgrav wrote:

DS> Dmitry Morozovsky <marck@rinet.ru> writes:
DS> > chpass is a bit broken since chpass.c:1.23 - it uses pw_equal which
DS> > does not check crypted password field; so, you can not change _only_
DS> > crypt pass with chpass. Attached patch fixes this.
DS>
DS> Looks fine to me, feel free to commit.

Done, thanks.

BTW, a question inspired by ru@: why does pw_equal() skip the password field? Its interface is unpublished, and the only consumers are

marck@woozle:/lh/src.current> grep -Rl pw_equal .
./lib/libutil/libutil.h
./lib/libutil/pw_util.c
./release/picobsd/tinyware/passwd/pw_copy.c
./usr.bin/chpass/chpass.c

and tinyware is a false alarm ;)

Sincerely,
D.Marck [DM5020, MCK-RIPE, DM3-RIPN]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
------------------------------------------------------------------------