Bug#355268: [Pkg-shadow-devel] Bug#355268: passwd: config script report errors when root user is disabled

Alexander Gattin xrgtn at yandex.ru
Sat Mar 4 23:08:18 UTC 2006


Hi!

On Sat, Mar 04, 2006 at 07:08:20PM +0100, Nicolas François wrote:
> Anyway, I will add the x, because it fails with ash otherwise.

Yes, I had big concerns about not having "x" in front
of expanded password. However, because I didn't succeed
trying to exploit this using bash's test or GNU test
(/usr/bin/test), I didn't report my concerns.

// bash's test and GNU test are too cunning to
// allow exploit of [ "$smth" ] && [ "$smth" != '*' ]
// (more complex expressions may or may not be
// exploited, though...)

P.S.

> Your patch also makes root_password to return 0 when the /etc/passwd
> passwd is set to ! (and it does not check if the /etc/shadow passwd is set
> to !). What is it used for?

Yes, looks unnatural. Can '!' at all appear in
/etc/passwd? Maybe yes, when there's no /etc/shadow at
all...

P.P.S.

Should we reopen the bug and fix with more bulletproof
patch?

-- 
I didn't want to suggest "x" without providing POF...
xrgtn




More information about the Pkg-shadow-devel mailing list