[OpenWrt-Devel] [PATCH rpcd] session: deny access if password login is disabled
Fabian Bläse
fabian at blaese.de
Tue Mar 17 11:55:57 EDT 2020
The special characters '!' and '*' in /etc/shadow are
used to disable password login for a specific account.
The character 'x' has no special meaning, but should not
be interpreted as an empty password.
However, rpcd did treat these special characters like no
password was set, which allows access even though the account
is disabled.
By removing the additional checks for these characters, the
encrypted password string is passed to crypt, which returns NULL
if the salt has an invalid format and therefore access is denied.
Fixes: FS#2634
Signed-off-by: Fabian Bläse <fabian at blaese.de>
---
resend: add missing rpcd to subject
---
session.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/session.c b/session.c
index 13a2ef3..908e298 100644
--- a/session.c
+++ b/session.c
@@ -795,7 +795,7 @@ rpc_login_test_password(const char *hash, const char *password)
char *crypt_hash;
/* password is not set */
- if (!hash || !*hash || !strcmp(hash, "!") || !strcmp(hash, "x"))
+ if (!hash || !*hash)
{
return true;
}
--
2.25.1
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list