RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-26 23:07:36 +00:00
Code Issues Activity Actions

LibCore: Always fail Account authentication on missing shadow entry

Browse source 
If a user is missing from /etc/shadow, we used to just allow anyone to
authenticate as that user without a password.

With this patch, authentication will instead always fail.
This commit is contained in:
Andreas Kling 2021-01-21 11:31:12 +01:00
parent 439f447ba8
commit 3b80358142
2 changed files with 9 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

6
Userland/Libraries/LibCore/Account.cpp
View file

@ -102,6 +102,10 @@ Result<Account, String> Account::from_uid(uid_t uid)
bool Account::authenticate(const char* password) const
{
// If there was no shadow entry for this account, authentication always fails.
if (m_password_hash.is_null())
return false;
// An empty passwd field indicates that no password is required to log in.
if (m_password_hash.is_empty())
return true;
@ -206,7 +210,7 @@ void Account::load_shadow_file()
auto line = shadow_file->read_line();
if (line.is_null())
break;
auto parts = line.split(':');
auto parts = line.split(':', true);
if (parts.size() != 2) {
dbgln("Malformed shadow entry, ignoring.");
continue;