RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-28 09:07:44 +00:00
Code Issues Activity Actions

LibCore: Always fail Account authentication on missing shadow entry

Browse source 
If a user is missing from /etc/shadow, we used to just allow anyone to
authenticate as that user without a password.

With this patch, authentication will instead always fail.
This commit is contained in:
Andreas Kling 2021-01-21 11:31:12 +01:00
parent 439f447ba8
commit 3b80358142
2 changed files with 9 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

7
Userland/Libraries/LibCore/Account.h
View file

@ -51,7 +51,10 @@ public:
void set_password(const char* password);
void set_password_enabled(bool enabled);
void delete_password();
bool has_password() const { return !m_password_hash.is_empty(); }
// A null password means that this account was missing from /etc/shadow.
// It's considered to have a password in that case, and authentication will always fail.
bool has_password() const { return !m_password_hash.is_empty() || m_password_hash.is_null(); }
uid_t uid() const { return m_uid; }
gid_t gid() const { return m_gid; }
@ -73,8 +76,6 @@ private:
String m_username;
// Contents of passwd field in passwd entry.
// Can be empty, "x", or contain a leading '!'
String m_password_hash;
uid_t m_uid { 0 };
gid_t m_gid { 0 };