session: deny access if password login is disabled
The special characters '!' and '*' in /etc/shadow are used to disable password login for a specific account. The character 'x' has no special meaning, but should not be interpreted as an empty password.

However, rpcd did treat these special characters like no password was set, which allows access even though the account is disabled.

By removing the additional checks for these characters, the encrypted password string is passed to crypt, which returns NULL if the salt has an invalid format and therefore access is denied.

Fixes: FS#2634
Signed-off-by: Fabian Bläse <fabian@blaese.de>
parent efe51f41d6
commit 3df62bcebd
1 changed files with 1 additions and 1 deletions
|
@ -795,7 +795,7 @@ rpc_login_test_password(const char *hash, const char *password)
|
|||
char *crypt_hash;
|
||||
|
||||
/* password is not set */
|
||||
if (!hash || !*hash || !strcmp(hash, "!") || !strcmp(hash, "x"))
|
||||
if (!hash || !*hash)
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
|
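Review bot: The early return in the new `if (!hash || !*hash)` branch now covers only a missing or empty field, so rejecting "!" and "x" (and "*", which the commit message names but the removed condition never tested) depends entirely on the crypt() handling after this hunk, which is not visible here. Please confirm that code treats a NULL `crypt_hash` as a failed login before any comparison, and consider extending the `/* password is not set */` comment to say that locked-account markers deliberately fall through to crypt() and must be denied. Note also that an empty hash still returns true for any supplied password; if that is intended for passwordless accounts, the comment should say so.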