On 09/21/2015 08:55 AM, Drew Wells wrote:
>> I think that permitting a null password, if policy does not admit it,
>> is a security hole.
>> Prefer you add another explicit call to be called for no password
>> checking (at all).
>> 
>> Regards,
>> 
>> Tonino
>> 
>> 
>>> 
>>> This is going to be the patch I use here, does anyone want this patch?
>> 
> Wouldn't it actually be easier to remove the password parameter from
> vadduser() and then vadduser.c can add a user (without a password) and
> then optionally set a password using vauth_setpw()?  This is exactly
> what it should do at the moment for adding a user with a crypted
> password, the user is added, then the crypted password is set using
> vauth_setpw().

Because vadduser() previously supported an empty password ("\0"), the
change to check for this and skip the password strength testing won't be
changing its functionality.  The password strength check was not meant
to prevent blank passwords, so the fact that it broke the ability to set
one would be a bug, and skipping the call to the password strength
checker would be a bug fix.  vadduser should not, however, be called
with a NULL password.
-- 
/*
    Matt Brookings <m...@inter7.com>       GnuPG Key 62817373
    Software developer                     Systems technician
    Inter7 Internet Technologies, Inc.     (815)776-9465
*/
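The three cases the message distinguishes (a NULL pointer is a caller bug, an empty string means "no password" and bypasses the strength test, anything else must pass it), written out as an added illustration that is not vpopmail's code: the function and status names here are constructed, and the strength rule is a stand-in for whatever checker vadduser() actually calls.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed status codes for this illustration (not vpopmail's own). */
enum pw_status { PW_OK = 0, PW_NULL_ARG = -1, PW_TOO_WEAK = -2 };

/* Hypothetical strength test standing in for the real checker:
 * at least 8 characters containing both a letter and a digit. */
static int pw_strength_ok(const char *pw)
{
    int has_alpha = 0, has_digit = 0;
    size_t n = strlen(pw);
    for (size_t i = 0; i < n; i++) {
        if (isalpha((unsigned char)pw[i])) has_alpha = 1;
        if (isdigit((unsigned char)pw[i])) has_digit = 1;
    }
    return n >= 8 && has_alpha && has_digit;
}

/* Decide what an adduser-style routine should do with its password
 * argument. The NULL test must come first: strlen(NULL) would crash,
 * which is why the thread says the function must never be passed NULL.
 * Whether a blank password is acceptable at all is the policy question
 * raised earlier in the thread; this mirrors the described behaviour. */
int check_adduser_password(const char *pw)
{
    if (pw == NULL)
        return PW_NULL_ARG;   /* caller bug, reject */
    if (pw[0] == '\0')
        return PW_OK;         /* blank password: skip strength test */
    return pw_strength_ok(pw) ? PW_OK : PW_TOO_WEAK;
}

int main(void)
{
    /* Constructed sample inputs covering each branch. */
    const char *samples[] = { NULL, "", "short", "abcdefgh1" };
    for (size_t i = 0; i < 4; i++)
        printf("%-12s -> %d\n", samples[i] ? samples[i] : "(NULL)",
               check_adduser_password(samples[i]));
    return 0;
}
```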