Bug 78153

Summary: empty /etc/password password overrides /etc/shadow
Product: [Retired] Red Hat Linux Reporter: Ronan Waide <waider>
Component: pwdbAssignee: Nalin Dahyabhai <nalin>
Status: CLOSED NOTABUG QA Contact: Jay Turner <jturner>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.3CC: srevivo
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: i686   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2002-12-18 18:32:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ronan Waide 2002-11-19 14:39:55 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1) Gecko/20020827

Description of problem:
Having configured my machine to use shadow passwords, I noticed that by removing
the 'x' from the password field in /etc/passwords, I can log into the associated
account without any password.

Version-Release number of selected component (if applicable):
pwdb-0.61.2-2

How reproducible:
Always

Steps to Reproduce:
1. Configure for shadow passwords
2. Edit /etc/passwd, remove the 'x' from the root account passwd field
3. Log in as root sans password
	

Actual Results:  Login succeeds

Expected Results:  I would expect the shadow file to override the password file.
However, this may be conforming to some standard that I'm unaware of. Either
way, I believe this behaviour should be either documented or fixed as appropriate.

It's also difficult to track down, since 'passwd' updates the shadow file
correctly but does not alert the user to the error in the passwd file.

Additional info:
The machine in question is running 7.3 with all updates. I am guessing that pwdb
is the component at fault since it's the bit concerned with talking to
/etc/passwd and /etc/shadow.
Comment 1 Alan Cox 2002-12-18 18:32:38 UTC 
Its expected unix behaviour. You can stop null being allowed like that by
removing the "nullok" in the PAM configuration. See the PAM docs