Red Hat Bugzilla – Bug 78153
empty /etc/password password overrides /etc/shadow
Last modified: 2015-01-07 19:01:45 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1) Gecko/20020827
Description of problem:
Having configured my machine to use shadow passwords, I noticed that by removing
the 'x' from the password field in /etc/passwords, I can log into the associated
account without any password.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Configure for shadow passwords
2. Edit /etc/passwd, remove the 'x' from the root account passwd field
3. Log in as root sans password
Actual Results: Login succeeds
Expected Results: I would expect the shadow file to override the password file.
However, this may be conforming to some standard that I'm unaware of. Either
way, I believe this behaviour should be either documented or fixed as appropriate.
It's also difficult to track down, since 'passwd' updates the shadow file
correctly but does not alert the user to the error in the passwd file.
The machine in question is running 7.3 with all updates. I am guessing that pwdb
is the component at fault since it's the bit concerned with talking to
/etc/passwd and /etc/shadow.
Its expected unix behaviour. You can stop null being allowed like that by
removing the "nullok" in the PAM configuration. See the PAM docs