Bug 78153 - empty /etc/password password overrides /etc/shadow
Summary: empty /etc/password password overrides /etc/shadow
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: pwdb
Version: 7.3
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Jay Turner
Depends On:
TreeView+ depends on / blocked
Reported: 2002-11-19 14:39 UTC by Ronan Waide
Modified: 2015-01-08 00:01 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2002-12-18 18:32:38 UTC

Attachments (Terms of Use)

Description Ronan Waide 2002-11-19 14:39:55 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1) Gecko/20020827

Description of problem:
Having configured my machine to use shadow passwords, I noticed that by removing
the 'x' from the password field in /etc/passwords, I can log into the associated
account without any password.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure for shadow passwords
2. Edit /etc/passwd, remove the 'x' from the root account passwd field
3. Log in as root sans password

Actual Results:  Login succeeds

Expected Results:  I would expect the shadow file to override the password file.
However, this may be conforming to some standard that I'm unaware of. Either
way, I believe this behaviour should be either documented or fixed as appropriate.

It's also difficult to track down, since 'passwd' updates the shadow file
correctly but does not alert the user to the error in the passwd file.

Additional info:
The machine in question is running 7.3 with all updates. I am guessing that pwdb
is the component at fault since it's the bit concerned with talking to
/etc/passwd and /etc/shadow.

Comment 1 Alan Cox 2002-12-18 18:32:38 UTC
Its expected unix behaviour. You can stop null being allowed like that by
removing the "nullok" in the PAM configuration. See the PAM docs

Note You need to log in before you can comment on or make changes to this bug.