Description of problem: two or more usernames w/ same uid (eg u1:1001 and u2:1001). log in as u2; run passwd; passwd will say "Changing password for user u1", and will change u1's password, if u1 is first in /etc/passwd. Version-Release number of selected component (if applicable): applies to all versions since 5.2, I believe How reproducible: 100% Steps to Reproduce: 1. (as root) useradd u1; useradd u2 2. edit /etc/passwd file to change uid for u2 to be same as uid for u1 3. chown -R u1 /home/u2 4. su - u2 5. passwd Actual results: "Changing password for user u1" Expected results: "Changing password for user u2" Additional info: The behavior of passwd changed after 5.2, apparently in an attempt to avoid the insecurity of the getlogin function. However, the insecurity of getlogin is not, I believe, really an issue, since the getuid check still applies.
This is a difficult problem to fix securely, and it may be impossible to do a job that that is both complete and secure. I have a patch that I believe does OK (it meets my needs, at least), and I have been using it for some time now. It would be much better, of course, if the functionality was supported.
Kent, could you send the patch here?
Having two users with the same uid isn't supported well by many system utilities so I don't think passwd is too different from the rest of the system.