From c25a858bb548b4eb881dabbf10aed4a08b11e973 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Mon, 15 Jan 2024 21:36:38 +0100
Subject: pam_unix: do not allow comma as a field separator

The opasswd file shall not use comma as a separator. Enforce colon just like pam_pwhistory does as well.

A comma can be part of a user name, although its usage is discouraged. If such a user exists, it could happen that stored passwords of another user are checked.

Signed-off-by: Tobias Stoeckmann
---
 modules/pam_unix/passverify.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'modules/pam_unix/passverify.c')

diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index 426d4028..5c4f862e 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -730,7 +730,7 @@ save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass,
     }
 
     for (; getline(&buf, &bufsize, opwfile) != -1; pam_overwrite_n(buf, bufsize)) {
-	if (!strncmp(buf, forwho, len) && strchr(":,\n", buf[len]) != NULL) {
+	if (!strncmp(buf, forwho, len) && strchr(":\n", buf[len]) != NULL) {
 	    char *ep, *sptr = NULL;
 	    long value;
 	    found = 1;
@@ -752,7 +752,7 @@ save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass,
 		found = 0;
 		continue;
 	    }
-	    s_pas = strtok_r(NULL, ":", &sptr);
+	    s_pas = strtok_r(NULL, "", &sptr);
 	    value = strtol(s_npas, &ep, 10);
 	    if (value < 0 || value >= INT_MAX || s_npas == ep || *ep != '\0')
 		npas = 0;
-- 
cgit v1.2.3
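Review bot: The separator test on the changed `if` line still accepts a record that ends exactly where the user name does, because `strchr` also matches the terminating NUL of its set string, so `buf[len] == '\0'` passes; narrowing the set from `":,\n"` to `":\n"` does not change that. This is presumably harmless today, since the second hunk shows the record being rejected (`found = 0; continue;`) when the following `strtok_r` fields are missing, but the intent is clearer and the NUL case disappears with an explicit comparison: `if (!strncmp(buf, forwho, len) && (buf[len] == ':' || buf[len] == '\n')) {`. `len` is computed outside the hunk, and save_old_password starts and ends outside it.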
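Review bot: `strtok_r(NULL, "", &sptr)` on the added line reads like a typo unless it is documented: with an empty delimiter set the call returns the whole remainder of the line (or NULL when nothing is left), which appears to be the intent — the stored-password field is taken verbatim instead of being cut at a stray ':'. A short comment keeps the next reader from "fixing" it back to `":"`: `/* empty delimiter set: take the rest of the line verbatim as the old-password field */`. Note that the remainder still carries the newline left by getline() whenever no further ':' followed, exactly as before this change; the code after this hunk is outside the view, so please confirm it strips the newline before the field is compared or rewritten.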