Date:      Mon, 16 Jun 2003 11:52:33 +0900 (JST)
From:      Hideki SAKAMOTO <sakamoto@hlla.is.tsukuba.ac.jp>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   bin/53434: pw disallow a password including space.
Message-ID:  <200306160252.h5G2qXZh033094@hroptr.secup.is.tsukuba.ac.jp>
Resent-Message-ID: <200306180640.h5I6eBIZ087547@freefall.freebsd.org>

>Number:         53434
>Category:       bin
>Synopsis:       pw disallow a password including space.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 17 23:40:11 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Hideki SAKAMOTO
>Release:        FreeBSD 4.7-RELEASE-p10 i386
>Organization:
HLLA Lab, Univ. of Tsukuba, Japan
>Environment:
System: FreeBSD xxx.xxx 4.7-RELEASE-p10 FreeBSD 4.7-RELEASE-p10 #5: Mon Mar 31 18:49:11 JST 2003 xxx.xxx:/usr/obj/usr/src/sys/XXXXX i386


>Description:
	The pw command cuts off a password at the first whitespace character (space or tab),
	though the passwd command allows a password including these space chars.
>How-To-Repeat:
	# echo "space space space" | /usr/sbin/pw useradd testuser -m -h 0 
	# su - testuser
	$ passwd testuser
	Changing local password for testuser.
	Old password: <input "space space space">
	passwd: Permission denied
	passwd: /etc/master.passwd: unchanged
	$ passwd testuser
	Changing local password for testuser.
	Old password: <input "space">
	New password: <input "space space space">
	Retype new password: <input "space space space">
	passwd: updating the database...
	passwd: done
	$

>Fix:
	apply this patch to /usr/src/usr.sbin/pw/pw_user.c


*** pw_user.c.old	Mon Jun 16 11:22:01 2003
--- pw_user.c	Mon Jun 16 11:22:15 2003
***************
*** 639,645 ****
  				return EX_IOERR;
  			}
  			line[b] = '\0';
! 			if ((p = strpbrk(line, " \t\r\n")) != NULL)
  				*p = '\0';
  			if (!*line)
  				errx(EX_DATAERR, "empty password read on file descriptor %d", fd);
--- 639,645 ----
  				return EX_IOERR;
  			}
  			line[b] = '\0';
! 			if ((p = strpbrk(line, "\r\n")) != NULL)
  				*p = '\0';
  			if (!*line)
  				errx(EX_DATAERR, "empty password read on file descriptor %d", fd);
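Review bot: with the delimiter set on the changed strpbrk line reduced to "\r\n", leading and trailing spaces or tabs on the input line now become part of the password, and the following `if (!*line)` check only rejects a zero-length string, so a line made up solely of spaces or tabs is accepted as a password. Callers that write the password to the descriptor with trailing blanks before the newline will silently end up with a different password than before the change. Consider adding a comment at the strpbrk call, and a sentence in the documentation for -h, stating that everything up to the end of line is taken verbatim, and decide whether a whitespace-only line should be rejected alongside the existing empty-password check.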
>Release-Note:
>Audit-Trail:
>Unformatted:


