From 9bee0a595d55ece184891c42dbf10cdcd92e4023 Mon Sep 17 00:00:00 2001
From: des
Date: Thu, 24 Apr 2003 12:26:25 +0000
Subject: Remove a bogus null password check which assumed that a user with an empty password must necessarily have an empty pwd->pw_passwd. Also add a check that prevents users from setting a blank password unless the nullok option was specified. Root is still allowed to give anyone a blank password.
---
lib/libpam/modules/pam_unix/pam_unix.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'lib')
diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c
index de7dcc8..afceb0e 100644
--- a/lib/libpam/modules/pam_unix/pam_unix.c
+++ b/lib/libpam/modules/pam_unix/pam_unix.c
@@ -337,8 +337,10 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
PAM_LOG("Got old password");
/* always encrypt first */
encrypted = crypt(old_pass, pwd->pw_passwd);
- if ((old_pass[0] == '\0' && pwd->pw_passwd[0] != '\0') ||
- strcmp(encrypted, pwd->pw_passwd) != 0)
+ if (old_pass[0] == '\0' &&
+ !pam_test_option(&options, PAM_OPT_NULLOK, NULL))
+ return (PAM_PERM_DENIED);
+ if (strcmp(encrypted, pwd->pw_passwd) != 0)
return (PAM_PERM_DENIED);
} else if (flags & PAM_UPDATE_AUTHTOK) {
@@ -364,6 +366,10 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
return (retval);
}
+ if (getuid() != 0 && new_pass[0] == '\0' &&
+ !pam_test_option(&options, PAM_OPT_NULLOK, NULL))
+ return (PAM_PERM_DENIED);
+
if ((old_pwd = pw_dup(pwd)) == NULL)
return (PAM_BUF_ERR);
--
cgit v1.1
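Review bot: The new `if (strcmp(encrypted, pwd->pw_passwd) != 0)` dereferences `encrypted` unconditionally, but `crypt()` can return NULL (for example on an unsupported or malformed hash in pw_passwd), which would crash the password-change path instead of denying it; widen the test to `if (encrypted == NULL || strcmp(encrypted, pwd->pw_passwd) != 0)`. With the nullok option set, an empty old_pass now falls through to that same comparison, so for an account whose pw_passwd field is itself empty the check presumably only succeeds if crypt("", "") yields "" — worth confirming, since otherwise such a user can never pass the old-password check even with nullok and the commit message's stated intent is not met. A constant-time comparison would also be preferable to strcmp here, though that is a smaller concern than the NULL dereference. pam_sm_chauthtok starts before this hunk and continues after it.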