Only use /etc/shadow when crypt is "x"

Previously an entry in /etc/shadow would always be used in preference, which is not the documented behaviour of passwd(5) This also prevents login /etc/shadow lookup fails. Fixes #227 on github, reported by Paulo Cabral
mkj · Apr 4, 2024 · b085669 · b085669
1 parent 5a37e37
commit b085669
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/src/common-session.c b/src/common-session.c
@@ -653,10 +653,16 @@ void fill_passwd(const char* username) {
 	{
 		char *passwd_crypt = pw->pw_passwd;
 #ifdef HAVE_SHADOW_H
-		/* get the shadow password if possible */
-		struct spwd *spasswd = getspnam(ses.authstate.pw_name);
-		if (spasswd && spasswd->sp_pwdp) {
-			passwd_crypt = spasswd->sp_pwdp;
+		/* "x" for the passwd crypt indicates shadow should be used */
+		if (pw->pw_passwd && strcmp(pw->pw_passwd, "x") == 0) {
+			/* get the shadow password */
+			struct spwd *spasswd = getspnam(ses.authstate.pw_name);
+			if (spasswd && spasswd->sp_pwdp) {
+				passwd_crypt = spasswd->sp_pwdp;
+			} else {
+				/* Fail if missing in /etc/shadow */
+				passwd_crypt = "!!";
+			}
 		}
 #endif
 		if (!passwd_crypt) {