Subject: Re: Changing user passwd thru a program
To: Sumeet Malhotra <smalhotra@rhapsodynetworks.com>
From: Steven M. Bellovin <smb@research.att.com>
List: netbsd-users
Date: 04/17/2002 13:30:29
In message <45BEF1D68145D51186C100B0D0AABE659FEB1D@med.corp.rhapsodynetworks.com>, Sumeet Malhotra writes:
>Hi all,
>
>I'm trying to write an API to provide user passwd change facility. It should
>work exactly the same way a normal "passwd" program works, except that it
>takes the 3 arguments - username, oldpass and newpass as function args.
>
>I modelled the program exactly on the lines of the NetBSD passwd source
>code, but the program fails when trying to compare the oldpass with the
>existing one in the /etc/passwd file. The code to compare the oldpass with
>existing one is :
>
>if (strcmp(crypt(oldpw, pw->pw_passwd), pw->pw_passwd) != 0)
>        return ACCESS_DENIED;
>
>Here pw->pw_passwd is the password entry from /etc/passwd file.
>
>The /etc/passwd file uses "*" as the passwd entries which means that the
>passwords are to be looked up somewhere else (possibly master.passwd file?).
>The string compare tries to compare the encrypted password with "*" and
>fails.
>

See getpwent(3) -- unless you're running as root, you get the '*'.  If 
you are running as root, you get the real hashed password.

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com
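
The behaviour described in the reply, as an added example that is not part of the original thread: a check that tells the "*" placeholder an unprivileged caller receives apart from a real mismatch, and handles a NULL return from the hash function. The names `pw_check`, `check_old_password`, `equal_ct` and `demo_hash` are hypothetical; `demo_hash` is a constructed stand-in so the block builds without libcrypt, and real code would pass `crypt`.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

enum pw_check { PW_OK, PW_DENIED, PW_HASH_HIDDEN };  /* hypothetical codes */
/* Same signature as crypt(3); injected so this builds without libcrypt. */
typedef char *(*hash_fn)(const char *key, const char *setting);
/* Constructed stand-in for crypt(3), for the demo only: not a real hash.
 * Like crypt(3), it returns NULL for a setting it does not recognise. */
char *demo_hash(const char *key, const char *setting)
{
    static char out[128];
    if (strncmp(setting, "$demo$", 6) != 0)
        return NULL;
    snprintf(out, sizeof out, "$demo$%s", key);
    return out;
}

/* Compare without stopping at the first differing byte. */
static int equal_ct(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* field: pw_passwd from getpwnam(3); euid: the caller's geteuid(). */
enum pw_check check_old_password(const char *field, const char *oldpw,
                                 uid_t euid, hash_fn hash)
{
    const char *computed;
    if (field == NULL || oldpw == NULL)
        return PW_DENIED;
    if (euid != 0 && strcmp(field, "*") == 0)
        return PW_HASH_HIDDEN;       /* placeholder, not a hash */
    if (field[0] == '\0' || strcmp(field, "*") == 0)
        return PW_DENIED;            /* example policy: no usable hash */
    computed = hash(oldpw, field);
    if (computed == NULL)            /* hash function failed */
        return PW_DENIED;
    return equal_ct(computed, field) ? PW_OK : PW_DENIED;
}

int main(void)
{
    printf("%d\n", check_old_password("*", "secret", 1000, demo_hash));
    return 0;
}
```

Returning a distinct code for the hidden-hash case lets the caller report a privilege problem instead of a wrong password.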