summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorMichal Zidek <mzidek@redhat.com>2012-10-01 18:08:36 +0200
committerJakub Hrozek <jhrozek@redhat.com>2012-10-03 20:25:09 +0200
commit2be3f0fb6f38042386975111a1e86e7b5850ac85 (patch)
tree1b3284452fefcb36d5be8df49264984086e5efed /src
parent799f04e2ccd434ea51e5c7f59c5d83210c220c90 (diff)
downloadsssd-2be3f0fb6f38042386975111a1e86e7b5850ac85.tar.gz
sssd-2be3f0fb6f38042386975111a1e86e7b5850ac85.tar.bz2
sssd-2be3f0fb6f38042386975111a1e86e7b5850ac85.zip
sss_seed: Make only first line of password file valid.
When file is used to specify a password in sss_seed, then only first line of this file is used. Also empty passwords are treated as errors. https://fedorahosted.org/sssd/ticket/1548
Diffstat (limited to 'src')
-rw-r--r--src/tools/sss_seed.c36
1 files changed, 36 insertions, 0 deletions
diff --git a/src/tools/sss_seed.c b/src/tools/sss_seed.c
index bcb260a1..9b8f69b1 100644
--- a/src/tools/sss_seed.c
+++ b/src/tools/sss_seed.c
@@ -196,6 +196,14 @@ static int seed_password_input_prompt(TALLOC_CTX *mem_ctx, char **_password)
ret = EINVAL;
goto done;
}
+
+ /* Do not allow empty passwords */
+ if (strlen(temp) == 0) {
+ ERROR("Empty passwords are not allowed.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
password = talloc_strdup(tmp_ctx, temp);
if (password == NULL) {
ret = ENOMEM;
@@ -235,6 +243,8 @@ static int seed_password_input_file(TALLOC_CTX *mem_ctx,
uint8_t buf[PASS_MAX+1];
int fd = -1;
int ret = EOK;
+ int valid_i;
+ int i;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
@@ -266,6 +276,32 @@ static int seed_password_input_file(TALLOC_CTX *mem_ctx,
close(fd);
buf[len] = '\0';
+ /* Only the first line is valid (without '\n'). */
+ for (valid_i = -1; valid_i + 1 < len; valid_i++) {
+ if (buf[valid_i + 1] == '\n') {
+ buf[valid_i + 1] = '\0';
+ break;
+ }
+ }
+
+ /* Do not allow empty passwords. */
+ if (valid_i < 0) {
+ ERROR("Empty passwords are not allowed.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ /* valid_i is the last valid index of the password followed by \0.
+ * If characters other than \n occur int the rest of the file, it
+ * is an error. */
+ for (i = valid_i + 2; i < len; i++) {
+ if (buf[i] != '\n') {
+ ERROR("Multi-line passwords are not allowed.\n");
+ ret = EINVAL;
+ goto done;
+ }
+ }
+
password = talloc_strdup(tmp_ctx, (char *)buf);
if (password == NULL) {
ret = ENOMEM;