Age | Commit message | Author |
|
Each of these strings would previously rely on StringView's char const*
constructor overload, which would call __builtin_strlen on the string.
Since we now have operator ""sv, we can replace these with much simpler
versions. This opens the door to being able to remove
StringView(char const*).
No functional changes.
|
StringView was used where possible. Some utilities still use libc
functions which expect null-terminated strings, so String objects were
used there instead.
|
This matches the API of Account::authenticate. The only caller to this
API is the passwd utility, which already has the new password stored as
a SecretString.
|
To encourage users to use the SecretString API, change the API so that
Account::authenticate only accepts a SecretString.
|
We shouldn't let secrets sit around in memory, as they could potentially
be retrieved by an attacker, or left in memory during a core dump.
|
The user should use the delete flag when wanting to issue an empty
password. passwd should return an error after receiving empty input.
|
passwd should explicitly indicate the status of the password change.
|
Previously passwd would accept the first password input by the user. It
should ask the user to re-type the password to check for mismatches and
prevent typos in the password.
|
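Added example, not SerenityOS code: it ties together the three points from the commit messages above (wipe secrets from memory instead of letting them linger for a core dump or an attacker, refuse an empty password, and require the password to be re-typed and match). The names SecretString, secure_zero, read_new_password and PasswordInputResult are my own, as are the sample prompt inputs; the project's real SecretString and passwd code are not reproduced here.

```cpp
#include <cstddef>
#include <string>
#include <string_view>
#include <utility>
#include <vector>

// Zero a buffer through a volatile pointer so the compiler cannot drop the
// stores as "dead" when the buffer is about to be freed.
static void secure_zero(void* ptr, size_t length)
{
    volatile unsigned char* p = static_cast<volatile unsigned char*>(ptr);
    while (length--)
        *p++ = 0;
}

// Owns a password and guarantees the bytes are wiped when it goes away.
// Not copyable: every copy would be another place the secret lingers.
class SecretString {
public:
    SecretString() = default;
    // Takes the plaintext out of `plaintext` and wipes the caller's copy.
    explicit SecretString(std::string& plaintext)
        : m_buffer(plaintext.begin(), plaintext.end())
    {
        secure_zero(plaintext.data(), plaintext.size());
        plaintext.clear();
    }
    SecretString(SecretString const&) = delete;
    SecretString& operator=(SecretString const&) = delete;
    SecretString(SecretString&&) = default;
    SecretString& operator=(SecretString&& other)
    {
        wipe(); // do not free the old secret without zeroing it first
        m_buffer = std::move(other.m_buffer);
        return *this;
    }
    ~SecretString() { wipe(); }

    std::string_view view() const { return { m_buffer.data(), m_buffer.size() }; }
    bool is_empty() const { return m_buffer.empty(); }
    void wipe()
    {
        secure_zero(m_buffer.data(), m_buffer.size());
        m_buffer.clear();
    }

private:
    std::vector<char> m_buffer;
};

enum class PasswordInputResult { Ok, Empty, Mismatch };

// The passwd flow described above: an empty password is refused (the delete
// flag exists for that), and the password must be typed twice and match.
// `first` and `second` stand in for the two prompt responses (constructed
// inputs; a real tool would read them from the terminal with echo off).
static PasswordInputResult read_new_password(std::string first, std::string second, SecretString& out)
{
    SecretString candidate(first);
    SecretString confirmation(second);
    if (candidate.is_empty() || confirmation.is_empty())
        return PasswordInputResult::Empty;
    // Both values come from the same user at the prompt, so an ordinary
    // comparison is fine here; this is not a secret-versus-guess check.
    if (candidate.view() != confirmation.view())
        return PasswordInputResult::Mismatch;
    out = std::move(candidate);
    return PasswordInputResult::Ok;
}

int main()
{
    SecretString password;
    return read_new_password("hunter2", "hunter2", password) == PasswordInputResult::Ok ? 0 : 1;
}
```

On the Mismatch and Empty paths both temporaries are destroyed before the function returns, so the rejected input is wiped rather than left in freed heap memory; the caller's `out` is only touched on success.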
This changes passwd to authenticate non-root users before prompting for a
new password.
|
SPDX License Identifiers are a more compact / standardized
way of representing file license information.
See: https://spdx.dev/resources/use/#identifiers
This was done with the `ambr` search and replace tool.
ambr --no-parent-ignore --key-from-file --rep-from-file key.txt rep.txt *
|
We needed this for mkstemp() since it used lstat() internally. Now that
it only uses open(), we don't need to pledge "rpath".
|
Now that we've moved to atomic replacement of these files when altering
them, we don't need to keep them open for the lifetime of Core::Account
so just simplify this and close them when they are not needed.
|
Before this patch, we had a nasty race condition when changing a user's
password: there was a time window between truncating /etc/shadow and
writing out its new contents, where you could simply "su" to root
without using a password.
Instead of writing directly to /etc/passwd and /etc/shadow, we now
create temporary files in /etc and fill them with the new contents.
Those files are then atomically renamed to /etc/passwd and /etc/shadow.
Sadly, fixing this race requires giving the passwd program a lot more
privileges. This is something we can and should improve upon. :^)
|
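Added example, not SerenityOS code, of the atomic-replacement pattern the commit above describes: the new contents are written to a temporary file created by mkstemp() in the same directory as the target (so rename() stays on one filesystem and is atomic), fsync'd, and then renamed over the target. Readers see either the old file or the complete new one; the truncate-then-write window that let anyone "su" to root without a password never exists. The function names, the scratch directory under /tmp and the sample shadow entries are my own constructions.

```cpp
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <dirent.h>
#include <fcntl.h>
#include <fstream>
#include <sstream>
#include <string>
#include <sys/stat.h>
#include <unistd.h>
#include <vector>

// Replace `path` with `contents` atomically. The target is never truncated;
// on any failure the temporary file is removed and `path` is left untouched.
static bool replace_file_atomically(std::string const& path, std::string const& contents, mode_t mode)
{
    // mkstemp() needs a writable, NUL-terminated template in the target's directory.
    std::string tmpl = path + ".XXXXXX";
    std::vector<char> tmp(tmpl.begin(), tmpl.end());
    tmp.push_back('\0');

    int fd = mkstemp(tmp.data());
    if (fd < 0)
        return false;
    std::string tmp_path(tmp.data());

    bool ok = true;
    // mkstemp() creates the file 0600; set the final mode while the file is
    // still reachable only through the temporary name.
    if (fchmod(fd, mode) < 0)
        ok = false;

    size_t written = 0;
    while (ok && written < contents.size()) {
        ssize_t n = write(fd, contents.data() + written, contents.size() - written);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            ok = false;
        } else {
            written += static_cast<size_t>(n);
        }
    }

    // Get the bytes onto disk before the rename makes them "the" file.
    if (ok && fsync(fd) < 0)
        ok = false;
    if (close(fd) < 0)
        ok = false;
    // rename() is atomic on POSIX: other processes see the old inode or the new one.
    if (ok && rename(tmp_path.c_str(), path.c_str()) < 0)
        ok = false;
    if (!ok)
        unlink(tmp_path.c_str()); // never leave a half-written file behind
    return ok;
}

static std::string read_file(std::string const& path)
{
    std::ifstream in(path, std::ios::binary);
    std::stringstream ss;
    ss << in.rdbuf();
    return ss.str();
}

// Number of entries in `dir` other than "." and "..", or -1 on error.
static int count_entries(std::string const& dir)
{
    DIR* d = opendir(dir.c_str());
    if (!d)
        return -1;
    int count = 0;
    while (dirent* e = readdir(d)) {
        std::string name = e->d_name;
        if (name != "." && name != "..")
            ++count;
    }
    closedir(d);
    return count;
}

// Self-contained demo: a scratch directory stands in for /etc and the shadow
// entries are constructed sample data, not real hashes.
static bool run_demo()
{
    char dir_template[] = "/tmp/shadow-demo.XXXXXX";
    if (!mkdtemp(dir_template))
        return false;
    std::string dir = dir_template;
    std::string shadow = dir + "/shadow";

    std::string old_entry = "root:$old$hash:19000::::::\n";
    std::string new_entry = "root:$new$hash:19001::::::\n";

    bool ok = replace_file_atomically(shadow, old_entry, 0600)
        && read_file(shadow) == old_entry
        && replace_file_atomically(shadow, new_entry, 0600)
        && read_file(shadow) == new_entry
        && count_entries(dir) == 1; // no stray temporary files left behind

    struct stat st {};
    if (ok && (stat(shadow.c_str(), &st) < 0 || (st.st_mode & 0777) != 0600))
        ok = false;

    unlink(shadow.c_str());
    rmdir(dir.c_str());
    return ok;
}

int main()
{
    return run_demo() ? 0 : 1;
}
```

Two details matter for a file like /etc/shadow: the mode is fixed with fchmod() on the descriptor before the rename, so the file is never world-readable under its final name even briefly, and the temporary lives in the same directory as the target, which is also why the tool needs write access to that directory rather than just to the file (the "more privileges" the commit message mentions).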