From af8dc4373b25cce2c0bbb80f24e791f99eccbb6f Mon Sep 17 00:00:00 2001
From: John Sonnenschein
Date: Sun, 2 Oct 2011 03:36:04 -0400
Subject: 1556 no reason why passwd -e should be disallowed on FILES repo
Reviewed by: Richard Lowe
Reviewed by: Dan McDonald
Approved by: Richard Lowe
---
 usr/src/cmd/passwd/passwd.c | 8 --------
 usr/src/man/man1/passwd.1 | 10 +++++++---
 2 files changed, 7 insertions(+), 11 deletions(-)
(limited to 'usr/src')
diff --git a/usr/src/cmd/passwd/passwd.c b/usr/src/cmd/passwd/passwd.c
index e155f357f1..851de6f237 100644
--- a/usr/src/cmd/passwd/passwd.c
+++ b/usr/src/cmd/passwd/passwd.c
@@ -1066,14 +1066,6 @@ ckarg(int argc, char **argv, attrlist **attributes)
 if (repository.type == NULL)
 repository = __REPFILES;
- /*
- * Only privileged process can execute this
- * for FILES
- */
- if (IS_FILES(repository) && (ckuid() != SUCCESS)) {
- retval = NOPERM;
- return (FAIL);
- }
 if (flag & (EFLAG|SAFLAG|AGEFLAG)) {
 retval = BADOPT;
 return (FAIL);
diff --git a/usr/src/man/man1/passwd.1 b/usr/src/man/man1/passwd.1
index d7735ddf0f..c58f6e592b 100644
--- a/usr/src/man/man1/passwd.1
+++ b/usr/src/man/man1/passwd.1
@@ -439,9 +439,7 @@ returned by \fBdomainname\fR(1M).
 .ad
 .RS 17n
 .rt
-Changes the login shell. For the \fBfiles\fR repository, this only works for
-the superuser. Normal users can change the \fBldap\fR, \fBnis\fR, or
-\fBnisplus\fR repositories. The choice of shell is limited by the requirements
+Changes the login shell. The choice of shell is limited by the requirements
 of \fBgetusershell\fR(3C). If the user currently has a shell that is not allowed by \fBgetusershell\fR, only root can change it.
 .RE
@@ -1200,6 +1198,12 @@ Changing a password reactivates an account deactivated for inactivity for the length of the inactivity period.
 .sp
 .LP
+If \fB/etc/shells\fR is present, and is corrupted, it may provide an attack
+vector that would compromise the system. The \fBgetusershell\fR(3c) library
+call has a pre-vetted list of shells, so /etc/shells should be used with
+caution.
+.sp
+.LP
 Input terminal processing might interpret some key sequences and not pass them to the \fBpasswd\fR command.
 .sp
-- cgit v1.2.3