Solar Designer wrote:
> [ I've added the security-audit list to the CC:, as most of my
> answers are to security-related questions. ]
>
> > 1.c. It will be nice if we can determine _why_ shadow entry unavailable.
> > If getspnam() returns NULL, what a cause? Maybe it just does not
> > exists,
>
> Yes, and the same applies to other get{pw,sp}* functions. In
> particular, don't repeat the mistake of pam_unix and libpwdb where
> they assume that a NULL return from fgetpwent() and fgets() means
> EOF. Both can lose data when updating the password file.
>
> I have a patch for this (and other potential issues) for libpwdb, it
> is to use ferror() after fgets(). I'm afraid there's no portable
> solution for the case of using fgetpwnam(), so you should probably
> avoid it when re-writing the password file.
>
I would like to know where to obtain this patch for libpwdb. Excuse me if the
info I am looking for is obvious, I am new to this mail-list.
Thanks
___
Pete O'Hara
