newusers: allow not passing a password #1341
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
For consistency with the handling of the rest of the fields, it seems appropriate, as we already keep the other fields intact if they're passed empty to newusers(8). What's the current behavior? Is it rejected, or is the password removed (so, passwordless user)? |
|
What's the current behavior? Is it rejected, or is the password
removed (so, passwordless user)?
It fails like this:
```
$ echo foobar:::::/tmp:/bin/bash | sudo newusers
No password has been supplied.
No password has been supplied.
No password has been supplied.
newusers: (user foobar) pam_chauthtok() failed, error:
Authentication token manipulation error
newusers: (line 1, user foobar) password not changed
```
The use entry *is* created in /etc/passwd, but the account cannot be
logged into because there is no password. root can sudo into it.
|
terceiro
force-pushed
the
newusers-empty-password
branch
from
2e111f1 to
113a0ec
Compare
|
I have pushd an updated patch addressing your comments. Thanks for the review! |
hallyn
reviewed
Aug 25, 2025
terceiro
force-pushed
the
newusers-empty-password
branch
from
113a0ec to
118ccd3
Compare
|
On Mon, Aug 25, 2025 at 11:14:41AM -0700, Serge Hallyn wrote:
@hallyn commented on this pull request.
Sorry, can you explain exactly how you would use this to add subuids?
```
$ echo username:::::: | newusers
```
> @@ -107,8 +107,8 @@
</term>
<listitem>
<para>
- This field will be encrypted and used as the new value of the
- encrypted password.
+ If this field it not empty, it will be encrypted and used as the new
trivial typo: if this field *is* not empty
Thanks, fixed.
|
|
Oh, not a specific range. Got it. |
A possible use case for this is wanting to add subuid/subgid entries for an existing user. This change makes it possible to pass `username::::::` to newusers; the empty password will be ignored an everything else will be done. Currently this fails miserably, as PAM errors out on a empty password. Signed-off-by: Antonio Terceiro <[email protected]>
terceiro
force-pushed
the
newusers-empty-password
branch
from
118ccd3 to
3488ce6
Compare
alejandro-colomar
approved these changes
Aug 26, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
A possible use case for this is wanting to add subuid/subgid entries for an existing user. This change makes it possible to pass
username::::::to newusers; the empty password will be ignored an everything else will be done. Currently this fails miserably, as PAM errors out on a empty password.