From: Nate Eldredge <neldredgeat_private> > What's wrong with just using `strcmp' (i.e. no constraint at all)? After > all, what you want to know is just whether the two strings are identical, > period. And unless crypt() and /etc/shadow are both broken, it will stop > at the right place. I realize it goes against the reflexive "only strn* > functions are safe" idea, but that shouldn't substitute for thinking... strcmp() with one argument as a crypt() output would be OK provided any password aging information had first been removed from the field in the comparison. Code to detect accounts without passwords ought to check this too as "::" is not the only value that is open to all. "Essential System Administration" 2nd Edition by Frisch falls down here on p344. -- ############################################################## # Antonomasia ant notatla.demon.co.uk # # See http://www.notatla.demon.co.uk/ # ##############################################################
This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 15:01:39 PDT