authorJoey Hess2017-06-20 10:57:47 -0400
committerJoey Hess2017-06-20 10:57:47 -0400
commitb79f9d9539ea7a6d97bd259c0ecfa2f45cb1d9c8 (patch)
tree2eefbe80ab8f683b6b28078c2de72f56b025f9b8
parent727e7f8224f62f338db378852f5da478696da260 (diff)
User.hasInsecurePassword makes sure shadow passwords are enabled
So if the insecure password is later changed, the new password won't be exposed.
-rw-r--r--debian/changelog8
-rw-r--r--src/Propellor/Property/User.hs8
2 files changed, 14 insertions, 2 deletions
diff --git a/debian/changelog b/debian/changelog
index b6436d2c..12d88b96 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+propellor (4.0.7) UNRELEASED; urgency=medium
+
+ * User.hasInsecurePassword makes sure shadow passwords are enabled,
+ so if the insecure password is later changed, the new password won't be
+ exposed.
+
+ -- Joey Hess <id@joeyh.name> Tue, 20 Jun 2017 10:55:37 -0400
+
propellor (4.0.6) unstable; urgency=medium
* Fix bug that sometimes made --spin fail with
diff --git a/src/Propellor/Property/User.hs b/src/Propellor/Property/User.hs
index 0c7e48f2..ce2611bc 100644
--- a/src/Propellor/Property/User.hs
+++ b/src/Propellor/Property/User.hs
@@ -97,8 +97,12 @@ setPassword getpassword = getpassword $ go
-- | Makes a user's password be the passed String. Highly insecure:
-- The password is right there in your config file for anyone to see!
hasInsecurePassword :: User -> String -> Property DebianLike
-hasInsecurePassword u@(User n) p = property (n ++ " has insecure password") $
- chpasswd u p []
+hasInsecurePassword u@(User n) p = go
+ `requires` shadowConfig True
+ where
+ go :: Property DebianLike
+ go = property (n ++ " has insecure password") $
+ chpasswd u p []
chpasswd :: User -> String -> [String] -> Propellor Result
chpasswd (User user) v ps = makeChange $ withHandle StdinHandle createProcessSuccess
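Review bot: The Haddock comment on `hasInsecurePassword` still describes only setting the password, while the property now also changes host-wide account storage through `requires` shadowConfig True. I would add a line to that comment, for example `-- Also ensures shadow passwords are enabled, so a password set later is not stored in the world-readable passwd file.` The existing warning should stay, because enabling shadow passwords does nothing for the plaintext that remains in the config file. Whether the other password-setting properties built on `setPassword` carry the same requirement is not visible in this hunk and is worth checking, so the guarantee is consistent across the module.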