From b79f9d9539ea7a6d97bd259c0ecfa2f45cb1d9c8 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Tue, 20 Jun 2017 10:57:47 -0400
Subject: User.hasInsecurePassword makes sure shadow passwords are enabled
So if the insecure password is later changed, the new password won't be exposed.
---
 src/Propellor/Property/User.hs | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'src/Propellor')
diff --git a/src/Propellor/Property/User.hs b/src/Propellor/Property/User.hs
index 0c7e48f2..ce2611bc 100644
--- a/src/Propellor/Property/User.hs
+++ b/src/Propellor/Property/User.hs
@@ -97,8 +97,12 @@ setPassword getpassword = getpassword $ go
 -- | Makes a user's password be the passed String. Highly insecure:
 -- The password is right there in your config file for anyone to see!
 hasInsecurePassword :: User -> String -> Property DebianLike
-hasInsecurePassword u@(User n) p = property (n ++ " has insecure password") $
- chpasswd u p []
+hasInsecurePassword u@(User n) p = go
+ `requires` shadowConfig True
+ where
+ go :: Property DebianLike
+ go = property (n ++ " has insecure password") $
+ chpasswd u p []
 chpasswd :: User -> String -> [String] -> Propellor Result
 chpasswd (User user) v ps = makeChange $ withHandle StdinHandle createProcessSuccess
-- cgit v1.2.3
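Review bot: The Haddock comment above `hasInsecurePassword` still describes only the password assignment, although the property now also carries the added `shadowConfig True` requirement. Judging by its name, that is a system-wide setting rather than a per-user one, so someone reading the docs would not expect this property to change how the host stores passwords. The reason given in the commit message is also not recorded anywhere in the code. I would append one line to the existing comment: `-- Also ensures shadow passwords are enabled, so that if the password is later changed, the new one is not exposed.` The existing warning about the password sitting in the config file should stay as it is.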