diff --git a/include/libbb.h b/include/libbb.h index 655ca01a5..e92dbc4c0 100644 --- a/include/libbb.h +++ b/include/libbb.h @@ -1032,6 +1032,9 @@ extern int restricted_shell(const char *shell); extern void setup_environment(const char *shell, int clear_env, int change_env, const struct passwd *pw); extern int correct_password(const struct passwd *pw); /* Returns a malloced string */ +#if !ENABLE_USE_BB_CRYPT +#define pw_encrypt(clear, salt, cleanup) pw_encrypt(clear, salt) +#endif extern char *pw_encrypt(const char *clear, const char *salt, int cleanup); extern int obscure(const char *old, const char *newval, const struct passwd *pwdp); /* rnd is additional random input. New one is returned. diff --git a/libbb/pw_encrypt.c b/libbb/pw_encrypt.c index 762cbab27..c1e927e23 100644 --- a/libbb/pw_encrypt.c +++ b/libbb/pw_encrypt.c @@ -9,6 +9,8 @@ #include "libbb.h" +#if ENABLE_USE_BB_CRYPT + /* * DES and MD5 crypt implementations are taken from uclibc. * They were modified to not use static buffers. @@ -69,3 +71,18 @@ char *pw_encrypt(const char *clear, const char *salt, int cleanup) return encrypted; } + +#else /* if !ENABLE_USE_BB_CRYPT */ + +char *pw_encrypt(const char *clear, const char *salt, int cleanup) +{ +#if 0 /* was CONFIG_FEATURE_SHA1_PASSWORDS, but there is no such thing??? */ + if (strncmp(salt, "$2$", 3) == 0) { + return xstrdup(sha1_crypt(clear)); + } +#endif + + return xstrdup(crypt(clear, salt)); +} + +#endif diff --git a/loginutils/Config.in b/loginutils/Config.in index c57d9976e..e39fb6f79 100644 --- a/loginutils/Config.in +++ b/loginutils/Config.in @@ -13,45 +13,67 @@ config FEATURE_SHADOWPASSWDS readable by root and thus the encrypted passwords are no longer publicly readable. +config USE_BB_PWD_GRP + bool "Use internal password and group functions rather than system functions" + default n + help + If you leave this disabled, busybox will use the system's password + and group functions. And if you are using the GNU C library + (glibc), you will then need to install the /etc/nsswitch.conf + configuration file and the required /lib/libnss_* libraries in + order for the password and group functions to work. This generally + makes your embedded system quite a bit larger. + + Enabling this option will cause busybox to directly access the + system's /etc/password, /etc/group files (and your system will be + smaller, and I will get fewer emails asking about how glibc NSS + works). When this option is enabled, you will not be able to use + PAM to access remote LDAP password servers and whatnot. And if you + want hostname resolution to work with glibc, you still need the + /lib/libnss_* libraries. + + If you need to use glibc's nsswitch.conf mechanism + (e.g. if user/group database is NOT stored in /etc/passwd etc), + you must NOT use this option. + + If you enable this option, it will add about 1.5k to busybox. + config USE_BB_SHADOW bool "Use busybox shadow password functions" default y depends on USE_BB_PWD_GRP && FEATURE_SHADOWPASSWDS help - If you leave this disabled, busybox will use the system's shadow - password handling functions. And if you are using the GNU C library - (glibc), you will then need to install the /etc/nsswitch.conf - configuration file and the required /lib/libnss_* libraries in - order for the shadow password functions to work. This generally - makes your embedded system quite a bit larger. + If you leave this disabled, busybox will use the system's shadow + password handling functions. And if you are using the GNU C library + (glibc), you will then need to install the /etc/nsswitch.conf + configuration file and the required /lib/libnss_* libraries in + order for the shadow password functions to work. This generally + makes your embedded system quite a bit larger. - Enabling this option will cause busybox to directly access the - system's /etc/shadow file when handling shadow passwords. This - makes your system smaller and I will get fewer emails asking about - how glibc NSS works). When this option is enabled, you will not be - able to use PAM to access shadow passwords from remote LDAP - password servers and whatnot. + Enabling this option will cause busybox to directly access the + system's /etc/shadow file when handling shadow passwords. This + makes your system smaller and I will get fewer emails asking about + how glibc NSS works). When this option is enabled, you will not be + able to use PAM to access shadow passwords from remote LDAP + password servers and whatnot. -config USE_BB_PWD_GRP - bool "Use internal password and group functions rather than system functions" - default n +config USE_BB_CRYPT + bool "Use internal DES and MD5 crypt functions rather than system functions" + default y help - If you leave this disabled, busybox will use the system's password - and group functions. And if you are using the GNU C library - (glibc), you will then need to install the /etc/nsswitch.conf - configuration file and the required /lib/libnss_* libraries in - order for the password and group functions to work. This generally - makes your embedded system quite a bit larger. + If you leave this disabled, busybox will use the system's password + and group functions. Most C libraries use large (~70k) + static buffers in these functions, and also combine them + with more general DES encryption/decryption routines. + For busybox, having large static buffers is undesirable, + especially so on NOMMU machines. - Enabling this option will cause busybox to directly access the - system's /etc/password, /etc/group files (and your system will be - smaller, and I will get fewer emails asking about how glibc NSS - works). When this option is enabled, you will not be able to use - PAM to access remote LDAP password servers and whatnot. And if you - want hostname resolution to work with glibc, you still need the - /lib/libnss_* libraries. + These functions produce results which are identical + to corresponding C library functions. - If you enable this option, it will add about 1.5k to busybox. + If you enable this option, it will add about 4.8k to busybox + if you are building dynamically linked executable. + In static build, it makes executable _smaller_ by about 1.2k. config ADDGROUP bool "addgroup" @@ -255,4 +277,3 @@ config VLOCK work properly. endmenu -