Issue 36997: Document that spwd is considered harmful

Created on 2019-05-21 17:00 by christian.heimes, last changed 2022-04-11 14:59 by admin.

Messages (3)
msg343072 - (view)	Author: Christian Heimes (christian.heimes) *	Date: 2019-05-21 17:00
The spwd module has several flaws. Especially the combination of spwd and crypt for password verification is dangerous and in almost all cases technically wrong. # don't do this! pw1 = spwd.getspnam(username).sp_pwd pw2 = crypt.crypt(password, pw1) if pw1 == pw2: ... On BSD, Linux, and macOS, account and credential verification must go through PAM. Also see: https://mail.python.org/pipermail/python-dev/2019-May/157562.html https://mail.python.org/pipermail/python-dev/2019-May/157564.html
msg343122 - (view)	Author: STINNER Victor (vstinner) *	Date: 2019-05-21 22:51
"... must go through PAM." Do you have a Python module to recommend to access PAM API?
msg343145 - (view)	Author: Arfrever Frehtes Taifersar Arahesis (Arfrever) *	Date: 2019-05-22 04:36
> On BSD, Linux, and macOS, account and credential verification must go through PAM. At least the part about Linux is not entirely true. If PAM is installed and used, then account and credential verification should probably go through PAM, but system administrator is free to decide to not install PAM at all. Perhaps some Linux distributions like Red Hat and Fedora do not support PAM-free systems, but Gentoo certainly supports PAM-free systems (support for PAM is enabled by default in Gentoo, but is not enforced).

History
Date	User	Action	Args
2022-04-11 14:59:15	admin	set	github: 81178
2021-03-31 20:00:15	christian.heimes	set	priority: high -> normal type: security -> enhancement versions: + Python 3.10, - Python 2.7, Python 3.7
2019-05-22 04:36:21	Arfrever	set	nosy: + Arfrever messages: + msg343145
2019-05-22 02:10:54	giampaolo.rodola	set	nosy: + giampaolo.rodola
2019-05-21 22:51:10	vstinner	set	messages: + msg343122
2019-05-21 22:50:39	vstinner	set	nosy: + vstinner
2019-05-21 17:00:09	christian.heimes	create