Do NOT Use This Perl Module: Passwd::Unix

Posted by Artem Russakovskii on April 22nd, 2008 in Linux, Programming

Updated: April 29th, 2008

Hey there! If you are new here, you might want to subscribe to the RSS feed to stay up-to-date with all this techy nonsense.

Update: The author of the module contacted me the same day and promised to fix it in the next version. Version 0.40 was indeed on cpan as promised, but I haven't tested it yet.

Passwd::Unix will corrupt your /etc/shadow file and rearrange login names and their corresponding password hashes.

The current version of Passwd::Unix corrupted my /etc/shadow upon only
calling the passwd() function. Immediately users started to report not
being able to login.

After examining the situation, I found that Passwd::Unix rearranges all
users in /etc/shadow in some way, but it only does it to the
usernames, and not the password hashes. Thus, you will get corrupted accounts. Moreover,
users are now able to login to one OTHER account, not their own,
depending on how the usernames got shuffled.

Thankfully, I had a recent backup but I definitely don’t want anyone
else to suffer.

I’m using perl 5.10, SUSE 10.3. If it’s incompatible with SUSE, it needs
to say so and exit.

I've filed the bug here: http://rt.cpan.org/Public/Bug/Display.html?id=35323.

You have been warned.

● ● ●

Artem Russakovskii is a San Francisco programmer, blogger, and future millionaire (that last part is in the works). Follow Artem on Twitter (@ArtemR) or subscribe to the RSS feed.

In the meantime, if you found this article useful, feel free to buy me a cup of coffee below.

Tags: Linux, module, passwd, Perl, shadow, unix

3 Responses to “Do NOT Use This Perl Module: Passwd::Unix”

3 Comments:

joe says:

May 27, 2008 at 5:08 am

What have you used instead ?
Did you write your own ?

Reply
Artem Russakovskii says:

May 27, 2008 at 1:24 pm

joe, yeah, I ended up writing my own version which has worked well so far. If I were writing new code though, I would give Passwd::Unix another try since the author rewrote it after my bug report.

For reference, here's the code I've come up with:
1
system("echo '$username:$password' | chpasswd") && die "Oops, there was some error setting the password!";
Reply
Jason says:

February 9, 2009 at 10:53 pm

I'm using v0.40 Passwd::Unix qw(uid encpass passwd) without any problems.

I would recommend against using Artem's example of system("echo stuff | passwordprogram") since that will show up in the ps -eF output….

There are other methods open a pipe to a program where your password won't be viewable non-root users. In Perl you can use
open(HANDLE,">","|chpasswd") || die "$!\n"; print HANDLE "$username:$password";
In PHP you can use popoen() or proc_open()

Reply

beer planet