Do NOT Use This Perl Module: Passwd::Unix

Posted by Artem Russakovskii on April 22nd, 2008 in Linux, Programming

Updated: April 29th, 2008

Update: The author of the module contacted me the same day and promised to fix it in the next version. Version 0.40 was indeed on cpan as promised, but I haven't tested it yet.

Passwd::Unix will corrupt your /etc/shadow file and rearrange login names and their corresponding password hashes.

The current version of Passwd::Unix corrupted my /etc/shadow upon only
calling the passwd() function. Immediately users started to report not
being able to login.

After examining the situation, I found that Passwd::Unix rearranges all
users in /etc/shadow in some way, but it only does it to the
usernames, and not the password hashes. Thus, you will get corrupted accounts. Moreover,
users are now able to login to one OTHER account, not their own,
depending on how the usernames got shuffled.

Thankfully, I had a recent backup but I definitely don’t want anyone
else to suffer.

I’m using perl 5.10, SUSE 10.3. If it’s incompatible with SUSE, it needs
to say so and exit.

I've filed the bug here: http://rt.cpan.org/Public/Bug/Display.html?id=35323.

You have been warned.

● ● ●

Artem Russakovskii is a San Francisco programmer, blogger, and future millionaire (that last part is in the works). Follow Artem on Twitter (@ArtemR) or subscribe to the RSS feed.

In the meantime, if you found this article useful, feel free to buy me a cup of coffee below.

  • joe

    What have you used instead ?
    Did you write your own ?

  • http://beerpla.net Artem Russakovskii

    joe, yeah, I ended up writing my own version which has worked well so far. If I were writing new code though, I would give Passwd::Unix another try since the author rewrote it after my bug report.

    For reference, here's the code I've come up with:

    system("echo '$username:$password' | chpasswd") && die "Oops, there was some error setting the password!";
  • http://nssadoc.blogspot.com Jason

    I'm using v0.40 Passwd::Unix qw(uid encpass passwd) without any problems.

    I would recommend against using Artem's example of system("echo stuff | passwordprogram") since that will show up in the ps -eF output….

    There are other methods open a pipe to a program where your password won't be viewable non-root users. In Perl you can use

    open(HANDLE,">","|chpasswd") || die "$!\n";
    print HANDLE "$username:$password";

    In PHP you can use popoen() or proc_open()

  • philip hamrick

    Timely discussion , I Appreciate the specifics , Does someone know where I could possibly get access to a sample a form example to type on ?