Merge pull request #10 from nikstur/libxcrypt

password: use libxcrypt instead of mkpasswd
nikstur · Oct 10, 2024 · e1d02ff · e1d02ff
2 parents 955575c + f335d25
commit e1d02ff
Show file tree

Hide file tree

Showing 9 changed files with 390 additions and 57 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,15 @@
 # Changelog
 
+## 0.3.0 (unreleased)
+
+- Userborn now calls `libxcrypt` directly via the `xcrypt` crate instead of
+  shelling out to `mkpasswd`. This enables us to not change the password hash
+  when a plaintext password is provided. We now check whether the password from
+  the config matches the hashed password and then re-use the salt instead of
+  generating a new salt. Please note that this changes nothing about the
+  security posture of Userborn. If you provide a plaintext password to
+  Userborn, there is nothing Userborn can do to protect it from leaking.
+
 ## 0.2.0
 
 - /etc/{group,passwd,shadow} are now sorted by GID/UID. This follows the

diff --git a/README.md b/README.md
@@ -48,12 +48,6 @@ re-use is best illustrated by an example. Imagine the following scenario:
 
 ### Limitations to Nondestructivity
 
-- When you provide a plaintext password in the config (which you really
-  shouldn't!), the hashed password is updated each time userborn runs. This can
-  be fixed in the future by calling `crypt()` directly (and re-using the
-  previos salt) instead of running `mkpasswd` in a subprocess. However, the
-  security gains of this would be 0 (because the password is already available
-  in plaintext!) and it will only suppress a single log line.
 - Userborn can handle comments in the password database files but it will
   silently discard them.
 - Userborn will sort the password database files by GID/UID. This influences

diff --git a/nix/packages/default.nix b/nix/packages/default.nix
@@ -2,4 +2,6 @@
 
 {
   userborn = pkgs.callPackage ./userborn.nix { };
+  static = pkgs.pkgsStatic.callPackage ./userborn.nix { };
+  cross = pkgs.pkgsCross.aarch64-multiplatform.callPackage ./userborn.nix { };
 }
diff --git a/nix/packages/userborn.nix b/nix/packages/userborn.nix
@@ -1,8 +1,7 @@
 {
   lib,
   rustPlatform,
-  makeBinaryWrapper,
-  mkpasswd,
+  libxcrypt,
 }:
 
 let
@@ -22,15 +21,13 @@ rustPlatform.buildRustPackage {
     lockFile = ../../rust/userborn/Cargo.lock;
   };
 
-  nativeBuildInputs = [ makeBinaryWrapper ];
-
-  buildInputs = [ mkpasswd ];
-
-  nativeCheckInputs = [ mkpasswd ];
+  nativeBuildInputs = [
+    rustPlatform.bindgenHook
+  ];
 
-  postInstall = ''
-    wrapProgram $out/bin/userborn --prefix PATH : ${lib.makeBinPath [ mkpasswd ]}
-  '';
+  buildInputs = [
+    libxcrypt
+  ];
 
   stripAllList = [ "bin" ];
 

diff --git a/rust/userborn/Cargo.lock b/rust/userborn/Cargo.lock