Bug in shadow system (OBSCURE off)

[Geoff Scully]

There is a bug in the recently distributed shadow passwd routines which
causes a compilation error if OBSCURE is undefined. It stems from the
fact that the variable  force  is declared in pmain.c as an int within an
#ifdef OBSCURE but the variable is referenced in 2 places in the program
regardless of the define of OBSCURE.

The first occurs at line 81 and is trivial to fix by putting it in an 
#ifdef.

	amroot = getuid () == 0;	/* currently am super user */
	if (! amroot)
		force = 0;

should be...

	amroot = getuid () == 0;	/* currently am super user */
#ifdef	OBSCURE
	if (! amroot)
		force = 0;
#endif

However the obscure[sic] nature of the second instance at line 142 makes
it somewhat harder to decide what to do:

	if (!force && ! obscure ()) {
#ifdef	OBSCURE
		puts ("Password not changed.");
		exit (1);
#else
		if (retries-- > 0) {
			puts ("Please try again.");
			goto retry;
		} else
			goto toomany;
#endif
	}

The reference to force is outside the #ifdef and what is happening inside
does not make sense to me. I thought that if OBSCURE was enabled the
proper action on finding inadequate obscurity was to ask for another
passwd but the way this is set up it would seem it exits. I replaced this
section with the following code segment, which seems to be more like the
expected behavior.

#ifdef	OBSCURE
	if (!force && ! obscure ()) {
		if (retries-- > 0) {
			puts ("Please try again.");
			goto retry;
		} else
			goto toomany;
	}
#endif

Any comments on what this should be John?

--------
  Geoff Scully                                
  Internet: gws at egvideo.UUCP              UUCP: ..!{uunet!}watmath!egvideo!gws