authorLennart Poettering <lennart@poettering.net>2021-05-05 15:32:43 +0200
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2021-10-12 17:54:43 +0200
commit0d3f41ef46f2b18a2bc4f728eeadaea81bcea48d (patch)
tree4ca926c8448004b9a19718c7bc7eabda4cec36b8
parentc2c5062f8bcda25b961e593dc26270290f98e661 (diff)
downloadsystemd-0d3f41ef46f2b18a2bc4f728eeadaea81bcea48d.tar.gz
user-util: add generic definition for special password hash values in /etc/passwd + /etc/shadow
Let's add three defines for the 3 special cases of passwords. Some of our tools used different values for the "locked"/"invalid" case, let's settle on using "!*" which means the password is both locked *and* invalid. Other tools like to use "!!" for this case, which however is less than ideal I think, since this could also be considered an entry with an empty password, that can be enabled again by unlocking it twice. (cherry picked from commit 53c25ac968ab8b868506c3a1820d8c76beb0cd88)
-rw-r--r--src/basic/user-util.h9
-rw-r--r--src/firstboot/firstboot.c8
-rw-r--r--src/nss-systemd/nss-systemd.c8
-rw-r--r--src/nss-systemd/userdb-glue.c5
-rw-r--r--src/sysusers/sysusers.c8
5 files changed, 24 insertions, 14 deletions
diff --git a/src/basic/user-util.h b/src/basic/user-util.h
index 20ff415e2e..2ac9166c07 100644
--- a/src/basic/user-util.h
+++ b/src/basic/user-util.h
@@ -109,3 +109,12 @@ int putsgent_sane(const struct sgrp *sg, FILE *stream);
#endif
bool is_nologin_shell(const char *shell);
+
+/* A locked *and* invalid password for "struct spwd"'s .sp_pwdp and "struct passwd"'s .pw_passwd field */
+#define PASSWORD_LOCKED_AND_INVALID "!*"
+
+/* A password indicating "look in shadow file, please!" for "struct passwd"'s .pw_passwd */
+#define PASSWORD_SEE_SHADOW "x"
+
+/* A password indicating "hey, no password required for login" */
+#define PASSWORD_NONE ""
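Review bot: The comment on `PASSWORD_LOCKED_AND_INVALID` names only `struct spwd`'s `.sp_pwdp` and `struct passwd`'s `.pw_passwd`, but later hunks of this commit also assign it to `.gr_passwd` (nss-systemd.c) and `.sg_passwd` (sysusers.c), so the comment should list those fields too. The reason for the two-character value is given only in the commit description; a line such as `/* "!" marks the entry locked, "*" can never match a hash, so unlocking alone does not yield a usable (or empty) password */` would keep it next to the define. `PASSWORD_NONE` is the one value here that grants access, and its comment names no field; stating where it may legitimately appear would make an accidental use easier to spot in review.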
diff --git a/src/firstboot/firstboot.c b/src/firstboot/firstboot.c
index 8e3028717e..89049a6daa 100644
--- a/src/firstboot/firstboot.c
+++ b/src/firstboot/firstboot.c
@@ -860,20 +860,20 @@ static int process_root_args(void) {
return r;
if (arg_root_password && arg_root_password_is_hashed) {
- password = "x";
+ password = PASSWORD_SEE_SHADOW;
hashed_password = arg_root_password;
} else if (arg_root_password) {
r = hash_password(arg_root_password, &_hashed_password);
if (r < 0)
return log_error_errno(r, "Failed to hash password: %m");
- password = "x";
+ password = PASSWORD_SEE_SHADOW;
hashed_password = _hashed_password;
} else if (arg_delete_root_password)
- password = hashed_password = "";
+ password = hashed_password = PASSWORD_NONE;
else
- password = hashed_password = "!";
+ password = hashed_password = PASSWORD_LOCKED_AND_INVALID;
r = write_root_passwd(etc_passwd, password, arg_root_shell);
if (r < 0)
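Review bot: The final `else` branch does more than swap a literal for a name: the value written for root when no password is requested changes from "!" to "!*", and nothing at the call site records that. A short comment there would help, for example `/* no password requested: lock the account and make the field invalid, so that unlocking it cannot expose an empty password */`. In the same branch both `password` and `hashed_password` receive the constant, so the passwd-file field itself carries "!*" rather than `PASSWORD_SEE_SHADOW`; that matches the old code's shape and is presumably intended, but it is worth stating. The body of `process_root_args` starts and continues outside this hunk.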
diff --git a/src/nss-systemd/nss-systemd.c b/src/nss-systemd/nss-systemd.c
index 84f94f500f..3ac57441d9 100644
--- a/src/nss-systemd/nss-systemd.c
+++ b/src/nss-systemd/nss-systemd.c
@@ -20,7 +20,7 @@
static const struct passwd root_passwd = {
.pw_name = (char*) "root",
- .pw_passwd = (char*) "x", /* see shadow file */
+ .pw_passwd = (char*) PASSWORD_SEE_SHADOW,
.pw_uid = 0,
.pw_gid = 0,
.pw_gecos = (char*) "Super User",
@@ -30,7 +30,7 @@ static const struct passwd root_passwd = {
static const struct passwd nobody_passwd = {
.pw_name = (char*) NOBODY_USER_NAME,
- .pw_passwd = (char*) "*", /* locked */
+ .pw_passwd = (char*) PASSWORD_LOCKED_AND_INVALID,
.pw_uid = UID_NOBODY,
.pw_gid = GID_NOBODY,
.pw_gecos = (char*) "User Nobody",
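Review bot: For `nobody_passwd` the string handed to NSS callers changes from "*" to "!*", and the same happens to `nobody_group`'s `.gr_passwd` in the following hunk, while the old `/* locked */` comments are dropped without replacement. Both values deny password login, but any consumer that compares the synthesized field against "*" literally would now see a different string; whether such consumers exist cannot be told from these hunks. I would keep a trailing comment, e.g. `.pw_passwd = (char*) PASSWORD_LOCKED_AND_INVALID, /* locked, and never a valid hash */`, and mention the changed value for the synthesized nobody entries in the commit description. The initializer of `nobody_passwd` continues outside the hunk.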
@@ -41,14 +41,14 @@ static const struct passwd nobody_passwd = {
static const struct group root_group = {
.gr_name = (char*) "root",
.gr_gid = 0,
- .gr_passwd = (char*) "x", /* see shadow file */
+ .gr_passwd = (char*) PASSWORD_SEE_SHADOW,
.gr_mem = (char*[]) { NULL },
};
static const struct group nobody_group = {
.gr_name = (char*) NOBODY_GROUP_NAME,
.gr_gid = GID_NOBODY,
- .gr_passwd = (char*) "*", /* locked */
+ .gr_passwd = (char*) PASSWORD_LOCKED_AND_INVALID,
.gr_mem = (char*[]) { NULL },
};
diff --git a/src/nss-systemd/userdb-glue.c b/src/nss-systemd/userdb-glue.c
index 8ad7ef608e..8f8988579b 100644
--- a/src/nss-systemd/userdb-glue.c
+++ b/src/nss-systemd/userdb-glue.c
@@ -6,6 +6,7 @@
#include "strv.h"
#include "user-record-nss.h"
#include "user-record.h"
+#include "user-util.h"
#include "userdb-glue.h"
#include "userdb.h"
@@ -50,7 +51,7 @@ int nss_pack_user_record(
.pw_name = buffer,
.pw_uid = hr->uid,
.pw_gid = user_record_gid(hr),
- .pw_passwd = (char*) "x", /* means: see shadow file */
+ .pw_passwd = (char*) PASSWORD_SEE_SHADOW,
};
assert(buffer);
@@ -184,7 +185,7 @@ int nss_pack_group_record(
*gr = (struct group) {
.gr_name = strcpy(p, g->group_name),
.gr_gid = g->gid,
- .gr_passwd = (char*) "x", /* means: see shadow file */
+ .gr_passwd = (char*) PASSWORD_SEE_SHADOW,
.gr_mem = array,
};
diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c
index 307daea574..e77706d5ae 100644
--- a/src/sysusers/sysusers.c
+++ b/src/sysusers/sysusers.c
@@ -440,7 +440,7 @@ static int write_temporary_passwd(const char *passwd_path, FILE **tmpfile, char
.pw_gecos = i->description,
/* "x" means the password is stored in the shadow file */
- .pw_passwd = (char*) "x",
+ .pw_passwd = (char*) PASSWORD_SEE_SHADOW,
/* We default to the root directory as home */
.pw_dir = i->home ?: (char*) "/",
@@ -536,7 +536,7 @@ static int write_temporary_shadow(const char *shadow_path, FILE **tmpfile, char
ORDERED_HASHMAP_FOREACH(i, todo_uids) {
struct spwd n = {
.sp_namp = i->name,
- .sp_pwdp = (char*) "!*", /* lock this password, and make it invalid */
+ .sp_pwdp = (char*) PASSWORD_LOCKED_AND_INVALID,
.sp_lstchg = lstchg,
.sp_min = -1,
.sp_max = -1,
@@ -639,7 +639,7 @@ static int write_temporary_group(const char *group_path, FILE **tmpfile, char **
struct group n = {
.gr_name = i->name,
.gr_gid = i->gid,
- .gr_passwd = (char*) "x",
+ .gr_passwd = (char*) PASSWORD_SEE_SHADOW,
};
r = putgrent_with_members(&n, group);
@@ -723,7 +723,7 @@ static int write_temporary_gshadow(const char * gshadow_path, FILE **tmpfile, ch
ORDERED_HASHMAP_FOREACH(i, todo_gids) {
struct sgrp n = {
.sg_namp = i->name,
- .sg_passwd = (char*) "!*",
+ .sg_passwd = (char*) PASSWORD_LOCKED_AND_INVALID,
};
r = putsgent_with_members(&n, gshadow);