1> When i ran the command "ls /etc | sh", root password becomes empty. Using busybox-1.18.5. As of i know this passwd command changing busybox password.
2> So, my point here is about to solve the "ls /etc |sh" should not make the root password empty.

Output:
~ # ls /etc | sh
Changing password for root
New password:
Bad password: too short
Retype password:
Password for root changed by root

Here root password is empty now.

Where is this information coming from?

When enter the command passwd --help.
~ # passwd --help
BusyBox v1.18.5 (2016-08-18 19:07:10 IST) multi-call binary.

the method you mentioned is not printed here.

~ # ls /etc | sh
This command making root password becomes empty.

~ # passwd --hlep
passwd: unrecognized option `--hlep'
BusyBox v1.18.5 (2016-08-18 19:07:10 IST) multi-call binary.

Usage: passwd [OPTIONS] [USER]

Change USER's password. If no USER is specified,
changes the password for the current user.

Options:
-a ALG Algorithm to use for password (des, md5)
-d Delete password for the account
-l Lock (disable) account
-u Unlock (re-enable) account


My intention is to say this passwd command is busybox command.
But main issue is with "ls /etc | sh" command.

where is this information coming from?

Executed this command in the shell of my linux box.

accidentally/occasionally it may work, but I think it is not recommended at all.

What is the issue you want to discuss?

"ls /etc | sh" executed in shell.

The files under /etc directory is piped to sh. passwd file also present under the /etc directory.

Whenever the passwd file is piping to sh, sh treating that as a command, only when we have passwd command under /usr/bin.

So, shell executing that command and providing some input to passwd command, then making password empty.

i don't want to shell making password empty.

so do not execute that command

2 members found this post helpful.

Thanks,

we are using the cli in my product to execute the commands,

We have an option that we can execute shell commands from cli, so that time if anybody uses this command from cli my root password will becomes empty.

Then my box is open to that guy.

So, requires fix.

And one more thing, same command executed in the ubuntu system it is not allowing shell to change password.

Output on ubuntu:
# ls /etc | sh
Enter new UNIX password: Retype new UNIX password: passwd: Authentication token manipulation error
passwd: password unchanged

Only root allowed to change the root password and you cannot restrict root anyway. So he/she will be able to execute passwd -d and therefore will be able to set passwd to ''.
The result of ls /etc depends on the host itself (content of /etc), therefore ls /etc | sh may or may not change password (see post #8).

It is always changing the root password, i need to solve this bug.
Thanks for you discussion.

this is not a bug, you cannot solve it.

But this is vulnerability to the product. So, should have some fix.

Is there any possibility to make filesystem read only when we are executing this command.

And is there any possibility to catch shell inputs from the code point of view.