passwd - lets root password unset
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
shadow (Debian) | Fix Released | Unknown | | | |
shadow (Ubuntu) | Invalid | High | Unassigned | | |
Bug Description
Automatically imported from Debian bug report #260799 http://
Debian Bug Importer (debzilla) wrote : | #1 |
Debian Bug Importer (debzilla) wrote : | #2 |
Message-ID: <email address hidden>
Date: Thu, 22 Jul 2004 11:39:05 +0200
From: Bastian Blank <email address hidden>
To: <email address hidden>
Subject: passwd - lets root password unset
Package: passwd
Version: 1:4.0.3-29.1
Severity: critical
passwd config script lets the root password unset if a user entry in the
/etc/passwd or /etc/shadow file matches the string "root" and have a
password.
The right check for the root user is "^root:".
Bastian
--
Only a fool fights in a burning house.
-- Kank the Klingon, "Day of the Dove", stardate unknown
In Debian Bug tracker #260799, Karl Ramm (kcr) wrote : Re: Bug#260799: passwd - lets root password unset | #3 |
Are you saying that it unsets the root password, or that it never asks, or
that it just lets you set it to nothing?
kcr
Bastian Blank <email address hidden> writes:
> Package: passwd
> Version: 1:4.0.3-29.1
> Severity: critical
>
> passwd config script lets the root password unset if a user entry in the
> /etc/passwd or /etc/shadow file matches the string "root" and have a
> password.
>
> The right check for the root user is "^root:".
>
> Bastian
>
> --
> Only a fool fights in a burning house.
> -- Kank the Klingon, "Day of the Dove", stardate unknown
Debian Bug Importer (debzilla) wrote : | #4 |
Message-ID: <email address hidden>
Date: 22 Jul 2004 18:04:39 -0400
From: <email address hidden>
To: Bastian Blank <email address hidden>, <email address hidden>
Subject: Re: Bug#260799: passwd - lets root password unset
In Debian Bug tracker #260799, Javier Fernández-Sanguino (jfs) wrote : Clarification and patch for this bug | #5 |
tags 260799 patch
thanks
I believe the reporter suggests that, the way the check for root's password
is done, it will not prompt for a password if you have a user with a 'root'
substring (for example 'joeroot') which does have a password.
The attached patch for debian/
better.
Regards
Javier
In Debian Bug tracker #260799, Matt Zimmerman (mdz) wrote : Re: Bug#260799: passwd - lets root password unset | #6 |
On Thu, Jul 22, 2004 at 06:04:39PM -0400, <email address hidden> wrote:
> Are you saying that it unsets the root password, or that it never asks, or
> that it just lets you set it to nothing?
I assume he's referring to this function:
# Returns a true value if root already has a password.
root_password () {
    # Assume there is a root password if NIS is being used.
    if egrep -q '^+:' /etc/passwd; then
        return 0
    fi
    if [ -e /etc/shadow ] && \
       [ "`grep root /etc/shadow | cut -d : -f 2`" ]; then
        return 0
    fi
    if [ "`grep root /etc/passwd | cut -d : -f 2`" -a \
         "`grep root /etc/passwd | cut -d : -f 2`" != 'x' ]; then
        return 0
    fi
    return 1
}
Shouldn't this use getent, rather than directly accessing passwd/shadow?
Looking at the .config script, a 0 return from this function means that the
admin is not prompted to set a root password. This doesn't seem
particularly serious, since this is only an issue when first installing the
system, at which time there are unlikely to be any non-system users in the
passwd file yet...
--
- mdz
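Added example, not part of the thread and not the shadow package's own code: it runs the substring check quoted above and a field-exact variant against constructed passwd/shadow files in which root has no password and a user named joeroot does. The function names, the fixture entries and the use of awk for exact matching are assumptions of this example.

```shell
#!/bin/sh
# Added example. All account data is constructed; the real /etc is never read.

# Build constructed passwd/shadow files in a temporary directory.
# $1 is root's password field in shadow (empty string = no password set).
make_fixture() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/sh' \
        'joeroot:x:1000:1000:Joe:/home/joeroot:/bin/sh' > "$dir/passwd"
    printf '%s\n' \
        "root:$1:12621:0:99999:7:::" \
        'joeroot:$1$constructed$notarealhash:12621:0:99999:7:::' > "$dir/shadow"
    echo "$dir"
}

# Logic as quoted in the thread: any line containing "root" is considered.
has_root_password_substring() {
    dir=$1
    if [ -e "$dir/shadow" ] && \
       [ "$(grep root "$dir/shadow" | cut -d : -f 2)" ]; then
        return 0
    fi
    pw=$(grep root "$dir/passwd" | cut -d : -f 2)
    if [ "$pw" ] && [ "$pw" != 'x' ]; then
        return 0
    fi
    return 1
}

# Print field 2 of the single entry whose login name is exactly "root".
root_field() {
    awk -F: '$1 == "root" { print $2; exit }' "$1"
}

# Same decision, but only root's own entry can influence it. As in the
# script, any non-empty field counts as "password set".
has_root_password_exact() {
    dir=$1
    if [ -e "$dir/shadow" ] && [ "$(root_field "$dir/shadow")" ]; then
        return 0
    fi
    pw=$(root_field "$dir/passwd")
    if [ "$pw" ] && [ "$pw" != 'x' ]; then
        return 0
    fi
    return 1
}

demo() {
    d=$(make_fixture '')      # root has no password, joeroot has one
    if has_root_password_substring "$d"; then s=set; else s=unset; fi
    if has_root_password_exact "$d"; then e=set; else e=unset; fi
    rm -rf "$d"
    echo "substring check says: $s; exact check says: $e"
}
demo
```

With the substring check the installer would skip the root password prompt on this fixture, because joeroot's hash is what makes the test non-empty.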
Debian Bug Importer (debzilla) wrote : | #7 |
Message-ID: <email address hidden>
Date: Fri, 23 Jul 2004 02:20:53 +0200
From: Javier =?iso-8859-
To: <email address hidden>
Cc: <email address hidden>
Subject: Clarification and patch for this bug
tags 260799 patch
thanks
I believe the reporter suggests that, the way the check for root's password
is done, it will not prompt for a password if you have a user with a 'root'
substring (for example 'joeroot') which does have a password.
The attached patch for debian/
better.
Regards
Javier
--- passwd.config.orig 2004-07-23 02:15:08.000000000 +0200
+++ passwd.config 2004-07-23 02:15:48.000000000 +0200
@@ -39,12 +39,12 @@
fi
=20
if [ -e /etc/shadow ] && \
- [ "`grep root /etc/shadow | cut -d : -f 2`" ]; then
+ [ "`grep ^root: /etc/shadow | cut -d : -f 2`" ]; then
return 0
fi
=09
- if [ "`grep root /etc/passwd | cut -d : -f 2`" -a \
- "`grep root /etc/passwd | cut -d : -f 2`" !=3D 'x' ]; then
+ if [ "`grep ^root: /etc/passwd | cut -d : -f 2`" -a \
+ "`grep ^root: /etc/passwd | cut -d : -f 2`" !=3D 'x' ]; then
return 0
fi
=20
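Review bot: the pattern ^root: is passed to grep unquoted on all three added lines; quote it as '^root:' so the shell can never interpret the caret (the original Bourne shell treats ^ as a pipe character) and the anchor always reaches grep intact. Separately, both tests only check that field 2 is non-empty, so a root entry in /etc/shadow holding a lock marker such as * or ! still counts as having a password and the prompt is skipped; if that is intended, a comment saying so would help. The /etc/passwd test also runs the same grep pipeline twice; capturing the field once in a variable would keep the two comparisons consistent.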
Debian Bug Importer (debzilla) wrote : | #8 |
Message-ID: <email address hidden>
Date: Thu, 22 Jul 2004 17:55:06 -0700
From: Matt Zimmerman <email address hidden>
To: <email address hidden>, <email address hidden>
Cc: Bastian Blank <email address hidden>
Subject: Re: Bug#260799: passwd - lets root password unset
In Debian Bug tracker #260799, Christian Perrier (bubulle) wrote : Re: Bug#260799: Clarification and patch for this bug | #9 |
Quoting Javier Fernández-Sanguino Peña (<email address hidden>):
> tags 260799 patch
> thanks
Karl, this for checking that you got my diff for the 29.1 NMU patch I
just made.....one day before this bug was discovered.
I guess you will make a new upload of the shadow package for fixing
this bug very soon.
If, for some reason, you lack time for it, I still have time for doing
a 29.2 NMU from my build tree, using Javier's patch. This can be made
today (7/23) or this week-end. After, I will leave for 3 weeks.
In Debian Bug tracker #260799, Bastian Blank (waldi) wrote : Re: Bug#260799: passwd - lets root password unset | #10 |
On Thu, Jul 22, 2004 at 05:55:06PM -0700, Matt Zimmerman wrote:
> Looking at the .config script, a 0 return from this function means that the
> admin is not prompted to set a root password. This doesn't seem
> particularly serious, since this is only an issue when first installing the
> system, at which time there are unlikely to be any non-system users in the
> passwd file yet...
Which does not mean that other system users don't match the string
"root". D-i adds one sometimes.
Bastian
--
Hailing frequencies open, Captain.
Debian Bug Importer (debzilla) wrote : | #11 |
Message-ID: <email address hidden>
Date: Fri, 23 Jul 2004 07:24:13 +0200
From: Christian Perrier <email address hidden>
To: <email address hidden>
Subject: Re: Bug#260799: Clarification and patch for this bug
Debian Bug Importer (debzilla) wrote : | #12 |
Message-ID: <email address hidden>
Date: Fri, 23 Jul 2004 09:34:24 +0200
From: Bastian Blank <email address hidden>
To: Matt Zimmerman <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#260799: passwd - lets root password unset
In Debian Bug tracker #260799, Matt Zimmerman (mdz) wrote : | #13 |
On Fri, Jul 23, 2004 at 09:34:24AM +0200, Bastian Blank wrote:
> On Thu, Jul 22, 2004 at 05:55:06PM -0700, Matt Zimmerman wrote:
> > Looking at the .config script, a 0 return from this function means that the
> > admin is not prompted to set a root password. This doesn't seem
> > particularly serious, since this is only an issue when first installing the
> > system, at which time there are unlikely to be any non-system users in the
> > passwd file yet...
>
> Which does not mean that other system users don't match the string
> "root". D-i adds one sometimes.
I have never seen it. What is the name of the user?
--
- mdz
Debian Bug Importer (debzilla) wrote : | #14 |
Message-ID: <email address hidden>
Date: Fri, 23 Jul 2004 08:59:38 -0700
From: Matt Zimmerman <email address hidden>
To: Bastian Blank <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#260799: passwd - lets root password unset
In Debian Bug tracker #260799, Bastian Blank (waldi) wrote : | #15 |
On Fri, Jul 23, 2004 at 08:59:38AM -0700, Matt Zimmerman wrote:
> > Which does not mean that other system users don't match the string
> > "root". D-i adds one sometimes.
> I have never seen it. What is the name of the user?
| .../trunk/
| TEMPLATE_
| echo 'installer:
| grep "^installer:" /etc/shadow >> /target/etc/shadow
Bastian
--
Too much of anything, even love, isn't necessarily a good thing.
-- Kirk, "The Trouble with Tribbles", stardate 4525.6
In Debian Bug tracker #260799, Matt Zimmerman (mdz) wrote : | #16 |
On Fri, Jul 23, 2004 at 11:59:08PM +0200, Bastian Blank wrote:
> On Fri, Jul 23, 2004 at 08:59:38AM -0700, Matt Zimmerman wrote:
> > > Which does not mean that other system users don't match the string
> > > "root". D-i adds one sometimes.
> > I have never seen it. What is the name of the user?
>
> | .../trunk/
> | TEMPLATE_
> | echo 'installer:
> | grep "^installer:" /etc/shadow >> /target/etc/shadow
Interesting; I never encountered it. Is this architecture-
something?
Anyway, the fix for this bug is known and trivial...
--
- mdz
Debian Bug Importer (debzilla) wrote : | #17 |
Message-ID: <email address hidden>
Date: Fri, 23 Jul 2004 23:59:08 +0200
From: Bastian Blank <email address hidden>
To: Matt Zimmerman <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#260799: passwd - lets root password unset
On Fri, Jul 23, 2004 at 08:59:38AM -0700, Matt Zimmerman wrote:
> > Which does not mean that other system users don't match the string
> > "root". D-i adds one sometimes.
> I have never seen it. What is the name of the user?
| .../trunk/
| TEMPLATE_
| echo 'installer:
target/etc/passwd
| grep "^installer:" /etc/shadow >> /target/etc/shadow
Bastian
--
Too much of anything, even love, isn't necessarily a good thing.
-- Kirk, "The Trouble with Tribbles", stardate 4525.6
Matt Zimmerman (mdz) wrote : | #18 |
Fixed by upload of shadow_
Debian Bug Importer (debzilla) wrote : | #19 |
Message-ID: <email address hidden>
Date: Fri, 23 Jul 2004 15:06:04 -0700
From: Matt Zimmerman <email address hidden>
To: Bastian Blank <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#260799: passwd - lets root password unset
Colin Watson (cjwatson) wrote : | #20 |
That password entry is created by network-console, which is only used on a few
architectures at the moment (it's the "ssh into d-i" system). Bastian works on
s390, which is one such architecture.
In Debian Bug tracker #260799, Christian Perrier (bubulle) wrote : Patch for 29.2 NMU | #21 |
Attached is the patch for this NMU (which has been uploaded in the
DELAYED/2-day queue just to give Karl a chance to overrule it). I
added a Croatian translation and last minute updates to a few other
translations as well as the fix for this RC bug.
--
Debian Bug Importer (debzilla) wrote : | #22 |
Message-ID: <email address hidden>
Date: Mon, 26 Jul 2004 19:05:19 +0200
From: Christian Perrier <email address hidden>
To: <email address hidden>
Subject: Patch for 29.2 NMU
In Debian Bug tracker #260799, Karl Ramm (kcr) wrote : Bug#260799: fixed in shadow 1:4.0.3-30 | #23 |
Source: shadow
Source-Version: 1:4.0.3-30
We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive:
login_4.
to pool/main/
passwd_
to pool/main/
shadow_
to pool/main/
shadow_4.0.3-30.dsc
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Karl Ramm <email address hidden> (supplier of updated shadow package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
Format: 1.7
Date: Tue, 27 Jul 2004 09:38:32 -0400
Source: shadow
Binary: login passwd
Architecture: source i386
Version: 1:4.0.3-30
Distribution: unstable
Urgency: high
Maintainer: Karl Ramm <email address hidden>
Changed-By: Karl Ramm <email address hidden>
Description:
login - System login tools
passwd - Change and administer password and group data
Closes: 190567 235641 256664 257949 257949 258241 258563 258566 258957 259389 259663 259827 260223 260361 260722 260799 261387 261418
Changes:
shadow (1:4.0.3-30) unstable; urgency=high
.
* Attempt to fix FTBFS and dependency problems on hurd. Closes: #235641
* don't run dh_undocumented anymore as it has become angstful.
.
* Thanks to Christian Perrier:
* Debconf translations
- Brazilian updated. Closes: #261387
- Croatian added. Closes: #261418
- Minor corrections for ja.po and pl.po headers
* Programs translations
- Dutch updated. Closes: #260361
- Hebrew added. Closes: #260722
* Urgency set to high because of RC bug fixed:
* Correct check for root password being already set in passwd.config
Closes: #260799
.
* Acknowledge 29.1 NMU:
Closes: #256664, #257949, #258241, #258563, #258566, #258957,
#190567, #259389, #260223, #257949, #259663, #259827
Debian Bug Importer (debzilla) wrote : | #24 |
Message-Id: <email address hidden>
Date: Tue, 27 Jul 2004 11:32:17 -0400
From: Karl Ramm <email address hidden>
To: <email address hidden>
Subject: Bug#260799: fixed in shadow 1:4.0.3-30
Daniel Robitaille (robitaille) wrote : | #25 |
Was fixed in Debian in 2004.
Changed in shadow: | |
status: | Unconfirmed → Fix Released |
Changed in shadow: | |
status: | Unknown → Fix Released |
Automatically imported from Debian bug report #260799 http://bugs.debian.org/260799