https://bugzilla.novell.com/show_bug.cgi?id=843230 https://bugzilla.novell.com/show_bug.cgi?id=843230#c2 --- Comment #2 from Cristian Rodríguez 2013-09-30 19:34:58 CLT --- Unfortunately I do not have an hypotesis about this issue, but "look ma!" after the last 13.1 upgrade.. # id uid=0(root) gid=0(root) groups=0(root),64(pkcs11) Root is added to the pkcs11 group ! something seems to be wrong with either rpm scriptlets that add users or with useradd itself. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=843230 https://bugzilla.novell.com/show_bug.cgi?id=843230#c4 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |suse-beta@cboltz.de --- Comment #4 from Christian Boltz 2013-12-06 22:11:07 CET --- (In reply to comment #3)

Incidentially, this is on the Raspberry Pi images; raspberrypi:~ # ll /etc/shadow -rw-r--r-- 1 root root 468 Dec 4 18:42 /etc/shadow This looks bad. Can anyone confirm? Should I file a separate bug report for this?

Yes, that's worth a separate bugreport. For the problem of having the wrong group for root -IIRC useradd, usermod etc. are logging to syslog what they are doing. Can the poeple who have the problem please grep their logs for it please? I'd try grep "root.*users" (or, as general command, grep "root.*$GROUP") Another way might be to add a watch on /etc/passwd and /etc/group with auditctl before starting the update, and to hope that the bug will appear. In any case, you should relate the timestamp to something in /var/log/zypp/history. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=843230 https://bugzilla.novell.com/show_bug.cgi?id=843230#c6 --- Comment #6 from Bernhard Wiedemann 2013-12-06 23:30:35 CET --- and https://github.com/openSUSE/obs-build/pull/88 For the original issue, I tried an upgrade from minimal 12.3 to 13.1 and everything remained as it should, so this is maybe only triggered by a package in the bigger installs. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=843230 https://bugzilla.novell.com/show_bug.cgi?id=843230#c8 --- Comment #8 from Robin Jacobs 2013-12-06 23:17:28 UTC --- Not sure whether this is related, but on my 13.1 x86_64 Gnome install I added my user to a group using YaST, and now there are *- and *.YaST2save versions of the files. The *- ones have the wrong permissions set, as the main files are on my (more frequently used and updated) KDE installations. /etc/shadow- doesn't appear to contain any passwords, though, so this doesn't appear to be a problem in itself, but is it possible that, at some point, the permissions of shadow and shadow- get swapper (perhaps by YaST)? I'm sorry if this end up not being related to the problem at hand. It's just something I noticed. http://www.imgdumper.nl/uploads7/52a259bda704a/52a259bd83a32-Screenshot_from... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=843230 https://bugzilla.novell.com/show_bug.cgi?id=843230#c10 --- Comment #10 from Robin Jacobs 2013-12-10 16:51:24 UTC --- I did a full reinstall today because the operating system got wrecked. Is it possible that this bug is only present in the KDE version, and not the Gnome one? Because... you might've guessed it; robin@linux:~> ls -al /etc/shadow -rw-r----- 1 root users 716 Dec 10 15:29 /etc/shadow This time it was installed with LVM and BTRFS. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=843230 https://bugzilla.novell.com/show_bug.cgi?id=843230#c12 --- Comment #12 from Robin Jacobs 2013-12-10 17:00:07 UTC --- OpenSUSE 13.1 x86_64 KDE Installed from a live USB, but this time I used a different USB drive and re-downloaded the image to make sure that wasn't the problem. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=843230 https://bugzilla.novell.com/show_bug.cgi?id=843230#c14 Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |meissner@suse.com Summary|VUL-0: root occasionaly |VUL-0: |gets group=100(users) |kiwi-config-openSUSE: root | |occasionaly gets | |group=100(users) --- Comment #14 from Marcus Meissner 2013-12-13 17:02:47 UTC --- and there it is: [ 895s] Nov-06 15:39:35 <1> : EXEC [chroot /usr/src/packages/BUILD/kiwi-image-livecd-kde-13.1/tmp /usr/sbin/usermod -p '' -g users root 2>&1] [ 895s] Nov-06 15:39:35 <1> : Setting owner/group permissions root [users] and its coming from kiwi-config-openSUSE -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=843230 https://bugzilla.novell.com/show_bug.cgi?id=843230#c16 --- Comment #16 from Bernhard Wiedemann 2013-12-13 19:00:12 CET --- This is an autogenerated message for OBS integration: This bug (843230) was mentioned in https://build.opensuse.org/request/show/210823 Factory:Live / kiwi-config-openSUSE -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=843230 https://bugzilla.novell.com/show_bug.cgi?id=843230#c18 --- Comment #18 from Bernhard Wiedemann 2013-12-14 09:00:16 CET --- This is an autogenerated message for OBS integration: This bug (843230) was mentioned in https://build.opensuse.org/request/show/210851 Factory / kiwi-config-openSUSE -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=843230 https://bugzilla.novell.com/show_bug.cgi?id=843230#c20 Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|VUL-0: |VUL-0: CVE-2013-3713: |kiwi-config-openSUSE: root |aaa_base |occasionaly gets |kiwi-config-openSUSE: root |group=100(users) |occasionaly gets | |group=100(users) Alias| |CVE-2013-3713 --- Comment #20 from Marcus Meissner 2013-12-17 14:17:26 UTC --- I have assigned: CVE-2013-3713 The image creation configuration incorrectly created the root user with the group "users", which later lead to files being owned by root:users instead of root:root when installing from the live image to a on-disk system. One sample file was /etc/shadow which was mode 640, root:users and so readable for local users. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=843230 https://bugzilla.novell.com/show_bug.cgi?id=843230#c Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard| |obs:running:2412:moderate -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=843230 https://bugzilla.novell.com/show_bug.cgi?id=843230#c Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard|obs:running:2412:moderate | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.