http://bugzilla.novell.com/show_bug.cgi?id=626517
http://bugzilla.novell.com/show_bug.cgi?id=626517#c29
--- Comment #29 from Nick Dordea
On some systems two exclamation marks indicate that the password has not been set yet and the account is locked. But AFAICS our useradd simply disables (== one exclamation mark) if no password was specified. On a standard installation of an openSUSE there should be only an asterisk or, if the account is locked, only one exclamation mark, e.g. by using `passwd -l <user>' or `usermod -L <user>'
... but during my debugging I've found that usermod creates a file /etc/shadow.old. Now locking leads to
# usermod -L nobody
# grep nobody /etc/shadow*
/etc/shadow:nobody:*:13595::::::
/etc/shadow.old:nobody:!*:13595::::::
# passwd -u nobody
# grep nobody /etc/shadow*
/etc/shadow:nobody:*:13595::::::
/etc/shadow.old:nobody:!*:13595::::::
that leads me to the conclusion that those two exclamation marks have existed for a long time in your /etc/shadow, e.g. from using an older version of usermod that added an exclamation mark even if the account was already locked. The current tool rejects locking twice:
# passwd -l nobody
Password for `nobody' is already locked!
... OK now let's see what happens on a 11.3:
# usermod -L nobody
# grep nobody /etc/shadow*
/etc/shadow:nobody:!*:14832::::::
/etc/shadow.old:nobody:*:14832::::::
# su nobody
su: incorrect password
... that is a bug on 11.3, as locking the user nobody with system tools means that even root cannot do an su to a locked account.
The question is: does this bug belong to PAM or to su. Hand over to Philipp and Michael.
Hello Werner,
Definitely we have an issue with i) the status of system-accounts after upgrade to 11.3 and/or ii) how su et co. interpret the system-accounts. What is relevant for me is that an upgraded feature is failing; for me it is irrelevant which is true, i) or ii) or i) + ii). Learning that the nobody account seems to be the root cause, I took the liberty to do some testing:
1. delete nobody entry that has !
2. create a new nobody
3. create a nobody1 (almost identical with nobody)
4. get the new records structures
5. test su nobody[1]
6. test mktexlsr if 5 is ok
7. test latex if 5, 6 are ok
8. test kile if 5, 6, 7 are ok.
The good news is that all above tests were ok. So the new account has * in /etc/shadow, which is the correct structure. Please find below the tests.
From my point of view, it seems that under some conditions 11.3 is not fully backward compatible with 11.2. The backward compatibility of 11.3 is the issue. Is a script/etc. that deletes then recreates all system-accounts the solution? Maybe .......
Another fact, /etc/default/password has
CRYPT=md5
CRYPT_FILES=blowfish
The passwords encrypted via md5 start with $1$ whereas those encrypted via
blowfish start with $2a$
here is the old-accounts on my system
sudo grep r<removed> /etc/passwd /etc/shadow /etc/shadow.old
root's password:
/etc/passwd:root:x:0:0:root:/root:/bin/bash
/etc/passwd:rxxx:x:1000:100:rocco:/home/rocco:/bin/bash
/etc/shadow:root:$2a$05$<removed>:<removed>::::::
/etc/shadow:rxxx:$2a$05$<removed>:<removed>:0:99999:7:::
/etc/shadow.old:root:$2a$05$<removed>:<removed>::::::
/etc/shadow.old:rocco:$2a$05$<removed>:<removed>:0:99999:7:::
now the data for a brand new account
~> sudo grep rtest /etc/passwd /etc/shadow /etc/shadow.old
/etc/passwd:rtest:x:500:100:rtest:/home/rtest:
/etc/shadow:rtest:$1$<removed>:<removed>:0:::::0
/etc/shadow.old:rtest:!!:<removed>:0:::::0
It seems that the old accounts were encrypted with blowfish and the upgraded
system encrypts them using md5.
It seems that upgrade-to-11.3 process does not conserve the defaults
established on the 11.2 system. Maybe something similar happened with the
system-accounts.
Let's hope that this [i.e. backward compatibility ] is the light at the end of
the tunnel.
Thanks,
nd
=============================== testing data ==================
~> sudo /usr/sbin/userdel nobody
root's password:
no crontab for nobody
~> sudo /usr/sbin/useradd -u 65534 -g 65533 -d /varlib/nobody -s /bin/bash -c nobody -r nobody
~> sudo /usr/sbin/useradd -u 65532 -g 65533 -d /varlib/nobody2 -s /bin/bash -c nobody1 -r nobody1
~> sudo grep nobody /etc/passwd /etc/shadow /etc/shadow.old
/etc/passwd:nobody:x:65534:65533:nobody:/varlib/nobody:/bin/bash
/etc/passwd:nobody1:x:65532:65533:nobody1:/varlib/nobody2:/bin/bash
/etc/shadow:nobody:*:14834:0:99999:7:::
/etc/shadow:nobody1:*:14834:0:99999:7:::
/etc/shadow.old:nobody:*:14834:0:99999:7:::
~> su
Password:
# su nobody
----- successful
exit
~> su
Password:
# su nobody1
----- successful
exit
~> sudo /usr/sbin/userdel nobody1
root's password:
no crontab for nobody1
sudo mktexlsr
root's password:
mktexlsr: Updating /etc/texmf/ls-R...
mktexlsr: Updating /usr/lib/texmf/ls-R...
mktexlsr: Updating /usr/local/share/texmf/ls-R...
mktexlsr: Updating /usr/share/lilypond/2.12.3/ls-R...
mktexlsr: Updating /usr/share/texmf/ls-R...
mktexlsr: Updating /var/cache/texmf/fonts/ls-R...
mktexlsr: Updating /var/lib/texmf/ls-R...
mktexlsr: Done.
~> latex
This is pdfTeX, Version 3.1415926-1.40.10 (TeX Live
2009/obs://build.opensuse.org/Publishing)
**\bye
entering extended mode
LaTeX2e <2009/09/24>
Babel
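The thread above turns on how the second field of /etc/shadow is read: `*` means no password, a leading `!` means locked, `!!` means never set (or, per Werner, locked twice by an older usermod), and `$1$` / `$2a$` mark md5 and blowfish hashes. The following is an added example (not code from the bug report or from the shadow tools) that parses shadow-format lines, classifies each account, mimics the "already locked" refusal of a current `passwd -l`, and reports the two things a defender auditing an upgraded system would want flagged: double-locked entries and hashes that do not match the configured algorithm. All sample entries are constructed; the hash bodies are placeholders, not real hashes.

```python
"""Classify /etc/shadow password fields and audit them for the conditions
discussed in the bug (double locks, unexpected hash algorithm).
Added example; sample data below is constructed, not from any real system."""
from dataclasses import dataclass

# Hash prefixes named in the discussion: $1$ = md5-crypt, $2a$ = blowfish (bcrypt).
HASH_PREFIXES = {"$1$": "md5", "$2a$": "blowfish"}


@dataclass
class ShadowStatus:
    user: str
    field: str
    locked: bool      # a leading '!' locks the account
    lock_depth: int   # count of leading '!' (2 = never set, or locked twice)
    loginable: bool   # True only if a real hash remains and nothing locks it
    algorithm: str    # md5 / blowfish / none / unknown


def classify_field(user: str, field: str) -> ShadowStatus:
    """Interpret one shadow password field."""
    body = field.lstrip("!")
    lock_depth = len(field) - len(body)
    locked = lock_depth > 0
    if body in ("", "*"):
        # '*' is the "disabled, no password" marker; '!' or '!!' alone means
        # no password was ever set. Neither can authenticate.
        return ShadowStatus(user, field, locked, lock_depth, False, "none")
    algorithm = next((name for prefix, name in HASH_PREFIXES.items()
                      if body.startswith(prefix)), "unknown")
    return ShadowStatus(user, field, locked, lock_depth, not locked, algorithm)


def parse_shadow(text: str) -> list:
    """Parse shadow-format lines (user:password:lastchg:...) into statuses."""
    statuses = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue  # not a shadow record
        statuses.append(classify_field(parts[0], parts[1]))
    return statuses


def lock_field(field: str) -> str:
    """Lock like a current passwd -l: refuse to add a second '!'."""
    if field.startswith("!"):
        raise ValueError("already locked")
    return "!" + field


def unlock_field(field: str) -> str:
    """Undo lock_field: strip exactly one '!'."""
    if not field.startswith("!"):
        raise ValueError("not locked")
    return field[1:]


def audit(text: str, expected_algorithm: str = "blowfish") -> list:
    """Return (user, finding) pairs for entries worth a second look."""
    findings = []
    for s in parse_shadow(text):
        if s.lock_depth >= 2 and s.algorithm == "none":
            findings.append((s.user, "password never set"))
        elif s.lock_depth >= 2:
            findings.append((s.user, "locked more than once"))
        if s.algorithm not in ("none", expected_algorithm):
            findings.append((s.user, f"hash is {s.algorithm}, expected {expected_algorithm}"))
    return findings


# Constructed sample file: placeholder hash bodies, not real hashes.
SAMPLE_SHADOW = """\
root:$2a$05$PLACEHOLDERBLOWFISHHASHBODY00000000000000000000000000:14832::::::
rtest:$1$PLACEHLD$PLACEHOLDERMD5HASHBODY00:14834:0:::::0
nobody:*:14832::::::
daemon:!*:14832::::::
svc:!!:14834:0:::::0
legacy:!!$2a$05$PLACEHOLDERBLOWFISHHASHBODY00000000000000000000000000:13595::::::
"""

if __name__ == "__main__":
    for status in parse_shadow(SAMPLE_SHADOW):
        print(status)
    for user, finding in audit(SAMPLE_SHADOW):
        print(f"{user}: {finding}")
```

Run on the constructed file it reports `rtest` (md5 where blowfish is expected, the CRYPT=md5 versus $2a$ mismatch described above), `svc` (never set) and `legacy` (locked twice). Pointing `parse_shadow` at the text of a real /etc/shadow and /etc/shadow.old side by side is the quickest way to see which entries an upgrade changed.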