http://bugzilla.novell.com/show_bug.cgi?id=556077

http://bugzilla.novell.com/show_bug.cgi?id=556077#c5

--- Comment #5 from Henryk Hecht <kq8z67r6309fo9001@sneakemail.com> 2009-11-25 00:35:29 UTC ---

Yes, the systems I've seen this on all started before 11.1, though most passed through 11.1 on the way to 11.2. I think the only upgrade scenario that is well-tested now is clean install of the previous revision upgrading to the current.

The documentation for "!"/"*" seems to be hiding from me at the moment. shadow(5) is silent on the subject, as is passwd(1). While I've seen the idea that "*" is for system accounts (e.g. postgres) and "!" is for "services" (i.e. things which you would never need to log in as), I'm not sure where this idea came from and it does not appear to be part of any standard. The "normal" interpretation of shadow is, I think, that anything that is not in [A-Z][a-z][0-9]./$ is equivalent and means the account is locked. "!" and "!!" seem to show up on a lot of different systems, as does "*", but in principle "^" or "@" should behave the same.

Anyway, it is beside the point. Locked or not, root should be able to su to the account, as he can on every *nix. Even Solaris, which has "NP" and "*LK*" with slightly less ambiguous semantics, does not prevent this in either case.

In SuSE's case, the bug seems to have come in with pam_unix2.so's:

    2009-02-09  Thorsten Kukuk

        * release version 2.7.2
        * src/unix_passwd.c (pam_sm_chauthtok): Do password check always, not only in PRELIM.
        * po/*.po: Update translations.

so it seems the fix is either a) revert/rework this change, b) make pam_acct_mgmt somehow not fail under this circumstance, c) modify the PAM section of su.c in coreutils. I do not know enough about PAM to tell what is correct; only that in the end, su from root should not care what is in the second field of /etc/shadow.
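Added example, not part of the original comment and not code from pam_unix2 or coreutils: a small audit helper that applies the character-set rule described in the comment to the second field of shadow-format entries, so an administrator can see which accounts an upgrade left locked or without a password. The sample entries are constructed, and the function names and state labels are assumptions of this example.

```python
import re

# Alphabet the comment gives for a usable password field: [A-Z][a-z][0-9]./$
# This is a character-set check only; it does not validate hash length or scheme.
HASH_RE = re.compile(r"[A-Za-z0-9./$]+")

def classify_field(field):
    """Classify the second field of a shadow entry (labels are this example's own)."""
    if field == "":
        return "empty"                      # no password set at all
    if HASH_RE.fullmatch(field):
        return "hash"                       # looks like a crypt(3) result
    rest = field.lstrip("!")
    if rest and HASH_RE.fullmatch(rest):
        return "locked-hash-retained"       # e.g. "!" prepended to an existing hash
    return "locked"                         # "*", "!", "!!", "^", "@", ...

def audit_shadow(text):
    """Return {user: state} for every well-formed entry in shadow-format text."""
    states = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 2 or not parts[0]:
            continue                        # skip blank or malformed lines
        states[parts[0]] = classify_field(parts[1])
    return states

# Constructed sample entries (not taken from any real system).
SAMPLE = """\
root:$6$saltsalt$abcdefghijklmnopqrstuv:14573:0:99999:7:::
postgres:*:14573::::::
ftp:!:14573::::::
alice:!$6$saltsalt$abcdefghijklmnopqrstuv:14573:0:99999:7:::
guest::14573::::::
odd:^:14573::::::
"""

if __name__ == "__main__":
    for user, state in audit_shadow(SAMPLE).items():
        print(f"{user:10} {state}")
```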