http://bugzilla.novell.com/show_bug.cgi?id=629236 http://bugzilla.novell.com/show_bug.cgi?id=629236#c yang xiaoyu changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |xyyang@novell.com AssignedTo|bnc-team-screening@forge.pr |prusnak@novell.com |ovo.novell.com | -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=629236 https://bugzilla.novell.com/show_bug.cgi?id=629236#c2 Pavol Rusnak changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |prusnak@novell.com AssignedTo|prusnak@novell.com |security-team@suse.de Summary|vlock cannot authenticate |AUDIT-0: vlock - setgid |user - missing PAM |needed |configuration | --- Comment #2 from Pavol Rusnak 2010-09-09 14:27:24 CEST --- I added pam configuration to package in Base:System. I also changed rights to 2755 for %{_sbindir}/vlock-main. Security team: can we change /etc/permissions.* by adding /usr/sbin/vlock-main root:shadow 2755 and by removing all obsoleted /usr/bin/vlock lines? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=629236 https://bugzilla.novell.com/show_bug.cgi?id=629236#c3 --- Comment #3 from Ludwig Nussel 2010-09-22 16:42:41 CEST --- It scares me that we carry around broken permissions on vlock and noone noticed. I'd actually prefer to remove the vlock entry completely :-) OTOH it's not that common so it doesn't hurt many. root:shadow 2755 isn't quite right in general btw, it whould be root:root 4755 to make sure it also works with NIS+. I'll change the permissions entry as requested we had vlock that way in the past anyways. It should be reviewed nevertheless. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=629236 https://bugzilla.novell.com/show_bug.cgi?id=629236#c5 --- Comment #5 from Ludwig Nussel 2010-09-24 16:34:04 CEST --- sr#49053 for factory. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=629236 https://bugzilla.novell.com/show_bug.cgi?id=629236#c8 --- Comment #8 from Ludwig Nussel 2010-09-28 10:44:48 CEST --- (In reply to comment #7)

We already audited vlock and didnt want to make it suid. Please see bnc#342924.

Great. The request to remove the existing entry from /etc/permissions didn't reach the maintainer though.

Why does vlock need suid/sgid. Isnt unix2_chkpwd exactly for that purpose?

That one is just plain broken. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=629236 https://bugzilla.novell.com/show_bug.cgi?id=629236#c13 --- Comment #13 from Ludwig Nussel 2010-10-12 16:37:32 CEST --- (In reply to comment #2)

I added pam configuration to package in Base:System. I also changed rights to 2755 for %{_sbindir}/vlock-main.

Security team: can we change /etc/permissions.* by adding

/usr/sbin/vlock-main root:shadow 2755

comment 7 says no. So I will remove the entry from /etc/permissions* -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=629236 https://bugzilla.novell.com/show_bug.cgi?id=629236#c15 --- Comment #15 from Bernhard Wiedemann 2011-10-31 22:02:55 CET --- This is an autogenerated message for OBS integration: This bug (629236) was mentioned in https://build.opensuse.org/request/show/89843 Tumbleweed / permissions -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.