[Bug 629236] New: vlock cannot authenticate user - missing PAM configuration
http://bugzilla.novell.com/show_bug.cgi?id=629236
http://bugzilla.novell.com/show_bug.cgi?id=629236#c0

Summary: vlock cannot authenticate user - missing PAM configuration
Classification: openSUSE
Product: openSUSE 11.3
Version: Final
Platform: All
OS/Version: openSUSE 11.3
Status: NEW
Severity: Major
Priority: P5 - None
Component: Other
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: mike@mk-sys.cz
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9pre) Gecko/20100730

The vlock package is missing PAM configuration file /etc/pam.d/vlock so that vlock cannot authenticate users (default /etc/pam.d/other denies everyone).

In default installation, even with suitable /etc/pam.d/vlock, vlock still cannot authenticate users (unless run by root) as vlock-main does not have SGID bit and cannot read /etc/shadow. But this seems intentional according to /etc/permissions.* However, these files should set permissions of /usr/sbin/vlock-main rather than /usr/bin/vlock as the latter is a shell script now.

Reproducible: Always

Steps to Reproduce:
1. lock a terminal using vlock
2. press enter

Actual Results: vlock doesn't ask for password and shows "authentication failure"

Expected Results: ask for password and check it

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
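The three conditions named in the report above (no /etc/pam.d/vlock so PAM falls back to "other", no SGID bit on vlock-main, and /etc/permissions* naming the wrapper script) can be checked with a short script. This is an added example, not part of the bug report or the vlock package; the function names, the VLOCK_ROOT variable and the pam_deny.so test for a denying "other" policy are assumptions.

```shell
#!/bin/sh
# Added diagnostic, not from the bug report. An optional ROOT prefix lets the
# checks run against a constructed directory tree instead of the live system.

# Which PAM policy governs SERVICE: its own file, or the "other" fallback?
# Assumption: a denying fallback is recognised by an auth line using pam_deny.so.
pam_policy_for() {   # usage: pam_policy_for SERVICE [ROOT]
    svc=$1; root=${2:-}
    if [ -f "$root/etc/pam.d/$svc" ]; then
        echo "service-file"
    elif grep -Eqs '^[[:space:]]*auth[[:space:]].*pam_deny\.so' "$root/etc/pam.d/other"; then
        echo "fallback-deny"
    else
        echo "fallback-other"
    fi
}

# Does PATH carry the SGID bit? Without it (or root), the helper runs with the
# caller's groups only and cannot read /etc/shadow.
sgid_state() {   # usage: sgid_state PATH
    if [ ! -e "$1" ]; then echo "missing"
    elif [ -g "$1" ]; then echo "sgid"
    else echo "no-sgid"
    fi
}

# Which vlock path does a permissions file name? Comment lines are skipped.
permissions_target() {   # usage: permissions_target FILE
    [ -f "$1" ] || return 0
    awk '$1 !~ /^#/ && $1 ~ /\/vlock(-main)?$/ { print $1; exit }' "$1"
}

# Print one finding per line for the three conditions.
vlock_auth_check() {   # usage: vlock_auth_check [ROOT]
    root=${1:-}
    echo "pam policy for vlock: $(pam_policy_for vlock "$root")"
    echo "/usr/sbin/vlock-main: $(sgid_state "$root/usr/sbin/vlock-main")"
    for f in "$root"/etc/permissions "$root"/etc/permissions.*; do
        [ -f "$f" ] || continue
        t=$(permissions_target "$f")
        echo "$f: ${t:-no vlock entry}"
    done
}

# VLOCK_ROOT is a hypothetical override; unset means the live filesystem.
vlock_auth_check "${VLOCK_ROOT:-}"
```

A result of "fallback-deny" together with "no-sgid" corresponds to the "authentication failure" behaviour described in the report.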
yang xiaoyu
https://bugzilla.novell.com/show_bug.cgi?id=629236#c1
--- Comment #1 from Michal Kubeček
https://bugzilla.novell.com/show_bug.cgi?id=629236#c2
Pavol Rusnak
Pavol Rusnak
https://bugzilla.novell.com/show_bug.cgi?id=629236#c3
--- Comment #3 from Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=629236#c4
--- Comment #4 from Michal Kubeček
https://bugzilla.novell.com/show_bug.cgi?id=629236#c5
--- Comment #5 from Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=629236#c7
--- Comment #7 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=629236#c8
--- Comment #8 from Ludwig Nussel
We already audited vlock and didn't want to make it suid. Please see bnc#342924.
Great. The request to remove the existing entry from /etc/permissions didn't reach the maintainer though.
Why does vlock need suid/sgid? Isn't unix2_chkpwd exactly for that purpose?
That one is just plain broken.
https://bugzilla.novell.com/show_bug.cgi?id=629236#c9
--- Comment #9 from Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=629236#c13
--- Comment #13 from Ludwig Nussel
I added pam configuration to package in Base:System. I also changed rights to 2755 for %{_sbindir}/vlock-main.
Security team: can we change /etc/permissions.* by adding
/usr/sbin/vlock-main root:shadow 2755
comment 7 says no. So I will remove the entry from /etc/permissions*
https://bugzilla.novell.com/show_bug.cgi?id=629236#c14
Sebastian Krahmer
https://bugzilla.novell.com/show_bug.cgi?id=629236#c15
--- Comment #15 from Bernhard Wiedemann
http://bugzilla.novell.com/show_bug.cgi?id=629236#c16
--- Comment #16 from Bernhard Wiedemann