[Bug 623432] New: su from root fails for locked accounts

http://bugzilla.novell.com/show_bug.cgi?id=623432 http://bugzilla.novell.com/show_bug.cgi?id=623432#c0 Summary: su from root fails for locked accounts Classification: openSUSE Product: openSUSE 11.3 Version: Final Platform: All OS/Version: openSUSE 11.3 Status: NEW Severity: Normal Priority: P5 - None Component: Security AssignedTo: security-team@suse.de ReportedBy: nathanr@lesmills.net.au QAContact: qa@suse.de Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.10) Gecko/20100506 SUSE/3.5.10-0.1.1 Firefox/3.5.10 I've managed to reproduce bug #556077 on openSUSE 11.3. It's claimed in that bug that it was fixed in 11.2, but I can reproduce it under 11.3. Reproducible: Always Steps to Reproduce: linux-07mr:~ # useradd -m -d /opt/test -g postgres test linux-07mr:~ # su - test su: incorrect password linux-07mr:~ # passwd test Changing password for test. New Password: Bad password: too short Reenter New Password: Password changed. linux-07mr:~ # su - test test@linux-07mr:~> another use case: linux-07mr:~ # useradd -m -d /opt/test -g postgres test linux-07mr:~ # grep test /etc/shadow test:!:14809:0:99999:7::: linux-07mr:~ # vim /etc/shadow linux-07mr:~ # grep test /etc/shadow test:*:14809:0:99999:7::: linux-07mr:~ # su - test test@linux-07mr:~> Actual Results: Can not su from root to another non-root user which has a disabled account where there is a "!" for the password. Works fine where "*" is the password, as per bug #556077 Expected Results: Should be able to su as root to a disabled account. As noted in bug #550677, this stops the PostgreSQL initdb scripts from working. For us, it's EnterpriseDB PostgresPlus Standard installer, which works fine on SLES 11 SP1, but not on openSUSE 11.2 or 11.3. They do a "useradd" then an "su" to the created user, which fails. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=623432 http://bugzilla.novell.com/show_bug.cgi?id=623432#c Ludwig Nussel <lnussel@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |security-team@suse.de AssignedTo|security-team@suse.de |mc@novell.com -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=623432 http://bugzilla.novell.com/show_bug.cgi?id=623432#c1 ferdinand gassauer <gassauer@kde.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P2 - High CC| |gassauer@kde.org Severity|Normal |Major --- Comment #1 from ferdinand gassauer <gassauer@kde.org> 2010-07-22 06:48:26 UTC --- as it prohibits "normal" use of all databases (mysql and postgres) and may be others services this should be fixed ASAP it's not production ready to ask end users to fiddle around in /etc/shadow to replace '!' by '*' -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=623432 http://bugzilla.novell.com/show_bug.cgi?id=623432#c2 Michael Calmer <mc@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO CC| |kukuk@novell.com InfoProvider| |kukuk@novell.com AssignedTo|mc@novell.com |pth@novell.com --- Comment #2 from Michael Calmer <mc@novell.com> 2010-07-26 08:57:38 UTC --- Thorsten added account-mgmt support in pam_rootok.so . So the solution would be to add account sufficient pam_rootok.so to /etc/pam.d/su-l Don't know if this is a good idea to change the pam config file within a release. This is a decision of the coreutils maintainer. Thorsten: any comment on this? -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=623432 http://bugzilla.novell.com/show_bug.cgi?id=623432#c3 Thorsten Kukuk <kukuk@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |RESOLVED InfoProvider|kukuk@novell.com | Resolution| |INVALID --- Comment #3 from Thorsten Kukuk <kukuk@novell.com> 2010-08-02 09:38:06 UTC --- The behavior is correct and the expected one by definition. Please read the useradd manual page and fix your useradd command for postgres. You need to create a system account if it should be without password and root be able to su into it. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=623432 http://bugzilla.novell.com/show_bug.cgi?id=623432#c4 --- Comment #4 from ferdinand gassauer <gassauer@kde.org> 2010-08-02 20:15:20 UTC --- thanks for pointing out FYI the behaviour must have changed between 11.2 and 11.3, because my installation worked before and didn't work any more after update. BTW man:/useradd - -r, --system Create a system account. A system account is an user with an UID between SYSTEM_UID_MIN and SYSTEM_UID_MAX as defined in /etc/login.defs, if no UID is specified. The GROUPS entry in /etc/default/useradd is ignored, too. IMHO this is not helpful for this issue, it does not explain the issue and I wouldn't know why a user or admin should useradd the user postgres - this account was available "forever" and should be fixed in the distributed rpm. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=623432 http://bugzilla.novell.com/show_bug.cgi?id=623432#c5 --- Comment #5 from Thorsten Kukuk <kukuk@novell.com> 2010-08-02 20:32:43 UTC --- (In reply to comment #4)
thanks for pointing out
FYI the behaviour must have changed between 11.2 and 11.3, because my installation worked before and didn't work any more after update.
Exact the same issue with EnterpriseDB PostgresPlus Standard installer was already reported before 11.2 was released. So this has not changed between 11.2 and 11.3, but the root is a bug fix in handling of shadow passwords before 11.2. For plain /etc/passwd systems, the current behavior was already the default for ever, only /etc/shadow handling did contain a bug. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com