[Bug 556077] New: su from root fails for locked accounts
http://bugzilla.novell.com/show_bug.cgi?id=556077#c0

           Summary: su from root fails for locked accounts
    Classification: openSUSE
           Product: openSUSE 11.2
           Version: Final
          Platform: x86
        OS/Version: openSUSE 11.2
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: kq8z67r6309fo9001@sneakemail.com
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.4) Gecko/20091016 SUSE/3.5.4-1.1.2 Firefox/3.5.4

In 11.2, su refuses to switch to any account which is locked/disabled (starts with "!" in /etc/shadow), even when run as root. This is at least quite different to previous versions, as well as every other *nix. It is probably also incorrect, as there does not seem to be any documentation of this fact in passwd(5), shadow(5), or su(1).

/etc/pam.d/su-l has:

#%PAM-1.0
auth     sufficient pam_rootok.so
auth     include    common-auth
account  include    common-account
password include    common-password
session  include    common-session
session  optional   pam_xauth.so

as before, so one would really believe this should work.

As many of the system/daemon accounts are "!", and at least some (e.g. postgres) must be su'd to from time to time, this does not work out well.

Replacing the su binary with an older version doesn't help, so the problem is probably occurring someplace else (pam_rootok?).

Reproducible: Always

Steps to Reproduce:
1. # su - postgres

Actual Results:
su: incorrect password

Expected Results:
postgres@host:~>

-- 
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=556077#c1

Thomas Biege <thomas@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|security-team@suse.de       |pth@novell.com

--- Comment #1 from Thomas Biege <thomas@novell.com> 2009-11-17 12:20:30 UTC ---
Philipp, can you have a look please.
http://bugzilla.novell.com/show_bug.cgi?id=556077#c2

Georg Müller <georgmueller@gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |georgmueller@gmx.net

--- Comment #2 from Georg Müller <georgmueller@gmx.net> 2009-11-23 16:12:36 UTC ---
I had the same problem. Changing "!" to "*" in /etc/shadow did it for me.
http://bugzilla.novell.com/show_bug.cgi?id=556077#c3

--- Comment #3 from Henryk Hecht <kq8z67r6309fo9001@sneakemail.com> 2009-11-24 00:31:29 UTC ---
"!" -> "*" does work, but it shouldn't matter.

I looked a little further, and the problem happens in pam_unix2.so of pam-modules during su's call to pam_acct_mgmt. The 11.1 version of pam-modules works fine.

Another workaround I found, which does not involve editing shadow or downgrading, is to use "sudo -u postgres -i" instead. The latter obviously does not fix other problems, like the postgres init script or NX server.
http://bugzilla.novell.com/show_bug.cgi?id=556077#c4

--- Comment #4 from Georg Müller <georgmueller@gmx.net> 2009-11-24 09:37:54 UTC ---
In some new initial installations >= 11.1 I have no "!" at all in my /etc/shadow (they all have a "*"). My initial installation is older (10.x), and I think this is related to this.

So it seems there was a change in semantics. A locked user ("passwd -l", "!" in shadow) is something different than a user without password. The documentation in this area is not the best ;)
http://bugzilla.novell.com/show_bug.cgi?id=556077#c5

--- Comment #5 from Henryk Hecht <kq8z67r6309fo9001@sneakemail.com> 2009-11-25 00:35:29 UTC ---
Yes, the systems I've seen this on all started before 11.1, though most passed through 11.1 on the way to 11.2. I think the only upgrade scenario that is well-tested now is clean install of the previous revision upgrading to the current.

The documentation for "!"/"*" seems to be hiding from me at the moment. shadow(5) is silent on the subject, as is passwd(1). While I've seen the idea that "*" is for system accounts (e.g. postgres) and "!" is for "services" (i.e. things which you would never need to log in as), I'm not sure where this idea came from and it does not appear to be part of any standard. The "normal" interpretation of shadow is, I think, that anything that is not in [A-Z][a-z][0-9]./$ is equivalent and means the account is locked. "!" and "!!" seem to show up on a lot of different systems, as does "*", but in principle "^" or "@" should behave the same.

Anyway, it is beside the point. Locked or not, root should be able to su to the account, as he can on every *nix. Even Solaris, which has "NP" and "*LK*" with slightly less ambiguous semantics, does not prevent this in either case.

In SuSE's case, the bug seems to have come in with pam_unix2.so's:

2009-02-09 Thorsten Kukuk
  * release version 2.7.2
  * src/unix_passwd.c (pam_sm_chauthtok): Do password check always, not only in PRELIM.
  * po/*.po: Update translations.

so it seems the fix is either
a) revert/rework this change,
b) make pam_acct_mgmt somehow not fail under this circumstance,
c) modify the PAM section of su.c in coreutils.

I do not know enough about PAM to tell what is correct; only that in the end, su from root should not care what is in the second field of /etc/shadow.
http://bugzilla.novell.com/show_bug.cgi?id=556077#c6

Philipp Thomas <pth@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pth@novell.com
         AssignedTo|pth@novell.com              |mc@novell.com

--- Comment #6 from Philipp Thomas <pth@novell.com> 2009-11-25 17:48:21 UTC ---
As this is a PAM issue and not su/coreutils I'm reassigning this to the current pam maintainer.
http://bugzilla.novell.com/show_bug.cgi?id=556077

Michael Calmer <mc@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
http://bugzilla.novell.com/show_bug.cgi?id=556077#c7

Michael Calmer <mc@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P3 - Medium
             Status|ASSIGNED                    |NEEDINFO
      Info Provider|                            |maintenance@opensuse.org

--- Comment #7 from Michael Calmer <mc@novell.com> 2009-11-26 14:08:07 UTC ---
Checking the password hash in acct_mgmt is wrong. It is checked in auth. So we should remove the check for "!" in acct_mgmt function of pam_unix2.

Maintenance Team: a swampid for this, please.
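The following is an added example written for this page; it is not code from the bug report, from pam-modules or from libpam. It models the /etc/pam.d/su-l stack quoted in the report together with the pam_unix2 behaviour described in comments #3, #5 and #7 (the account stage re-checked the shadow hash and failed on a leading "!"), and shows why pam_rootok.so could not rescue root: "sufficient" short-circuits only the auth stage, and su then calls pam_acct_mgmt separately. The shadow lines are constructed, the hash is a hashlib stand-in for crypt(3), common-auth and common-account are assumed to expand to one "required pam_unix2" line each, and the PAM return codes are plain strings rather than the libpam constants. The acct_checks_hash flag switches between the 11.2 behaviour (True) and the fix proposed in comment #7 (False).

```python
"""Model of bug 556077: su-l PAM stack vs. a "!"-locked shadow entry (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Optional

PAM_SUCCESS, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"
PAM_USER_UNKNOWN, PAM_ACCT_EXPIRED = "PAM_USER_UNKNOWN", "PAM_ACCT_EXPIRED"


def make_hash(password: str, salt: str = "saltsalt") -> str:
    """Stand-in for sha512-crypt ("$6$"); NOT the real crypt(3) algorithm."""
    return f"$6${salt}${hashlib.sha512((salt + password).encode()).hexdigest()}"


def verify(password: str, h: str) -> bool:
    _, _algo, salt, _digest = h.split("$", 3)
    return make_hash(password, salt) == h


# Constructed /etc/shadow lines (not from any real system): nine colon-separated fields.
SHADOW_TEXT = "\n".join([
    f"root:{make_hash('root-pw')}:14567:0:99999:7:::",
    "postgres:!:14567:0:99999:7:::",                       # system account, "!"  (the trigger)
    "nobody:*:14567:0:99999:7:::",                         # system account, "*"  (the workaround)
    f"alice:!{make_hash('alice-pw')}:14567:0:99999:7:::",  # real user after passwd -l
    "daemon:!!:14567:0:99999:7:::",
])


def parse_shadow(text: str) -> dict:
    """Return {user: hash_field}; rejects lines that do not have nine fields."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries[fields[0]] = fields[1]
    return entries


def classify_hash(h: str) -> str:
    """Second shadow field as comment #5 reads it: "locked" ("!"-prefixed, passwd -l),
    "hash" (a crypt string), "empty", or "nologin" (any other marker, e.g. "*")."""
    if h == "":
        return "empty"
    if h.startswith("!"):
        return "locked"
    if h.startswith("$") or (len(h) == 13 and all(c.isalnum() or c in "./" for c in h)):
        return "hash"
    return "nologin"


@dataclass
class Ctx:
    calling_uid: int
    target: str
    shadow: dict
    password: Optional[str] = None   # what the caller typed, if anything
    acct_checks_hash: bool = True    # True: pam_unix2 2.7.2 behaviour; False: comment #7 fix


def pam_rootok(stage: str, ctx: Ctx) -> str:
    """Implements auth only: root gets in without a password."""
    return PAM_SUCCESS if stage == "auth" and ctx.calling_uid == 0 else PAM_AUTH_ERR


def pam_unix2(stage: str, ctx: Ctx) -> str:
    h = ctx.shadow.get(ctx.target)
    if h is None:
        return PAM_USER_UNKNOWN
    if stage == "auth":
        # A locked, "*" or empty field matches nothing, whatever was typed.
        if classify_hash(h) != "hash" or ctx.password is None:
            return PAM_AUTH_ERR
        return PAM_SUCCESS if verify(ctx.password, h) else PAM_AUTH_ERR
    # account stage: aging/expiry belong here, the hash does not (comment #7).
    if ctx.acct_checks_hash and h.startswith("!"):
        return PAM_ACCT_EXPIRED      # 11.2 behaviour; su reported it as "incorrect password"
    return PAM_SUCCESS


# The su-l stack from the report, includes expanded (assumed contents of common-*).
SU_L_STACK = [
    ("auth", "sufficient", pam_rootok),
    ("auth", "required", pam_unix2),      # common-auth
    ("account", "required", pam_unix2),   # common-account
]


def run_stage(stage: str, ctx: Ctx) -> str:
    """Simplified libpam control-flag semantics for a single stage."""
    failure = None
    for st, control, module in SU_L_STACK:
        if st != stage:
            continue
        rc = module(stage, ctx)
        if control == "sufficient":
            if rc == PAM_SUCCESS and failure is None:
                return PAM_SUCCESS   # skips the rest of THIS stage only
        elif rc != PAM_SUCCESS and failure is None:
            failure = rc             # required: remember first failure, keep going
    return failure or PAM_SUCCESS


def su(ctx: Ctx) -> str:
    """su calls pam_authenticate, then pam_acct_mgmt; the first failure wins."""
    rc = run_stage("auth", ctx)
    return rc if rc != PAM_SUCCESS else run_stage("account", ctx)


if __name__ == "__main__":
    shadow = parse_shadow(SHADOW_TEXT)
    for bug in (True, False):
        print("pam_unix2 acct_mgmt checks hash:", bug)
        for target in ("postgres", "nobody", "alice"):
            print(f"  root# su - {target:9}", su(Ctx(0, target, shadow, acct_checks_hash=bug)))
        print("  alice$ su - postgres ", su(Ctx(1000, "postgres", shadow, "guess", bug)))
```

Running it shows the three observations in the thread side by side: with the hash check in acct_mgmt, root's su to postgres (or to a user locked with passwd -l) fails after auth already succeeded via pam_rootok, while the same su to a "*" account succeeds; without that check root gets through to every account, and a non-root caller is still refused for a locked account because the auth stage, not the account stage, is where the hash is rejected.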
http://bugzilla.novell.com/show_bug.cgi?id=556077#c9

Michael Calmer <mc@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jnelson-suse@jamponi.net

--- Comment #9 from Michael Calmer <mc@novell.com> 2009-12-01 08:43:58 UTC ---
*** Bug 556518 has been marked as a duplicate of this bug. ***
http://bugzilla.novell.com/show_bug.cgi?id=556518
http://bugzilla.novell.com/show_bug.cgi?id=556077#c10

Swamp Workflow Management <swamp@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Status Whiteboard|                           |maint:running:29272

--- Comment #10 from Swamp Workflow Management <swamp@suse.com> 2009-12-02 16:39:14 UTC ---
The SWAMPID for this issue is 29272. Please submit the patch and patchinfo file using this ID. (https://swamp.suse.de/webswamp/wf/29272)
http://bugzilla.novell.com/show_bug.cgi?id=556077

Dirk Mueller <dmueller@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
      Info Provider|maintenance@opensuse.org    |
http://bugzilla.novell.com/show_bug.cgi?id=556077#c11

Michael Calmer <mc@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED
   Target Milestone|---                         |Final

--- Comment #11 from Michael Calmer <mc@novell.com> 2009-12-02 16:51:15 UTC ---
Package submitted and patchinfo created. => fixed.
http://bugzilla.novell.com/show_bug.cgi?id=556077#c12

Anna Bernathova <anicka@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |raffo@cdi.com

--- Comment #12 from Anna Bernathova <anicka@novell.com> 2009-12-04 11:56:23 UTC ---
*** Bug 559198 has been marked as a duplicate of this bug. ***
http://bugzilla.novell.com/show_bug.cgi?id=559198
http://bugzilla.novell.com/show_bug.cgi?id=556077#c13

Martin Barry <marty@supine.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |marty@supine.com

--- Comment #13 from Martin Barry <marty@supine.com> 2009-12-16 09:05:07 UTC ---
*** Bug 558409 has been marked as a duplicate of this bug. ***
http://bugzilla.novell.com/show_bug.cgi?id=558409
http://bugzilla.novell.com/show_bug.cgi?id=556077#c14

Henryk Hecht <nvbugs@hhecht.e4ward.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
          Component|Security                    |Security
         Resolution|FIXED                       |
            Product|openSUSE 11.2               |openSUSE 11.3
         OS/Version|openSUSE 11.2               |openSUSE 11.3

--- Comment #14 from Henryk Hecht <nvbugs@hhecht.e4ward.com> 2010-08-07 00:57:01 UTC ---
Reopening for 11.3 regression; same exact bug (probably with the same cause) seems to be in final; possibly patch from comment #11 didn't make it into factory?

It would be nice to have a patch for 11.3, and make sure it gets applied to factory/11.4/whatever else needs it to avoid future regressions.
http://bugzilla.novell.com/show_bug.cgi?id=556077#c15

--- Comment #15 from Jon Nelson <jnelson-suse@jamponi.net> 2010-08-07 01:00:28 UTC ---
Not 10 minutes ago I hit this. A freshly installed postgres *cannot be started* unless one already knows the "trick" of changing '!' to '*'.
http://bugzilla.novell.com/show_bug.cgi?id=556077#c16

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
                 CC|                            |lnussel@novell.com
          Component|Security                    |Security
         Resolution|                            |FIXED
         AssignedTo|mc@novell.com               |security-team@suse.de
            Product|openSUSE 11.3               |openSUSE 11.2

--- Comment #16 from Ludwig Nussel <lnussel@novell.com> 2010-08-13 13:46:54 CEST ---
This was an 11.2 bug and was fixed for 11.2. Please leave it that way. The issue for 11.3 is tracked in e.g. bug 626517.
http://bugzilla.novell.com/show_bug.cgi?id=556077#c17

--- Comment #17 from Bernhard Wiedemann <bwiedemann@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (556077) was mentioned in
https://build.opensuse.org/request/show/25415 11.2:Test / pam-modules