Anders Johansson wrote:

On Thursday 08 October 2009 11:46:14 Bjoern Voigt wrote:

...

3) mybox:~ # grep nobody /etc/passwd /etc/shadow /etc/passwd:nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash /etc/shadow:nobody:!!:8902:0:10000::::

There is the problem, those !! things there. That should be * instead of !!

BTW: does the group(1) command on Suse still allow to become a group if the file /etc/group has an empty passwd field for the related group? This would be a security risk as the traditinal UNIX behavior is to disallow group(1) for groups with wmpty passwd fields. Jörg -- EMail:joerg@schily.isdn.cs.tu-berlin.de (home) Jörg Schilling D-13353 Berlin js@cs.tu-berlin.de (uni) joerg.schilling@fokus.fraunhofer.de (work) Blog: http://schily.blogspot.com/ URL: http://cdrecord.berlios.de/private/ ftp://ftp.berlios.de/pub/schily -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Juergen Weigert wrote:

SUSE does not have group(1) command. We have groups(1) and newgrp(1) and group(5).

Sorry, I was talkng about newgrp(1).

If you are questioning the behaviour of newgrp, yes, I believe an empty password should mean entering the group without password is permitted.

I don't have any traditional references at hand. Solaris 5.9 man page appears to agrees with our man page, they say:

solaris$ man 1 newgrp A password is demanded if the group has a password and the user is not listed in /etc/group as being a member of that group.

linux$ man 1 newgrp A password is requested if the group has a password and the user is not listed in the group file as being a member of that group.

What is the rationale for disregarding the empty password?

A traditional group looks like this: root::0: other::1:root bin::2:root,daemon sys::3:root,bin,adm adm::4:root,daemon uucp::5:root mail::6:root and is distributed via naming services like NIS. For this reason empty passwd entries are usual. While an empty passwd field in the passwd file means no passwd and grant everybody, the same in the group file means: "Do not allow newgrp". And BTW: Solaris "man group" does not agree with the behavior of the newgrp utility ;-) This is from newgrp.c /* * newgrp [-l | -] [group] * * rules * if no arg, group id in password file is used * else if group id == id in password file * else if login name is in member list * else if password is present and user knows it * else too bad */ Jörg -- EMail:joerg@schily.isdn.cs.tu-berlin.de (home) Jörg Schilling D-13353 Berlin js@cs.tu-berlin.de (uni) joerg.schilling@fokus.fraunhofer.de (work) Blog: http://schily.blogspot.com/ URL: http://cdrecord.berlios.de/private/ ftp://ftp.berlios.de/pub/schily -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Anders Johansson wrote:

On Thursday 08 October 2009 11:46:14 Bjoern Voigt wrote:

...

3) mybox:~ # grep nobody /etc/passwd /etc/shadow /etc/passwd:nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash /etc/shadow:nobody:!!:8902:0:10000::::

There is the problem, those !! things there. That should be * instead of !!

Not sure how that got in there though, on my M8 it is The problem also affects my cron jobs. Here /etc/cron.daily/leafnode can not run, because also system user "news" has a "!!" password. Changing all system user passwords from "!!" to "*" also solves this problem.

Björn Betreff: cronjob@chemnitz - daily - FAILURE Datum: Fri, 09 Oct 2009 09:48:50 +0200 Von: Administrator An: root@mybox.tld running daily cronjob scripts SCRIPT: leafnode exited with RETURNCODE = 1. SCRIPT: output (stdout && stderr) follows su: incorrect password SCRIPT: leafnode ------- END OF OUTPUT SCRIPT: output (stdout && stderr) follows Reload process accountingShutting down process accounting..done Starting process accounting..done Reload httpd2 (graceful restart)..done Reload syslog service..done SCRIPT: logrotate ------- END OF OUTPUT SCRIPT: output (stdout && stderr) follows [...] -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org