[opensuse-factory] "su nobody" fails?
After upgrading openSUSE 11.1 to openSUSE 11.2 (Milestone 8) I saw in log files that "su nobody" no longer works. Switching to nobody is used for instance during (remote) login using XDM, KDM etc.

From /var/log/xdm.errors:

(EE) Failed to load module "freetype" (module does not exist, 0)
(EE) config/hal: NewInputDeviceRequest failed (8)
(EE) config/hal: NewInputDeviceRequest failed (8)
(EE) config/hal: NewInputDeviceRequest failed (8)
Driver not XRANDR 1.2 capable, ignoring DISPLAYMANAGER_RANDR_MODE_* settings
su: incorrect password
0 items in XFree86_VT property!

"su nobody" also fails on the command line:

mybox:~ # id
uid=0(root) gid=0(root) Gruppen=0(root)
mybox:~ # su nobody
su: incorrect password

Any ideas? Here is some additional information:

1) It has nothing to do with "Apparmor" (tested with default kernel and with Apparmor-free kernel)

2) mybox:~ # passwd -S nobody
nobody LK 05/17/1994 0 10000 -1 -1

3) mybox:~ # grep nobody /etc/passwd /etc/shadow
/etc/passwd:nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
/etc/shadow:nobody:!!:8902:0:10000::::

4) mybox:~ # cat /etc/pam.d/su
#%PAM-1.0
auth     sufficient pam_rootok.so
auth     include    common-auth
account  include    common-account
password include    common-password
session  include    common-session
session  optional   pam_xauth.so

5) From /var/log/messages
Oct 8 11:39:14 mybox su: FAILED SU (to nobody) bv on /dev/pts/3

Greetings,
Björn

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Thursday 08 October 2009 11:46:14 Bjoern Voigt wrote:
3) mybox:~ # grep nobody /etc/passwd /etc/shadow
/etc/passwd:nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
/etc/shadow:nobody:!!:8902:0:10000::::

There is the problem, those !! things there. That should be * instead of !!

Not sure how that got in there though, on my M8 it is *

Anders
Anders Johansson wrote:
On Thursday 08 October 2009 11:46:14 Bjoern Voigt wrote:
3) mybox:~ # grep nobody /etc/passwd /etc/shadow
/etc/passwd:nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
/etc/shadow:nobody:!!:8902:0:10000::::
There is the problem, those !! things there. That should be * instead of !!
BTW: does the group(1) command on Suse still allow becoming a group if the file /etc/group has an empty passwd field for the related group? This would be a security risk as the traditional UNIX behavior is to disallow group(1) for groups with empty passwd fields.

Jörg

--
EMail: joerg@schily.isdn.cs.tu-berlin.de (home) Jörg Schilling D-13353 Berlin
       js@cs.tu-berlin.de (uni)
       joerg.schilling@fokus.fraunhofer.de (work) Blog: http://schily.blogspot.com/
URL: http://cdrecord.berlios.de/private/ ftp://ftp.berlios.de/pub/schily
On Oct 08, 09 13:03:43 +0200, Joerg Schilling wrote:
Anders Johansson wrote:

BTW: does the group(1) command on Suse still allow becoming a group if the file /etc/group has an empty passwd field for the related group? This would be a security risk as the traditional UNIX behavior is to disallow group(1) for groups with empty passwd fields.
SUSE does not have a group(1) command. We have groups(1) and newgrp(1) and group(5).

If you are questioning the behaviour of newgrp, yes, I believe an empty password should mean entering the group without password is permitted.

I don't have any traditional references at hand. The Solaris 5.9 man page appears to agree with our man page, they say:

solaris$ man 1 newgrp
    A password is demanded if the group has a password and the user is not listed in /etc/group as being a member of that group.

linux$ man 1 newgrp
    A password is requested if the group has a password and the user is not listed in the group file as being a member of that group.

What is the rationale for disregarding the empty password?

thanks,
JW-

--
Juergen Weigert    paint it green!    jw@suse.de    back to ascii!    0911 74053-508
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Juergen Weigert wrote:
SUSE does not have a group(1) command. We have groups(1) and newgrp(1) and group(5).
Sorry, I was talking about newgrp(1).
If you are questioning the behaviour of newgrp, yes, I believe an empty password should mean entering the group without password is permitted.
I don't have any traditional references at hand. The Solaris 5.9 man page appears to agree with our man page, they say:
solaris$ man 1 newgrp
    A password is demanded if the group has a password and the user is not listed in /etc/group as being a member of that group.

linux$ man 1 newgrp
    A password is requested if the group has a password and the user is not listed in the group file as being a member of that group.
What is the rationale for disregarding the empty password?
A traditional group looks like this:

root::0:
other::1:root
bin::2:root,daemon
sys::3:root,bin,adm
adm::4:root,daemon
uucp::5:root
mail::6:root

and is distributed via naming services like NIS. For this reason empty passwd entries are usual. While an empty passwd field in the passwd file means no passwd and grant everybody, the same in the group file means: "Do not allow newgrp".

And BTW: Solaris "man group" does not agree with the behavior of the newgrp utility ;-) This is from newgrp.c

/*
 * newgrp [-l | -] [group]
 *
 * rules
 *      if no arg, group id in password file is used
 *      else if group id == id in password file
 *      else if login name is in member list
 *      else if password is present and user knows it
 *      else too bad
 */

Jörg
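The rule chain in that newgrp.c comment, with both readings of an empty group password field selectable, as an added example. This is not code from the thread or from any newgrp implementation; the group lines are constructed in the traditional format shown above, the 'staff' password is a placeholder, and "knowing" the password is a plain boolean where a real newgrp would compare a crypt(3) hash of what the user types.

```python
"""Model the newgrp(1) rule chain quoted from newgrp.c in the message above.

Added example, not code from the thread or from any newgrp implementation.
Group lines are constructed in the traditional format shown above; the
'staff' group password is a placeholder and "knowing" it is a boolean here,
where a real newgrp would compare a crypt(3) hash of what the user types.
"""

# Constructed traditional group file: every password field empty.
TRADITIONAL_GROUP = """\
root::0:
other::1:root
bin::2:root,daemon
sys::3:root,bin,adm
adm::4:root,daemon
"""

# Constructed variant where one group carries a (placeholder) password.
GROUP_WITH_PASSWORD = """\
staff:PLACEHOLDERHASH:50:alice
lab::51:
"""


def parse_group(text: str) -> dict:
    """Parse group(5) lines into {name: {"pw", "gid", "members"}}."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw, gid, members = line.split(":", 3)
        groups[name] = {
            "pw": pw,
            "gid": int(gid),
            "members": [m for m in members.split(",") if m],
        }
    return groups


def newgrp_allowed(user, login_gid, group, groups,
                   knows_password=False, empty_means_deny=True):
    """Decide whether `user` may newgrp into `group`; returns (bool, reason).

    Follows the comment from newgrp.c:
        if no arg, group id in password file is used
        else if group id == id in password file
        else if login name is in member list
        else if password is present and user knows it
        else too bad
    The two readings of an empty password field in the thread are selectable:
    empty_means_deny=True  is the traditional UNIX semantics Jörg describes
                           ("Do not allow newgrp");
    empty_means_deny=False is the man-page reading Juergen gives, where a
                           group without a password demands none.
    """
    if group is None:
        return True, "no argument: login group from the password file is used"
    if group not in groups:
        return False, "no such group"
    g = groups[group]
    if g["gid"] == login_gid:
        return True, "group id equals the id in the password file"
    if user in g["members"]:
        return True, "login name is in the member list"
    if g["pw"] == "":
        if empty_means_deny:
            return False, "empty password field: newgrp not allowed"
        return True, "empty password field: no password demanded"
    if knows_password:
        return True, "password is present and the user knows it"
    return False, "too bad: group password required"


if __name__ == "__main__":
    trad = parse_group(TRADITIONAL_GROUP)
    for policy in (True, False):
        ok, why = newgrp_allowed("alice", 100, "sys", trad, empty_means_deny=policy)
        print(f"empty_means_deny={policy}: alice -> sys: {ok} ({why})")
```

Running it prints the one case the two posters disagree on: a user who is neither a member of 'sys' nor has it as login group is refused under the traditional reading and admitted under the man-page reading, while membership and login-group checks come out the same under both.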
Anders Johansson wrote:
On Thursday 08 October 2009 11:46:14 Bjoern Voigt wrote:
3) mybox:~ # grep nobody /etc/passwd /etc/shadow
/etc/passwd:nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
/etc/shadow:nobody:!!:8902:0:10000::::
There is the problem, those !! things there. That should be * instead of !!
Not sure how that got in there though, on my M8 it is *
Thank you. "su nobody" now works again on my openSUSE 11.2 system.

Anyway, "su" works differently in openSUSE 11.1 and 11.2. On a system with openSUSE 11.1 "su nobody" succeeds also with "nobody:!!:8902:0:10000::::" in /etc/shadow.

Do you know why some system users have a "*" (bin, daemon, ftp, ..., nobody) and others have a "!" (dhcpd, fax, haldaemon, ...)? I probably did not create or change them manually.

Greetings,
Björn
Anders Johansson wrote:
On Thursday 08 October 2009 11:46:14 Bjoern Voigt wrote:
3) mybox:~ # grep nobody /etc/passwd /etc/shadow
/etc/passwd:nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
/etc/shadow:nobody:!!:8902:0:10000::::
There is the problem, those !! things there. That should be * instead of !!
Not sure how that got in there though, on my M8 it is *

The problem also affects my cron jobs. Here /etc/cron.daily/leafnode cannot run, because the system user "news" also has a "!!" password. Changing all system user passwords from "!!" to "*" also solves this problem.
Björn
Subject: cronjob@chemnitz - daily - FAILURE
Date: Fri, 09 Oct 2009 09:48:50 +0200
From: Administrator
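The shadow password-field states this thread turns on ("*", "!", "!!" and empty) as a small audit script, covering both the question above about why some system users carry "*" and others "!", and the fix of rewriting every "!!" to "*" that restored su and the leafnode cron job. This is an added example, not code from the thread or from shadow-utils; the sample shadow lines are constructed after the ones quoted in the thread, and the hash on the root line is a placeholder.

```python
"""Audit the password field of shadow-format lines.

Added example for the thread above; it is not code from the thread or from
shadow-utils. It tells the '*' entries the posters' other system accounts
carry apart from the '!!' entries that broke "su nobody" and the leafnode
cron job, and can rewrite '!!' to '*' the way the poster did by hand.
"""
import sys
from typing import NamedTuple


class ShadowEntry(NamedTuple):
    name: str
    field: str
    state: str


# Constructed sample modelled on the lines quoted in the thread; not a real
# system's file. The root hash is a placeholder, not a real crypt(3) hash.
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDER$notarealhash:14500:0:99999:7:::
bin:*:8902:0:10000::::
daemon:*:8902:0:10000::::
nobody:!!:8902:0:10000::::
news:!!:8902:0:10000::::
dhcpd:!:8902:0:10000::::
guest::14500:0:99999:7:::
"""


def classify(field: str) -> str:
    """Name the state a shadow password field is in.

    ''     -> "empty": no password at all, anyone can authenticate as the user
    '*'    -> "star": not a valid hash, password login impossible (what the
              'bin', 'daemon', ... entries and Anders' M8 'nobody' entry have)
    '!!'   -> "double-bang": the value on the upgraded 11.2 system that made
              su and cron fail in the thread
    '!...' -> "locked": shadow-utils convention, 'passwd -l' prepends '!'
    other  -> "hashed": an actual password hash
    """
    if field == "":
        return "empty"
    if field == "*":
        return "star"
    if field == "!!":
        return "double-bang"
    if field.startswith("!"):
        return "locked"
    return "hashed"


def parse_shadow(text: str) -> list:
    """Parse shadow(5) lines; fields are colon separated, name first."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        entries.append(ShadowEntry(parts[0], parts[1], classify(parts[1])))
    return entries


def accounts_in_state(text: str, state: str) -> list:
    """Account names whose password field is in the given state."""
    return [e.name for e in parse_shadow(text) if e.state == state]


def rewrite_double_bang(text: str) -> str:
    """Return the file with every '!!' password field replaced by '*',
    the change the poster reports fixed both su and his cron job."""
    out = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[1] == "!!":
            parts[1] = "*"
        out.append(":".join(parts))
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    # Usage: python shadow_audit.py [/etc/shadow]  (root is needed to read it)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for e in parse_shadow(data):
        print(f"{e.name:<12} {e.state:<12} {e.field[:16]}")
    bad = accounts_in_state(data, "double-bang")
    if bad:
        print("accounts with '!!':", ", ".join(bad))
```

Run against a real shadow file it only reports; write the output of rewrite_double_bang back yourself (or use passwd/usermod) after checking the list, since the script makes no judgement about which accounts were supposed to be locked with "!".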