Re: rawhide report: 20070120 changes
- From: Bernardo Innocenti <bernie develer com>
- To: Tomas Mraz <tmraz redhat com>
- Cc: fedora-devel-list redhat com, fedora-test-list redhat com, buildsys redhat com
- Subject: Re: rawhide report: 20070120 changes
- Date: Mon, 22 Jan 2007 07:21:22 +0100
On Saturday 20 January 2007 12:27, buildsys redhat com wrote:
> pam-0.99.7.0-1.fc7
> ------------------
> * Fri Jan 19 2007 Tomas Mraz <tmraz redhat com> 0.99.7.0-1
> - upgrade to new upstream version
> - drop pam_stack module as it is obsolete
> - some changes to silence rpmlint
Is it just me, or after this update can anybody and his dog
log in without typing a valid password in any account?
See:
bernie bender:~$ su - openwrt
Password: <type anything>
openwrt bender:~$
openwrt bender:~$ logout
openwrt bender:~$ logout
bender:/etc/pam.d# grep openwrt /etc/passwd /etc/shadow
/etc/passwd:openwrt:x:501:501:openwrt compiler:/usr/local/src/openwrt:/bin/bash
/etc/shadow:openwrt:!!:13529::::::
I installed this update yesterday evening, and today
there were already rootkits and irc bots everywhere :)
My /etc/pam.d/system-auth looks sane to me:
---cut---
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
---cut---
--
// Bernardo Innocenti
\X/ bernie codewiz org
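
Added example, not part of the original message: a small evaluator that walks the auth lines of the system-auth file quoted above using the documented PAM control-flag semantics (required, requisite, sufficient). The module outcomes are constructed inputs supplied by the caller and the function names are hypothetical; no real PAM module is invoked.

```python
# Auth stack copied from the system-auth quoted in the message.
AUTH_STACK = [
    ("required",   "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("requisite",  "pam_succeed_if.so"),   # uid >= 500 quiet
    ("required",   "pam_deny.so"),
]

def module_results(uid, password_ok):
    """Constructed module outcomes for one login attempt (assumption:
    pam_env succeeds, pam_deny always fails, pam_succeed_if tests uid >= 500)."""
    return {
        "pam_env.so": True,
        "pam_unix.so": password_ok,
        "pam_succeed_if.so": uid >= 500,
        "pam_deny.so": False,
    }

def evaluate(stack, results):
    """Return (granted, deciding_module) for an auth stack.

    required   : failure is remembered, processing continues
    requisite  : failure ends processing immediately with denial
    sufficient : success ends processing with a grant, unless a
                 required module failed earlier; failure is ignored
    """
    first_failure = None
    for control, module in stack:
        if results[module]:
            if control == "sufficient" and first_failure is None:
                return True, module
            continue
        if control in ("required", "requisite"):
            first_failure = first_failure or module
            if control == "requisite":
                return False, first_failure
    if first_failure is not None:
        return False, first_failure
    return True, None

if __name__ == "__main__":
    # uid 501 is the openwrt account from the message.
    for uid, ok in [(501, False), (501, True), (0, False)]:
        print(uid, ok, evaluate(AUTH_STACK, module_results(uid, ok)))
```

With this stack an attempt is granted only when pam_unix.so itself reports success, so the quoted auth lines alone do not let a wrong password through.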