[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: rawhide report: 20070120 changes



On Mon, 2007-01-22 at 07:21 +0100, Bernardo Innocenti wrote:
> On Saturday 20 January 2007 12:27, buildsys redhat com wrote:
> 
> > pam-0.99.7.0-1.fc7
> > ------------------
> > * Fri Jan 19 2007 Tomas Mraz <tmraz redhat com> 0.99.7.0-1
> > - upgrade to new upstream version
> > - drop pam_stack module as it is obsolete
> > - some changes to silence rpmlint
> 
> Is it just me or after this update anybody and his dog can
> login without typing a valid password in any account?
> 
> See:
> 
>  bernie bender:~$ su - openwrt
>  Password: <type anything>
>  openwrt bender:~$
>  openwrt bender:~$ logout
>  openwrt bender:~$ logout
>  bender:/etc/pam.d# grep openwrt /etc/passwd /etc/shadow 
>  /etc/passwd:openwrt:x:501:501:openwrt compiler:/usr/local/src/openwrt:/bin/bash
>  /etc/shadow:openwrt:!!:13529::::::
> 
> I've installed this update yesterday in the evening and today
> there were already rootkits and irc bots everywhere :)
> 
Well it is not just you. And I am ashamed I didn't catch this problem
when reviewing changes in new upstream version. :( It won't allow anyone
to any account but only accounts with only two characters in passwd
field - like !! and similar. It is very serious anyway.
Should be fixed in pam-0.99.7.0-2.fc7.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]