rawhide report: 20070120 changes
Tomas Mraz
tmraz at redhat.com
Mon Jan 22 13:10:48 UTC 2007
On Mon, 2007-01-22 at 07:21 +0100, Bernardo Innocenti wrote:
> On Saturday 20 January 2007 12:27, buildsys at redhat.com wrote:
>
> > pam-0.99.7.0-1.fc7
> > ------------------
> > * Fri Jan 19 2007 Tomas Mraz <tmraz at redhat.com> 0.99.7.0-1
> > - upgrade to new upstream version
> > - drop pam_stack module as it is obsolete
> > - some changes to silence rpmlint
>
> Is it just me, or after this update can anybody and his dog log in
> to any account without typing a valid password?
>
> See:
>
> bernie at bender:~$ su - openwrt
> Password: <type anything>
> openwrt at bender:~$
> openwrt at bender:~$ logout
> openwrt at bender:~$ logout
> bender:/etc/pam.d# grep openwrt /etc/passwd /etc/shadow
> /etc/passwd:openwrt:x:501:501:openwrt compiler:/usr/local/src/openwrt:/bin/bash
> /etc/shadow:openwrt:!!:13529::::::
>
> I installed this update yesterday evening, and today
> there were already rootkits and irc bots everywhere :)
>
Well, it is not just you. And I am ashamed I didn't catch this problem
when reviewing the changes in the new upstream version. :( It won't allow anyone
into any account, only into accounts with just two characters in the passwd
field, like !! and similar. It is very serious anyway.
It should be fixed in pam-0.99.7.0-2.fc7.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb