Your message dated Sun, 16 Mar 2008 09:32:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#446327: fixed in pam 0.99.7.1-6
has caused the Debian Bug report #446327,
regarding pam_tally audit option locks out root
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
446327: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=446327
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: libpam-modules
Version: 0.79-4
Severity: important
Tags: patch

this problem was detected on fedora 7, debugged & patched on debian etch,
and reported from lenny/testing, but the problem is applicable to all
distributions as the problem exists in the latest upstream version
(Linux-PAM 0.99.9.0).  please relay this to upstream.

if a user specifies the "audit" option, then it also triggers the
"even_deny_root_account" option.  why?  the audit option is defined as
decimal 100, not octal 100, which evaluates to true when bit-wise and-ed
with even_deny_root (and no_reset).

attached patch corrects the simple oversight.

i was tempted to give this a severity of "serious" because i can see some
unfortunate user getting locked out of their host at a remote data center
because all available accounts, including root, are denied login due to a
brute force attack.

but the severity should be irrelevant and a newly updated package pushed
out to all debian versions rather quickly as the problem is easily solved
with the attached patch, right? :-D

corey
-- 
[EMAIL PROTECTED]
--- Linux-PAM/modules/pam_tally/pam_tally.c~	2007-10-12 01:49:15.000000000 +0000
+++ Linux-PAM/modules/pam_tally/pam_tally.c	2007-10-12 03:26:04.000000000 +0000
@@ -95,7 +95,7 @@ struct tally_options {
 #define OPT_PER_USER			 010
 #define	OPT_NO_LOCK_TIME		 020
 #define OPT_NO_RESET			 040
-#define OPT_AUDIT                        100
+#define OPT_AUDIT                       0100
 
 
 /*---------------------------------------------------------------------*/
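Review bot: the one-character fix is correct, but the hunk would benefit from a comment explaining why, since decimal 100 is 0144 octal, i.e. 0100|040|04, so the old OPT_AUDIT also set OPT_NO_RESET (040) and the 04 bit the report identifies as even_deny_root; to keep this class of mistake from recurring, consider defining the whole family as shifts, e.g. `#define OPT_AUDIT (1 << 6)`, and match the neighbouring lines' tab alignment instead of the run of spaces in the replaced line.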

--- End Message ---
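The bit overlap described in the report above, as an added example that is not code from the bug report or from pam_tally itself: a toy pam_tally-style option parser evaluated once with the decimal audit constant and once with the octal one. OPT_DENY_ROOT is assumed to be 04, the bit below the 010/020/040 shown in the hunk.

```c
#include <stdio.h>
#include <string.h>

/* Option bits laid out as in pam_tally.c (octal). OPT_DENY_ROOT = 04 is an
 * assumption; the hunk in the report only shows 010, 020 and 040. */
#define OPT_DENY_ROOT      04
#define OPT_PER_USER      010
#define OPT_NO_LOCK_TIME  020
#define OPT_NO_RESET      040
#define OPT_AUDIT_BUGGY   100   /* decimal 100 == 0144 == 0100 | 040 | 04 */
#define OPT_AUDIT_FIXED  0100   /* the intended single bit */

/* Parse a space-separated pam_tally argument string into a flag word, using
 * audit_bit as the value OR-ed in for "audit". Only the options relevant to
 * the bug are recognised; deny=N, lock_time=N etc. leave these bits alone. */
unsigned parse_opts(const char *args, unsigned audit_bit)
{
    unsigned opts = 0;
    char buf[256];
    strncpy(buf, args, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        if (!strcmp(tok, "even_deny_root_account")) opts |= OPT_DENY_ROOT;
        else if (!strcmp(tok, "per_user"))          opts |= OPT_PER_USER;
        else if (!strcmp(tok, "no_lock_time"))      opts |= OPT_NO_LOCK_TIME;
        else if (!strcmp(tok, "no_reset"))          opts |= OPT_NO_RESET;
        else if (!strcmp(tok, "audit"))             opts |= audit_bit;
    }
    return opts;
}

/* Mirrors the module's root check: with deny=N reached, is root locked too? */
int root_denied(unsigned opts)
{
    return (opts & OPT_DENY_ROOT) != 0;
}

int main(void)
{
    unsigned buggy = parse_opts("deny=3 audit", OPT_AUDIT_BUGGY);
    unsigned fixed = parse_opts("deny=3 audit", OPT_AUDIT_FIXED);
    printf("buggy: opts=%#o root_denied=%d no_reset=%d\n",
           buggy, root_denied(buggy), (buggy & OPT_NO_RESET) != 0);
    printf("fixed: opts=%#o root_denied=%d no_reset=%d\n",
           fixed, root_denied(fixed), (fixed & OPT_NO_RESET) != 0);
    return 0;
}
```

With the decimal constant, "deny=3 audit" alone yields 0144, so root is denied and no_reset is silently active; with 0100 only the audit bit is set.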
--- Begin Message ---
Source: pam
Source-Version: 0.99.7.1-6

We believe that the bug you reported is fixed in the latest version of
pam, which is due to be installed in the Debian FTP archive:

libpam-cracklib_0.99.7.1-6_amd64.deb
  to pool/main/p/pam/libpam-cracklib_0.99.7.1-6_amd64.deb
libpam-doc_0.99.7.1-6_all.deb
  to pool/main/p/pam/libpam-doc_0.99.7.1-6_all.deb
libpam-modules_0.99.7.1-6_amd64.deb
  to pool/main/p/pam/libpam-modules_0.99.7.1-6_amd64.deb
libpam-runtime_0.99.7.1-6_all.deb
  to pool/main/p/pam/libpam-runtime_0.99.7.1-6_all.deb
libpam0g-dev_0.99.7.1-6_amd64.deb
  to pool/main/p/pam/libpam0g-dev_0.99.7.1-6_amd64.deb
libpam0g_0.99.7.1-6_amd64.deb
  to pool/main/p/pam/libpam0g_0.99.7.1-6_amd64.deb
pam_0.99.7.1-6.diff.gz
  to pool/main/p/pam/pam_0.99.7.1-6.diff.gz
pam_0.99.7.1-6.dsc
  to pool/main/p/pam/pam_0.99.7.1-6.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <[EMAIL PROTECTED]> (supplier of updated pam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])



Format: 1.7
Date: Sun, 16 Mar 2008 02:06:28 -0700
Source: pam
Binary: libpam0g libpam-modules libpam-runtime libpam0g-dev libpam-cracklib libpam-doc
Architecture: source all amd64
Version: 0.99.7.1-6
Distribution: unstable
Urgency: low
Maintainer: Steve Langasek <[EMAIL PROTECTED]>
Changed-By: Steve Langasek <[EMAIL PROTECTED]>
Description: 
 libpam-cracklib - PAM module to enable cracklib support
 libpam-doc - Documentation of PAM
 libpam-modules - Pluggable Authentication Modules for PAM
 libpam-runtime - Runtime support for the PAM library
 libpam0g   - Pluggable Authentication Modules library
 libpam0g-dev - Development files for PAM
Closes: 444437 444479 444566 444758 445022 445869 446327 446584 448930 457042 457674 458264
Changes: 
 pam (0.99.7.1-6) unstable; urgency=low
 .
   * Debconf translations:
     - Updated Vietnamese, thanks to Clytie Siddall <[EMAIL PROTECTED]>
       (closes: #444437)
     - Updated Spanish, thanks to Javier Fernández-Sanguino Peña
       <[EMAIL PROTECTED]> (closes: #444479)
     - Updated German, thanks to Sven Joachim <[EMAIL PROTECTED]>
       (closes: #444566)
     - Galician, thanks to Jacobo Tarrio <[EMAIL PROTECTED]> (closes: #444758)
     - Updated Czech, thanks to Miroslav Kure <[EMAIL PROTECTED]>
       (closes: #445022)
     - French, thanks to Cyril Brulebois <[EMAIL PROTECTED]>
       (closes: #445869)
     - Japanese, thanks to Kenshi Muto <[EMAIL PROTECTED]> (closes: #446584)
     - Dutch, thanks to Bart Cornelis <[EMAIL PROTECTED]> (closes: #448930)
     - Basque, thanks to Piarres Beobide <[EMAIL PROTECTED]> (closes: #457042)
     - Updated Finnish, thanks to Esko Arajärvi <[EMAIL PROTECTED]>
       (closes: #458264)
     - Swedish, thanks to Christer Andersson <[EMAIL PROTECTED]>
       (closes: #457674)
   * Make sure the "audit" option is specified in octal instead of in decimal,
     so that it doesn't randomly set other options.  Thanks to Corey Wright
     <[EMAIL PROTECTED]> for the catch.  Closes: #446327.
Files: 




--- End Message ---