Your message dated Wed, 27 Sep 2023 07:11:14 +0000
with message-id <e1qlohw-00c45p...@fasolo.debian.org>
and subject line Bug#1041547: fixed in shadow 1:4.13+dfsg1-2
has caused the Debian Bug report #1041547,
regarding login: I can login as root without password despite it being forbidden
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1041547: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041547
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: login
Version: 1:4.13+dfsg1-1+b1
Severity: serious
X-Debbugs-Cc: ircu...@gmail.com
Dear Maintainer,

On a newly installed Debian bookworm, /usr/share/doc/passwd/NEWS.Debian.gz
mentions a new PREVENT_NO_AUTH option that is supposed to prevent login to
passwordless accounts.

The option is found in /etc/login.defs and has the default value:

    PREVENT_NO_AUTH superuser

I removed the root password using `passwd -d root` so that `grep root /etc/shadow`
reads:

    root::19519:0:99999:7:::

I can now log in to root on a tty just by typing root as the login name. I can
also log in to root just by typing `su` from a regular user account.
"PREVENT_NO_AUTH superuser" has no effect.

I then changed the option to "PREVENT_NO_AUTH yes", which is supposed to
prevent all passwordless account logins.

I created a new user account with `useradd -m -s /bin/bash testuser` and deleted its
password with `passwd -d testuser`. If I run `grep testuser /etc/shadow` it reads:

    testuser::19558:0:99999:7:::

I can now also log in to this account on a tty without any password. `su
newuser` also doesn't need any password. I can also still log in to the root
account by doing `su`.

https://sources.debian.org/src/shadow/1:4.13+dfsg1-1/src/su.c/?hl=504#L504
and
https://sources.debian.org/src/shadow/1:4.13+dfsg1-1/src/login.c/?hl=980#L980
indicate that this should not be possible. It looks like PREVENT_NO_AUTH
doesn't do anything at all.

This was replicated on IRC by another user too.
This was replicated on IRC by another user too.
-- System Information:
Debian Release: 12.0
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-9-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages login depends on:
ii libaudit1 1:3.0.9-1
ii libc6 2.36-9
ii libcrypt1 1:4.4.33-2
ii libpam-modules 1.5.2-6
ii libpam-runtime 1.5.2-6
ii libpam0g 1.5.2-6
login recommends no packages.
login suggests no packages.
-- Configuration Files:
/etc/login.defs changed:
MAIL_DIR /var/mail
FAILLOG_ENAB yes
LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
FTMP_FILE /var/log/btmp
SU_NAME su
HUSHLOGIN_FILE .hushlogin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
TTYGROUP tty
TTYPERM 0600
ERASECHAR 0177
KILLCHAR 025
UMASK 022
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
SUB_UID_MIN 100000
SUB_UID_MAX 600100000
SUB_UID_COUNT 65536
GID_MIN 1000
GID_MAX 60000
SUB_GID_MIN 100000
SUB_GID_MAX 600100000
SUB_GID_COUNT 65536
LOGIN_RETRIES 5
LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
DEFAULT_HOME yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
NONEXISTENT /nonexistent
PREVENT_NO_AUTH yes
-- no debconf information
--- End Message ---
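One way to audit for the condition the report describes, as an added example that is not code from the report or from the shadow package: it parses shadow(5)-format records (the two records quoted in the report are embedded below as constructed sample input, alongside a placeholder hashed account and two locked accounts) and flags every account with an empty password field. The `policy` argument is this example's own mirror of the PREVENT_NO_AUTH values the reporter describes, since the maintainer's changelog confirms the real login.defs setting does not affect authentication and the check therefore has to be made independently of it.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample input: the two records quoted in the report plus a hashed
# account (placeholder hash, not real), a '*' account and a '!' (locked) account.
SAMPLE_SHADOW = """\
root::19519:0:99999:7:::
daemon:*:19519:0:99999:7:::
alice:$6$saltsalt$placeholder_not_a_real_hash:19519:0:99999:7:::
testuser::19558:0:99999:7:::
bob:!:19519:0:99999:7:::
"""

@dataclass
class Finding:
    user: str
    reason: str

def password_state(field: str) -> str:
    """Coarse state of a shadow password field."""
    if field == "":
        return "empty"      # login/su accept this account with no password
    if field.startswith(("!", "*")):
        return "locked"     # '!' set by passwd -l; '*' means no password login
    return "hashed"

def audit_shadow(text: str, policy: str = "yes") -> List[Finding]:
    """Flag accounts with an empty password field.

    `policy` mirrors the PREVENT_NO_AUTH values the report describes:
    "superuser" flags only root, "yes" flags every account, "no" flags none.
    This is the example's own check; the real login.defs setting is not
    enforced by the login/su of the reported version.
    """
    if policy == "no":
        return []
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:       # shadow(5) records have exactly nine fields
            findings.append(Finding(fields[0], f"line {lineno}: malformed record"))
            continue
        user, pw = fields[0], fields[1]
        if password_state(pw) == "empty" and (policy == "yes" or user == "root"):
            findings.append(Finding(user, "empty password field: passwordless login"))
    return findings
```

Run it against the real file with `audit_shadow(open("/etc/shadow").read())` as root; on the reporter's system it would list both root and testuser.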
--- Begin Message ---
Source: shadow
Source-Version: 1:4.13+dfsg1-2
Done: Balint Reczey <bal...@balintreczey.hu>
We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1041...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Balint Reczey <bal...@balintreczey.hu> (supplier of updated shadow package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Tue, 26 Sep 2023 22:01:52 +0200
Source: shadow
Built-For-Profiles: noudeb
Architecture: source
Version: 1:4.13+dfsg1-2
Distribution: unstable
Urgency: medium
Maintainer: Shadow package maintainers <pkg-shadow-de...@lists.alioth.debian.org>
Changed-By: Balint Reczey <bal...@balintreczey.hu>
Closes: 1034482 1040064 1041547 1051062 1051827
Changes:
shadow (1:4.13+dfsg1-2) unstable; urgency=medium
  .
  [ Balint Reczey ]
  * debian/gitlab-ci.yml: Use sudo to fix reprotest test
  * debian/login.pam: Drop reference to Debian Etch (Closes: #1040064)
  * debian/NEWS: Fix false claim about PREVENT_NO_AUTH affecting
    authentication.
    Also drop setting PREVENT_NO_AUTH in shipped login.defs. (Closes: #1041547)
  * Cherry-pick upstream patch to fix gpasswd passwd leak
    (CVE-2023-4641) (Closes: #1051062)
  * Cherry-pick upstream patch to fix chfn vulnerability allowing injection of
    control characters into some /etc/passwd fields.
    (CVE-2023-29383) (Closes: #1034482)
  .
  [ Gioele Barabucci ]
  * Support <nodoc> build profile
    `xsltproc`, `docbook` and all other XML-related packages are not needed
    when the `<nodoc>` build profile is active, as long as `./configure` is
    called with `--disable-man`. (Closes: #1051827)
--- End Message ---