Your message dated Wed, 27 Sep 2023 07:11:14 +0000
with message-id <e1qlohw-00c45p...@fasolo.debian.org>
and subject line Bug#1041547: fixed in shadow 1:4.13+dfsg1-2
has caused the Debian Bug report #1041547,
regarding login: I can login as root without password despite it being forbidden
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1041547: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041547
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: login
Version: 1:4.13+dfsg1-1+b1
Severity: serious
X-Debbugs-Cc: ircu...@gmail.com

Dear Maintainer,

On a newly installed Debian bookworm /usr/share/doc/passwd/NEWS.Debian.gz 
mentions a new PREVENT_NO_AUTH option that is supposed to prevent login to 
passwordless accounts.

The option is found in /etc/login.defs and has the default value:
PREVENT_NO_AUTH superuser

I removed root password using `passwd -d root` so that `grep root /etc/shadow` 
reads:
root::19519:0:99999:7:::

I can now log in to root on a tty just by typing root as the login name. I can 
also log in to root just by typing `su` from a regular user account. 
"PREVENT_NO_AUTH superuser" has no effect.

I then changed the option to "PREVENT_NO_AUTH yes", which is supposed to 
prevent all passwordless account login.

I created a new user account `useradd -m -s /bin/bash testuser` and deleted its 
password `passwd -d testuser`. If I run `grep testuser /etc/shadow` it reads:
testuser::19558:0:99999:7:::

I can now also log in to this account on a tty without any password. `su 
newuser` also doesn't need any password. I can also still log in to the root 
account by doing `su`.

https://sources.debian.org/src/shadow/1:4.13+dfsg1-1/src/su.c/?hl=504#L504

and

https://sources.debian.org/src/shadow/1:4.13+dfsg1-1/src/login.c/?hl=980#L980

indicate that this should not be possible. It looks like PREVENT_NO_AUTH 
doesn't do anything at all.

This was replicated on IRC by another user too.


-- System Information:
Debian Release: 12.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-9-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages login depends on:
ii  libaudit1       1:3.0.9-1
ii  libc6           2.36-9
ii  libcrypt1       1:4.4.33-2
ii  libpam-modules  1.5.2-6
ii  libpam-runtime  1.5.2-6
ii  libpam0g        1.5.2-6

login recommends no packages.

login suggests no packages.

-- Configuration Files:
/etc/login.defs changed:
MAIL_DIR        /var/mail
FAILLOG_ENAB            yes
LOG_UNKFAIL_ENAB        no
LOG_OK_LOGINS           no
SYSLOG_SU_ENAB          yes
SYSLOG_SG_ENAB          yes
FTMP_FILE       /var/log/btmp
SU_NAME         su
HUSHLOGIN_FILE  .hushlogin
ENV_SUPATH      PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH        PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
TTYGROUP        tty
TTYPERM         0600
ERASECHAR       0177
KILLCHAR        025
UMASK           022
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
UID_MIN                  1000
UID_MAX                 60000
SUB_UID_MIN                100000
SUB_UID_MAX             600100000
SUB_UID_COUNT               65536
GID_MIN                  1000
GID_MAX                 60000
SUB_GID_MIN                100000
SUB_GID_MAX             600100000
SUB_GID_COUNT               65536
LOGIN_RETRIES           5
LOGIN_TIMEOUT           60
CHFN_RESTRICT           rwh
DEFAULT_HOME    yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
NONEXISTENT     /nonexistent
PREVENT_NO_AUTH yes


-- no debconf information

--- End Message ---
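The practical takeaway from the report and the maintainer's changelog entry is that, on Debian, the PREVENT_NO_AUTH setting in /etc/login.defs does not control authentication: whether an account with an empty password field in /etc/shadow can log in is decided by the PAM stack (pam_unix with the nullok option) rather than by login.defs. The following POSIX shell audit is an added example written for this page; it is not code from the bug report or from the shadow package. It runs over a constructed shadow(5)-style file and a constructed common-auth fragment embedded inline, so it works offline; the function names are the editor's own, and the claim that nullok on the pam_unix auth line is what admits an empty password is the editor's assumption about the PAM configuration, not something the report itself states.

```sh
#!/bin/sh
# Audit a shadow(5)-format file for accounts whose password field is empty.
# Constructed sample input (not a real /etc/shadow); the root and testuser
# lines mirror the ones quoted in the bug report.
SAMPLE_SHADOW="$(mktemp)"
cat > "$SAMPLE_SHADOW" <<'EOF'
root::19519:0:99999:7:::
daemon:*:19519:0:99999:7:::
testuser::19558:0:99558:7:::
alice:$6$saltsalt$notarealhashnotarealhash:19558:0:99999:7:::
bob:!:19558:0:99999:7:::
EOF

# Print the names of accounts whose second field is empty.
# "*" or "!" in that field means the account is locked for password
# authentication; an empty field is different, because pam_unix accepts
# an empty password for it when the auth line carries nullok (assumption).
find_passwordless() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Count passwordless accounts, e.g. for a non-zero exit in a cron/CI check.
count_passwordless() {
    find_passwordless "$1" | wc -l | tr -d ' '
}

# Return 0 if a PAM config file has a pam_unix auth line that permits empty
# passwords. The pattern also matches the older nullok_secure spelling,
# which likewise permits empty passwords (on ttys listed in /etc/securetty).
pam_allows_nullok() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_unix\.so.*nullok' "$1"
}

# Constructed /etc/pam.d/common-auth fragment (hypothetical, for the demo).
SAMPLE_PAM="$(mktemp)"
cat > "$SAMPLE_PAM" <<'EOF'
# constructed common-auth fragment
auth	[success=1 default=ignore]	pam_unix.so nullok
auth	requisite			pam_deny.so
auth	required			pam_permit.so
EOF

# Against a live system (reading /etc/shadow needs root):
#   find_passwordless /etc/shadow
#   pam_allows_nullok /etc/pam.d/common-auth && echo "empty passwords are accepted by pam_unix"
find_passwordless "$SAMPLE_SHADOW"
```

Locking a flagged account (`passwd -l`) or removing `nullok` from the pam_unix auth line are the two remediations this check points at; editing PREVENT_NO_AUTH in login.defs is not one of them on this system.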
--- Begin Message ---
Source: shadow
Source-Version: 1:4.13+dfsg1-2
Done: Balint Reczey <bal...@balintreczey.hu>

We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1041...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Balint Reczey <bal...@balintreczey.hu> (supplier of updated shadow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 26 Sep 2023 22:01:52 +0200
Source: shadow
Built-For-Profiles: noudeb
Architecture: source
Version: 1:4.13+dfsg1-2
Distribution: unstable
Urgency: medium
Maintainer: Shadow package maintainers <pkg-shadow-de...@lists.alioth.debian.org>
Changed-By: Balint Reczey <bal...@balintreczey.hu>
Closes: 1034482 1040064 1041547 1051062 1051827
Changes:
 shadow (1:4.13+dfsg1-2) unstable; urgency=medium
 .
   [ Balint Reczey ]
   * debian/gitlab-ci.yml: Use sudo to fix reprotest test
   * debian/login.pam: Drop reference to Debian Etch (Closes: #1040064)
   * debian/NEWS: Fix false claim about PREVENT_NO_AUTH affecting authentication.
     Also drop setting PREVENT_NO_AUTH in shipped login.defs. (Closes: #1041547)
   * Cherry-pick upstream patch to fix gpasswd passwd leak
     (CVE-2023-4641) (Closes: #1051062)
   * Cherry-pick upstream patch to fix chfn vulnerability allowing injection of
     control characters into some /etc/passwd fields.
     (CVE-2023-29383) (Closes: #1034482)
 .
   [ Gioele Barabucci ]
   * Support <nodoc> build profile
     `xsltproc`, `docbook` and all other XML-related packages are not needed
     when the `<nodoc>` build profile is active, as long as `./configure` is
     called with `--disable-man`. (Closes: #1051827)
Checksums-Sha1:
 c296cd50c74c5b50d050e1ac23085ac10ea87b83 2447 shadow_4.13+dfsg1-2.dsc
 62928d4593fc88611ac506f4e7c0c8e2cd2a1d12 82300 shadow_4.13+dfsg1-2.debian.tar.xz
 d439a6fd94c942288dabd2be42bd002f122c85ce 8923 shadow_4.13+dfsg1-2_source.buildinfo
Checksums-Sha256:
 cac949c2071dc8955c3fff22e4a113a700b9f68a01b7583b64cfae55c2b2e678 2447 shadow_4.13+dfsg1-2.dsc
 0f59c95526a4dc89c70b2fee357f05617d4572c6e94537d21019eed7a22471c6 82300 shadow_4.13+dfsg1-2.debian.tar.xz
 8081d4dde05a7a5f3f4649e4a1ceade8631256a36a83135de91fd3726baf030d 8923 shadow_4.13+dfsg1-2_source.buildinfo
Files:
 f39e733513794a93703ebeee93a1aab7 2447 admin required shadow_4.13+dfsg1-2.dsc
 091889878b164ff691ac7ba7c4d4b984 82300 admin required shadow_4.13+dfsg1-2.debian.tar.xz
 2aa00609c93a76c74c646e8c1399570e 8923 admin required shadow_4.13+dfsg1-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---