Re: Cron jobs and root account locked on Lenny
Alexander Fortin wrote the following on 24.07.2008 23:09

/snip debug

Hi,

want to comment on the bug report? Be my guest:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492307

--
bye Thilo

key: 0x4A411E09

Re: Cron jobs and root account locked on Lenny
On Jul 23, 6:50 pm, Andrei Popescu [EMAIL PROTECTED] wrote:
> > I partially agree with the uselessness of the feature, but Debian
> > installer is asking if you want to allow root login or not, so I'm
>
> Only in expert mode ;)

Uhm... well I always find it difficult to define what a (Debian) expert needs to know to be called so... Anyway, can you manually partition disks with raid and lvm stuff when you are not in expert mode? 'Cause actually it's the only expert thing I need to do at install time :D

> I'm not an expert, but a quick read through passwd(1) says account
> expiry should be set to '1', while your 'passwd -S' shows '-1', just
> like a normal account. How about trying to lock it again?

Lock-unlock doesn't work

On Jul 23, 8:10 pm, Sven Joachim [EMAIL PROTECTED] wrote:
> A comment in that bug suggests using usermod --lock root to lock the
> root account, that does seem to work.

Yep, using usermod instead of passwd seems to work fine! So, to report a bug or not to? Which mailing list?

Alex

Re: Cron jobs and root account locked on Lenny
Alexander Fortin wrote the following on 24.07.2008 10:03

/snip

> Yep, using usermod instead of passwd seems to work fine! So, to report
> a bug or not to? Which mailing list?

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=389183

> Alex

HTH

--
bye Thilo

key: 0x4A411E09

Re: Cron jobs and root account locked on Lenny
On Thu,24.Jul.08, 11:06:47, Thilo Six wrote:
> Alexander Fortin wrote the following on 24.07.2008 10:03
>
> /snip
>
> > Yep, using usermod instead of passwd seems to work fine! So, to
> > report a bug or not to? Which mailing list?
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=389183

Interesting, the manpage passwd(1) says that 'passwd -l' should also set account expiry to 1, but it doesn't. Either passwd or the manpage is wrong, so I think this should be reported against the package passwd.

Regards,
Andrei
--
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)

Re: Cron jobs and root account locked on Lenny
Hi,

Andrei Popescu [EMAIL PROTECTED] writes:
> Interesting, the manpage passwd(1) says that 'passwd -l' should also
> set account expiry to 1, but it doesn't. Either passwd or the manpage
> is wrong, so I think this should be reported against the package
> passwd.

It sets a value to 1 in my /etc/shadow when I last used it. I assume that would be the expiry field? I've got passwd 1:4.1.1-2 installed (from testing).

Regards,
Ansgar

--
PGP: 1024D/595FAD19 739E 2D09 0969 BEA9 9797 B055 DDB0 2FF7 595F AD19

Re: Cron jobs and root account locked on Lenny
Andrei Popescu wrote the following on 24.07.2008 18:28

/snip

--- man 1 passwd -
-l, --lock
    Lock the named account. This option disables an account by
    changing the password to a value which matches no possible
    encrypted value, and by setting the account expiry field to 1.
-

> Interesting, the manpage passwd(1) says that 'passwd -l' should also
> set account expiry to 1, but it doesn't. Either passwd or the manpage
> is wrong, so I think this should be reported against the package
> passwd.
>
> Regards,
> Andrei

well here it does. Tested with both Debian lenny and Ubuntu hardy.
Which version do you use?

If you have a locked account without that expiry and use either of the above just 'lock' that account again and then take a look at /etc/shadow.

--
bye Thilo

key: 0x4A411E09

Re: Cron jobs and root account locked on Lenny
On Thu,24.Jul.08, 18:47:20, Thilo Six wrote:
> well here it does. Tested with both Debian lenny and Ubuntu hardy.
> Which version do you use?

I'm not the OP.

Regards,
Andrei
--
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)

Re: Cron jobs and root account locked on Lenny
Andrei Popescu wrote the following on 24.07.2008 22:04
> > well here it does. Tested with both Debian lenny and Ubuntu hardy.
> > Which version do you use?
>
> I'm not the OP.
>
> Regards,
> Andrei

I think that doesn't matter in this regard.
You have said your passwd doesn't behave as mentioned in the manpage, which would be clearly a bug.
I said I can reproduce exactly the behaviour mentioned in the manpage and am therefore seeking an explanation of that divergence, which resulted in the question which version you use.

--
bye Thilo

key: 0x4A411E09

Re: Cron jobs and root account locked on Lenny
On Thu,24.Jul.08, 22:35:01, Thilo Six wrote:
> Andrei Popescu wrote the following on 24.07.2008 22:04
> > > well here it does. Tested with both Debian lenny and Ubuntu hardy.
> > > Which version do you use?
> >
> > I'm not the OP.
> >
> > Regards,
> > Andrei
>
> I think that doesn't matter in this regard.
> You have said your passwd doesn't behave as mentioned in the manpage,
> which would be clearly a bug.

I never said *my* passwd doesn't lock, but the OP confirmed that his doesn't but usermod does. I just tested and on my machine 'passwd -l' and 'usermod -L' have the same effect, at least in the /etc/shadow file.

Regards,
Andrei
--
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)

Re: Cron jobs and root account locked on Lenny
On Jul 24, 6:50 pm, Thilo Six [EMAIL PROTECTED] wrote:
> well here it does. Tested with both Debian lenny and Ubuntu hardy.
> Which version do you use?
>
> If you have a locked account without that expiry and use either of the
> above just 'lock' that account again and then take a look at
> /etc/shadow.

I'm on Lenny:

klingon:/home/alieno# dpkg -l *passwd*|grep ^ii
ii  base-passwd  3.5.17
ii  passwd       1:4.1.1-2

I previously fixed it using usermod -L as suggested by Sven Joachim, and it was working fine:

[EMAIL PROTECTED]:~$ sudo su
klingon:/home/alieno# passwd -S root
root L 07/23/2008 0 9 7 -1

(no warnings and cronjobs ok)

klingon:/home/alieno# passwd -l root
Password changed.
klingon:/home/alieno# passwd -S root
root L 07/23/2008 0 9 7 -1
klingon:/home/alieno# head -1 /etc/shadow
root:!$1$MwKDBs6O$H.ZfnYq7C.xzVUdHRmwL31:14084:0:9:7::1:

So the passwd -S output is the same. But:

klingon:/home/alieno# exit
[EMAIL PROTECTED]:~$ sudo su
Your account has expired; please contact your system administrator
su: User account has expired
(Ignored)
klingon:/home/alieno# head -1 /etc/shadow
root:!$1$MwKDBs6O$H.ZfnYq7C.xzVUdHRmwL31:14084:0:9:7::1:

and from syslog:

Jul 24 22:44:01 klingon CRON[4998]: User account has expired

klingon:/home/alieno# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
klingon:/home/alieno# passwd -S root
root P 07/24/2008 0 9 7 -1
#klingon:/home/alieno# head -1 /etc/shadow
root:$1$0pbophfn$B3EpqcFkcezuOYY1D6mNr/:14084:0:9:7::1:
klingon:/home/alieno# exit
[EMAIL PROTECTED]:~$ sudo su
Your account has expired; please contact your system administrator
su: User account has expired
(Ignored)

Locking back with usermod doesn't work anymore!

klingon:/home/alieno# usermod -L root
klingon:/home/alieno# head -1 /etc/shadow
root:!$1$b/Xw.zn6$qMfTmi6zbxeM2nWIDqgMR.:14084:0:9:7::1:
klingon:/home/alieno# passwd -S root
root L 07/24/2008 0 9 7 -1
klingon:/home/alieno# exit
[EMAIL PROTECTED]:~$ sudo su
Your account has expired; please contact your system administrator
su: User account has expired
(Ignored)

(and of course root cronjobs not working anymore)

It works if I do

klingon:/home/alieno# passwd -u root
klingon:/home/alieno# passwd -S
root P 07/24/2008 0 9 7 -1
klingon:/home/alieno# head -1 /etc/shadow
root:$1$b/Xw.zn6$qMfTmi6zbxeM2nWIDqgMR.:14084:0:9:7:::
klingon:/home/alieno# usermod -L root
klingon:/home/alieno# passwd -S
root L 07/24/2008 0 9 7 -1
klingon:/home/alieno# head -1 /etc/shadow
root:!$1$b/Xw.zn6$qMfTmi6zbxeM2nWIDqgMR.:14084:0:9:7:::
klingon:/home/alieno# exit
[EMAIL PROTECTED]:~$ sudo su
klingon:/home/alieno#

and cronjobs are running ok

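The session above turns on two separate fields of the root entry in /etc/shadow: the '!' prefix on the password hash (field 2) and the account expiry in field 8, which holds 1 when su and cron report the account as expired and is empty when they work. As an added example (not from the thread or from the passwd package), this shell sketch reports both states per entry; the function names, the constructed sample entries with placeholder hashes, and the rule "expired once today's day number reaches field 8" are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread. Hashes below are constructed placeholders.

# shadow_state ENTRY TODAY
# Prints "<user> password=<locked|usable> account=<expired|active>" for one
# /etc/shadow entry. TODAY is a day count since 1970-01-01, like field 8.
shadow_state() {
    today=$2
    # Split the nine colon-separated fields described in shadow(5).
    IFS=: read -r user pw lastchg min max warn inact expire reserved <<EOF
$1
EOF
    # Field 2: a leading '!' or '*' means no password can match (locked);
    # anything else is treated as usable here.
    case $pw in
        '!'*|'*'*) pwstate=locked ;;
        *)         pwstate=usable ;;
    esac
    # Field 8: empty means the account never expires. Assumption of this
    # example: the account counts as expired once TODAY reaches the value.
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        acct=expired
    else
        acct=active
    fi
    printf '%s password=%s account=%s\n' "$user" "$pwstate" "$acct"
}

# scan_shadow TODAY < file
# Lists only the entries whose account is expired, i.e. the ones for which
# su and cron would report "User account has expired".
scan_shadow() {
    while IFS= read -r entry; do
        state=$(shadow_state "$entry" "$1")
        case $state in
            *account=expired) printf '%s\n' "$state" ;;
        esac
    done
}

# Constructed sample: a locked root with expiry 1, the same lock without an
# expiry (named root2 here), and an ordinary user.
SAMPLE='root:!$1$CONSTRUCTED$placeholderhash:14084:0:9:7::1:
root2:!$1$CONSTRUCTED$placeholderhash:14084:0:9:7:::
alieno:$1$CONSTRUCTED$placeholderhash:14084:0:99999:7:::'

printf '%s\n' "$SAMPLE" | scan_shadow "$(( $(date +%s) / 86400 ))"
```

On a real system the same scan would be fed from `/etc/shadow` as root; an entry listed with password=locked and account=expired is the combination that stops root cron jobs in this thread.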
Cron jobs and root account locked on Lenny
A few days ago (due to a broken harddisk) I've installed Lenny from scratch on my laptop. I've copied pretty much every configuration from the old installation (Etch) and everything seems good. Well, everything but a couple of things: first of all, at install time I chose no root login but only a user with sudo grants. So, the root account is locked:

[EMAIL PROTECTED]:~$ sudo passwd -S root
root L 07/21/2008 0 9 7 -1

Now, first difference I've noticed from the previous (Etch) install is:

[EMAIL PROTECTED]:~$ sudo su -
Your account has expired; please contact your system administrator
su: User account has expired
(Ignored)
klingon:~#

Ok, not so annoying, but I'm not sure it's the right message: shouldn't the account be locked and not expired? Anyway, this leads to the second, more important issue: crond is not running jobs owned by root. For example:

syslog:
Jul 22 20:17:01 klingon CRON[3060]: User account has expired

auth.log:
Jul 22 12:17:01 klingon CRON[3060]: pam_unix(cron:account): account root has expired (account expired)

Of course, I could unlock root account, but I thought it was good practice to avoid root login from tty/ssh etc, and I'm pretty sure this configuration was working well under Etch. Could this be considered as a bug? Should I report it?

Thanks

Re: Cron jobs and root account locked on Lenny
On Wed,23.Jul.08, 00:11:35, Alexander Fortin wrote:

[locked root account troubles]

> Of course, I could unlock root account, but I thought it was good
> practice to avoid root login from tty/ssh etc, and I'm pretty sure
> this configuration was working well under Etch. Could this be
> considered as a bug? Should I report it?

I never understood what benefits this brings, the Ubuntu page explaining it didn't convince me. Also, as far as I understand (from the very same page) Ubuntu is patching some (many?) packages to make them work in this configuration.

Of course, I may be completely wrong, in which case I'm sure somebody will contradict me with arguments and references :)

Regards,
Andrei
--
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)

Re: Cron jobs and root account locked on Lenny
On Wed, 23 Jul 2008 13:10:26 +0300
Andrei Popescu [EMAIL PROTECTED] wrote:
> On Wed,23.Jul.08, 00:11:35, Alexander Fortin wrote:
>
> [locked root account troubles]
>
> > Of course, I could unlock root account, but I thought it was good
> > practice to avoid root login from tty/ssh etc, and I'm pretty sure
> > this configuration was working well under Etch. Could this be
> > considered as a bug? Should I report it?
>
> I never understood what benefits this brings, the Ubuntu page
> explaining it didn't convince me.

I agree. I think it's really more annoying than anything. You can still use sudo if you want, but you also have the choice of using su (like, say, when sudo is fubared or you can't log in to your user account...).

That said, I don't recommend allowing root login over ssh, but that can be disabled with sshd.

--
Brian

Re: Cron jobs and root account locked on Lenny
On Jul 23, 2:30 pm, Brian Marshall [EMAIL PROTECTED] wrote:
> That said, I don't recommend allowing root login over ssh, but that
> can be disabled with sshd.

I partially agree with the uselessness of the feature, but Debian installer is asking if you want to allow root login or not, so I'm pretty sure I'm not the only one on Lenny with locked root account and root cron jobs running, and I still think this could lead to confusion, especially if you were used to lock root account under Etch.

Re: Cron jobs and root account locked on Lenny
On Wed,23.Jul.08, 09:00:22, Alexander Fortin wrote:
> On Jul 23, 2:30 pm, Brian Marshall [EMAIL PROTECTED] wrote:
> > That said, I don't recommend allowing root login over ssh, but that
> > can be disabled with sshd.
>
> I partially agree with the uselessness of the feature, but Debian
> installer is asking if you want to allow root login or not, so I'm

Only in expert mode ;)

> pretty sure I'm not the only one on Lenny with locked root account and
> root cron jobs running, and I still think this could lead to
> confusion, especially if you were used to lock root account under
> Etch.

I'm not an expert, but a quick read through passwd(1) says account expiry should be set to '1', while your 'passwd -S' shows '-1', just like a normal account. How about trying to lock it again?

Regards,
Andrei
--
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)

Re: Cron jobs and root account locked on Lenny
On 2008-07-23 18:46 +0200, Andrei Popescu wrote:
> I'm not an expert, but a quick read through passwd(1) says account
> expiry should be set to '1', while your 'passwd -S' shows '-1', just
> like a normal account. How about trying to lock it again?

I tried that here, and it did not help. Probably a bug in passwd or pam. Didn't find anything in the BTS, but Ubuntu users see something similar:

https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/238755

A comment in that bug suggests using usermod --lock root to lock the root account, that does seem to work.

Sven