On Saturday 20 January 2007 12:27, buildsys@xxxxxxxxxx wrote:

> pam-0.99.7.0-1.fc7
> ------------------
> * Fri Jan 19 2007 Tomas Mraz <tmraz@xxxxxxxxxx> 0.99.7.0-1
> - upgrade to new upstream version
> - drop pam_stack module as it is obsolete
> - some changes to silence rpmlint

Is it just me or after this update anybody and his dog
can login without typing a valid password in any account?

See:

bernie@bender:~$ su - openwrt
Password: <type anything>
openwrt@bender:~$
openwrt@bender:~$ logout
openwrt@bender:~$ logout
bender:/etc/pam.d# grep openwrt /etc/passwd /etc/shadow
/etc/passwd:openwrt:x:501:501:openwrt compiler:/usr/local/src/openwrt:/bin/bash
/etc/shadow:openwrt:!!:13529::::::

I've installed this update yesterday in the evening and today
there were already rootkits and irc bots everywhere :)

My /etc/pam.d/system-auth looks sane to me:

---cut---
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
---cut---

--
   // Bernardo Innocenti
 \X/  bernie@xxxxxxxxxxx

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list