Re: rawhide report: 20070120 changes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2007-01-22 at 07:21 +0100, Bernardo Innocenti wrote:
> On Saturday 20 January 2007 12:27, buildsys@xxxxxxxxxx wrote:
> 
> > pam-0.99.7.0-1.fc7
> > ------------------
> > * Fri Jan 19 2007 Tomas Mraz <tmraz@xxxxxxxxxx> 0.99.7.0-1
> > - upgrade to new upstream version
> > - drop pam_stack module as it is obsolete
> > - some changes to silence rpmlint
> 
> Is it just me or after this update anybody and his dog can
> login without typing a valid password in any account?
> 
> See:
> 
>  bernie@bender:~$ su - openwrt
>  Password: <type anything>
>  openwrt@bender:~$
>  openwrt@bender:~$ logout
>  openwrt@bender:~$ logout
>  bender:/etc/pam.d# grep openwrt /etc/passwd /etc/shadow 
>  /etc/passwd:openwrt:x:501:501:openwrt compiler:/usr/local/src/openwrt:/bin/bash
>  /etc/shadow:openwrt:!!:13529::::::
> 
> I've installed this update yesterday in the evening and today
> there were already rootkits and irc bots everywhere :)
> 
Well it is not just you. And I am ashamed I didn't catch this problem
when reviewing changes in new upstream version. :( It won't allow anyone
to any account but only accounts with only two characters in passwd
field - like !! and similar. It is very serious anyway.
Should be fixed in pam-0.99.7.0-2.fc7.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux