On Mon, 2007-01-22 at 07:21 +0100, Bernardo Innocenti wrote:
> On Saturday 20 January 2007 12:27, buildsys@xxxxxxxxxx wrote:
>
> > pam-0.99.7.0-1.fc7
> > ------------------
> > * Fri Jan 19 2007 Tomas Mraz <tmraz@xxxxxxxxxx> 0.99.7.0-1
> > - upgrade to new upstream version
> > - drop pam_stack module as it is obsolete
> > - some changes to silence rpmlint
>
> Is it just me or after this update anybody and his dog can
> login without typing a valid password in any account?
>
> See:
>
> bernie@bender:~$ su - openwrt
> Password: <type anything>
> openwrt@bender:~$
> openwrt@bender:~$ logout
> openwrt@bender:~$ logout
> bender:/etc/pam.d# grep openwrt /etc/passwd /etc/shadow
> /etc/passwd:openwrt:x:501:501:openwrt compiler:/usr/local/src/openwrt:/bin/bash
> /etc/shadow:openwrt:!!:13529::::::
>
> I've installed this update yesterday in the evening and today
> there were already rootkits and irc bots everywhere :)
>

Well it is not just you. And I am ashamed I didn't catch this problem
when reviewing changes in new upstream version. :(

It won't allow anyone to any account but only accounts with only two
characters in passwd field - like !! and similar. It is very serious
anyway.

Should be fixed in pam-0.99.7.0-2.fc7.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
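
An added example, not part of the original thread and not code from the PAM project: a small audit that lists accounts whose shadow password field is exactly two characters long, the condition the reply above describes. All sample entries except the openwrt line are constructed, and the function names are this example's own.

```python
import sys

# Constructed sample; only the openwrt entry is taken from the thread.
SAMPLE_SHADOW = """\
root:$1$constructed$constructedhashplaceholder:13529:0:99999:7:::
daemon:*:13529:0:99999:7:::
openwrt:!!:13529::::::
ftp:!*:13529::::::
nopass::13529:0:99999:7:::
# comment line
malformed-line-without-colons
"""

def parse_shadow(text):
    """Yield (user, password_field) for each well-formed shadow(5) line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            continue  # not a shadow entry; skip rather than guess
        yield fields[0], fields[1]

def classify(pw):
    """Bucket a password field by shape only; no hash is ever verified."""
    if pw == "":
        return "empty"
    if len(pw) == 2:
        return "two-char"  # the shape the reply says is affected
    if pw[0] in "!*":
        return "locked"
    return "hash"

def affected_accounts(text):
    """Return (user, field) pairs whose password field is two characters."""
    return [(u, pw) for u, pw in parse_shadow(text)
            if classify(pw) == "two-char"]

if __name__ == "__main__":
    # Pass the path of a shadow file copy, or no argument to use the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for user, pw in affected_accounts(data):
        print(f"{user}: password field {pw!r} is two characters long")
```

Reading the real /etc/shadow requires root; running the audit against a copy keeps the check itself unprivileged.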