On Mon, 2007-01-22 at 07:21 +0100, Bernardo Innocenti wrote:
> On Saturday 20 January 2007 12:27, buildsys@xxxxxxxxxx wrote:
>
> > pam-0.99.7.0-1.fc7
> > ------------------
> > * Fri Jan 19 2007 Tomas Mraz <tmraz@xxxxxxxxxx> 0.99.7.0-1
> > - upgrade to new upstream version
> > - drop pam_stack module as it is obsolete
> > - some changes to silence rpmlint
>
> Is it just me or after this update anybody and his dog can
> login without typing a valid password in any account?
>
> See:
>
> bernie@bender:~$ su - openwrt
> Password: <type anything>
> openwrt@bender:~$
> openwrt@bender:~$ logout
> openwrt@bender:~$ logout
> bender:/etc/pam.d# grep openwrt /etc/passwd /etc/shadow
> /etc/passwd:openwrt:x:501:501:openwrt compiler:/usr/local/src/openwrt:/bin/bash
> /etc/shadow:openwrt:!!:13529::::::
>
> I've installed this update yesterday in the evening and today
> there were already rootkits and irc bots everywhere :)
>
Well it is not just you. And I am ashamed I didn't catch this problem
when reviewing changes in new upstream version. :( It won't allow anyone
to any account but only accounts with only two characters in passwd
field - like !! and similar. It is very serious anyway.
Should be fixed in pam-0.99.7.0-2.fc7.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
--
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list