RE: [FIXED] Re: [BUG?] RE: chmod 444 /etc/shadow


There is a shadow password file for the groups file (/etc/gshadow) as
well as for the password file.  The clue for me was that the password
field in /etc/group is an 'x' just like in the password file.  The
default on my vanilla 8.0 box appears to lock the group password
entries.  So you were being kept out for not having the correct group
password.

When you changed the 'x' to '*' you removed the group shadow lookup.  I
suspect that removing the 'x' and leaving the field empty would have
worked as well.  

I am a little hazy as to why the '*' would work.  That string is
supposed to be impossible to match with the crypt() call which I would
have expected to lock the group also.  

Here is where I got most clues:
http://www.todo.co.nz/howto/Shadow-Password-HOWTO.html#ss7.4

This document says that the gshadow password value should be '!' but on
my system it isn't that way.  I think Red Hat has made some custom
changes to the package.  

Hattie Rouge


> -----Original Message-----
> From: pam-list-admin@xxxxxxxxxx 
> [mailto:pam-list-admin@xxxxxxxxxx] On Behalf Of ahoward
> Sent: Tuesday, May 20, 2003 11:12 AM
> To: pam-list@xxxxxxxxxx
> Subject: [FIXED] Re: [BUG?] RE: chmod 444 /etc/shadow
> 
> 
> On Tue, 20 May 2003, ahoward wrote:
> 
> if one changes the entry in /etc/group from
> 
>   shadow:x:4002:root,postgres
> 
> to
> 
>   shadow:*:4002:root,postgres
> 
> it all works.  i have no idea what, or what a '*' password 
> means, but this seems like the ticket.
> 
> -a
> 
> >
> > wtf?
> >
> > anyone got ideas?
> >
> > -a
> >
> >
> > >
> > >
> > > Hattie Rouge
> > >
> > >
> > > > -----Original Message-----
> > > > From: pam-list-admin@xxxxxxxxxx [mailto:pam-list-admin@xxxxxxxxxx]
> > > > On Behalf Of ahoward
> > > > Sent: Tuesday, May 20, 2003 10:20 AM
> > > > To: pam-list@xxxxxxxxxx
> > > > Subject: RE: chmod 444 /etc/shadow
> > > >
> > > >
> > > > On Mon, 19 May 2003, Hattie Rouge wrote:
> > > >
> > > > > Have you run strace to see what it is doing when it reports
> > > > the error?
> > > >
> > > > yes - wasn't a lot of help:
> > > >
> > > > waiting for a connection...
> > > > one came in, sent password prompt...
> > > >
> > > >   --- SIGSTOP (Stopped (signal)) ---
> > > >   ) = 1 (in [3], left {251, 760000})
> > > >   rt_sigprocmask(SIG_SETMASK, ~[ILL TRAP ABRT BUS FPE SEGV CONT 
> > > > SYS], NULL, 8) = 0
> > > >   accept(3, {sin_family=AF_INET, sin_port=htons(53949), 
> > > > sin_addr=inet_addr("137.75.132.144")}}, [16]) = 8
> > > >   getsockname(8, {sin_family=AF_INET, sin_port=htons(5432), 
> > > > sin_addr=inet_addr("137.75.129.65")}}, [16]) = 0
> > > >   setsockopt(8, SOL_TCP, TCP_NODELAY, [1], 4) = 0
> > > >   setsockopt(8, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
> > > >   fork()                                  = 11197
> > > >   close(8)                                = 0
> > > >   time(NULL)                              = 1053450868
> > > >   rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> > > >   select(5, [3 4], [], NULL, {246, 0})    = ? ERESTARTNOHAND
> > > > (To be restarted)
> > > >   --- SIGCHLD (Child exited) ---
> > > >
> > > >
> > > > this after password has been sent, strange that it doesn't seem to
> > > > do much?
> > > >
> > > >   rt_sigprocmask(SIG_SETMASK, ~[ILL TRAP ABRT BUS FPE SEGV CONT 
> > > > SYS], NULL, 8) = 0
> > > >   wait4(-1, [WIFEXITED(s) && WEXITSTATUS(s) == 0], WNOHANG,
> > > > NULL) = 11197
> > > >   send(5, "\2\0\0\0\30\0\0\0\0\0\0\0\275+\0\0\0\0\0\0\0\0\0\0", 
> > > > 24, 0) = 24
> > > >   wait4(-1, 0xbffff06c, WNOHANG, NULL)    = 0
> > > >   rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> > > >   sigreturn()                             = ? (mask now [])
> > > >   rt_sigprocmask(SIG_SETMASK, ~[ILL TRAP ABRT BUS FPE SEGV CONT 
> > > > SYS], NULL, 8) = 0
> > > >   time(NULL)                              = 1053450868
> > > >   rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> > > >   select(5, [3 4], [], NULL, {246, 0})    = 1 (in [3], left
> > > > {233, 800000})
> > > >   rt_sigprocmask(SIG_SETMASK, ~[ILL TRAP ABRT BUS FPE SEGV CONT 
> > > > SYS], NULL, 8) = 0
> > > >   accept(3, {sin_family=AF_INET, sin_port=htons(53950), 
> > > > sin_addr=inet_addr("137.75.132.144")}}, [16]) = 8
> > > >   getsockname(8, {sin_family=AF_INET, sin_port=htons(5432), 
> > > > sin_addr=inet_addr("137.75.129.65")}}, [16]) = 0
> > > >   setsockopt(8, SOL_TCP, TCP_NODELAY, [1], 4) = 0
> > > >   setsockopt(8, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
> > > >   fork()                                  = 11198
> > > >   close(8)                                = 0
> > > >   time(NULL)                              = 1053450880
> > > >   rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> > > >   select(5, [3 4], [], NULL, {234, 0})    = ? ERESTARTNOHAND
> > > > (To be restarted)
> > > >   --- SIGCHLD (Child exited) ---
> > > >
> > > > waiting for another connection...
> > > >
> > > >   rt_sigprocmask(SIG_SETMASK, ~[ILL TRAP ABRT BUS FPE SEGV CONT 
> > > > SYS], NULL, 8) = 0
> > > >   wait4(-1, [WIFEXITED(s) && WEXITSTATUS(s) == 0], WNOHANG,
> > > > NULL) = 11198
> > > >   send(5, "\2\0\0\0\30\0\0\0\0\0\0\0\276+\0\0\0\0\0\0\0\0\0\0", 
> > > > 24, 0) = 24
> > > >   wait4(-1, 0xbffff06c, WNOHANG, NULL)    = 0
> > > >   rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> > > >   sigreturn()                             = ? (mask now [])
> > > >   rt_sigprocmask(SIG_SETMASK, ~[ILL TRAP ABRT BUS FPE SEGV CONT 
> > > > SYS], NULL, 8) = 0
> > > >   time(NULL)                              = 1053450883
> > > >   rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> > > >   select(5, [3 4], [], NULL, {231, 0}
> > > >
> > > > -a
> > > >
> > > > --
> > > >   ====================================
> > > >   | Ara Howard
> > > >   | NOAA Forecast Systems Laboratory
> > > >   | Information and Technology Services
> > > >   | Data Systems Group
> > > >   | R/FST 325 Broadway
> > > >   | Boulder, CO 80305-3328
> > > >   | Email: ara.t.howard@xxxxxxxxxxxx
> > > >   | Phone:  303-497-7238
> > > >   | Fax:    303-497-7259
> > > >   ====================================
> > > >
> > > >
> > > > _______________________________________________
> > > > 
> > > > Pam-list@xxxxxxxxxx 
> > > > https://www.redhat.com/mailman/listinfo/pam-list
> > > >
> > >
> > >
> 


_______________________________________________

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
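
The thread turns on what the password field of an /etc/group entry means and when it defers to /etc/gshadow. The following is an added example, not code from the original messages: it classifies that field for each group and follows an 'x' into gshadow. Only the `shadow:x:4002:root,postgres` line comes from the thread; the other sample lines and the hash placeholder are constructed.

```python
# Added example: report where each group's password lives and its state.
# All sample data is constructed except the thread's "shadow" group line.
SAMPLE_GROUP = """\
shadow:x:4002:root,postgres
staff:*:4003:root
open::4004:
wheel:x:10:root
"""
SAMPLE_GSHADOW = """\
shadow:!::root,postgres
wheel:$6$CONSTRUCTED$placeholderhash::root
"""

def parse(text):
    """Map group name -> fields for well-formed 4-field colon-separated lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0]:
            entries[fields[0]] = fields
    return entries

def state(field):
    """Classify a password field by its form only (no hash is verified)."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"      # not a possible crypt(3) result
    return "hash"

def classify(group_text, gshadow_text):
    """Return {group: (source_file, state)}; 'x' defers to gshadow."""
    gshadow = parse(gshadow_text)
    result = {}
    for name, fields in parse(group_text).items():
        if fields[1] != "x":
            result[name] = ("group", state(fields[1]))
        elif name in gshadow:
            result[name] = ("gshadow", state(gshadow[name][1]))
        else:
            result[name] = ("gshadow", "missing")
    return result

if __name__ == "__main__":
    for name, (src, st) in classify(SAMPLE_GROUP, SAMPLE_GSHADOW).items():
        print(f"{name:8} {src:8} {st}")
```

To audit a live system, pass the contents of /etc/group and /etc/gshadow to `classify()`; reading gshadow normally requires root.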
