The machines that have *not* been patched look like this:

-r-------- 1 root root 14050 Aug 24 15:13 /etc/shadow
-rwsr-xr-x 1 root root 19632 Jul 22 17:35 /sbin/unix_chkpwd

The ones that have look like this:

-r-------- 1 root root 14050 Aug 24 15:13 /etc/shadow
-rwxr-sr-x 1 root shadow 26372 Aug 20 12:24 /sbin/unix_chkpwd

and I see that, as of pam 1.0.1-1:

  * The password-changing helper functionality for SELinux systems has
    been split out into a separate unix_update binary, so at long last
    we can change unix_chkpwd to be sgid shadow instead of suid root.
    Closes: #155583.

So, I'm guessing that we need:

-r--r----- 1 root shadow 14050 Aug 24 15:13 /etc/shadow

?

Thanks,

-- 
Steve Lane
System, Network and Security Administrator
Doudna Lab
Biomolecular Structure and Mechanism Group
UC Berkeley

On Sun, Aug 24, 2008 at 03:04:28PM -0700, Steve Lane wrote:
> On Sun, Aug 24, 2008 at 02:41:37PM -0700, Steve Langasek wrote:
> > severity 496457 normal
> > tags 496457 unreproducible moreinfo
> > thanks
> > 
> > On Sun, Aug 24, 2008 at 02:13:53PM -0700, Steve Lane wrote:
> > > Justification: breaks unrelated software
> > 
> > False. Software that invokes PAM is not "unrelated".
> 
> Sorry, I guess I wasn't clear. The software that breaks is the entire
> machine, since once the screen is locked the (non-admin) user has no
> recourse except to (A) find an admin to kill kdesktop_lock, or (B)
> power-cycle the machine.
> 
> > > Aug 24 13:22:23 aspen unix_chkpwd[3472]: check pass; user unknown
> > > Aug 24 13:22:23 aspen unix_chkpwd[3472]: password check failed for user (iamsteve)
> > 
> > Please report the permissions from /etc/shadow and /sbin/unix_chkpwd. I
> > suspect you have wrong perms on /etc/shadow.
> 
> [EMAIL PROTECTED]> ls -l /etc/shadow /sbin/unix_chkpwd
> 16 -r-------- 1 root root 14020 Aug 24 14:53 /etc/shadow
> 28 -rwxr-sr-x 1 root shadow 26372 Aug 20 12:24 /sbin/unix_chkpwd*
> 
> Note that we have 13 workstations with this identical config, all but
> two of which have been patched in the last two days. All of the ones
> which have been patched are broken in this way; the two that have not
> been patched are not.
> I am thus wondering if something changed with
> the last libpam patch..?
> 
> Please be aware that this bug has been cross-posted to bugs #496455 and
> #496456 as well as this one (#496457).
> 
> Thanks much,
> 
> -- 
> Steve Lane
> System, Network and Security Administrator
> Doudna Lab
> Biomolecular Structure and Mechanism Group
> UC Berkeley
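The failure in this thread comes down to one question: once unix_chkpwd is sgid shadow instead of suid root, can it still open /etc/shadow on behalf of a non-root user? The script below is an added example, not code from the bug thread or from Debian's pam package. It is a small POSIX sh simulation of that discretionary-access decision, run over the `ls -l` lines quoted in the report. The function names and the `nobody`/`nogroup` stand-ins for the unprivileged caller are the example's own; the `SHADOW_DEBIAN` line reflects Debian's standard permissions for /etc/shadow (mode 0640, owner root, group shadow), and `SHADOW_GUESS` is the 0440 root:shadow mode the reporter proposes.

```shell
#!/bin/sh
# Added example (not from the bug report or Debian's pam package): simulate
# the DAC check behind the "check pass; user unknown" failure. Given `ls -l`
# lines for /sbin/unix_chkpwd and /etc/shadow, decide whether the helper,
# started by an ordinary non-root user, can read the shadow file. Nothing
# on the running system is inspected.

# Credentials the helper runs with when a non-root user invokes it, derived
# from its setuid (column 4) and setgid (column 7) bits. Prints "euid egid".
# "nobody"/"nogroup" stand in for the unprivileged caller's own ids.
helper_creds() {
    mode=$1 owner=$2 group=$3
    euid=nobody egid=nogroup
    case $mode in ???[sS]*)    euid=$owner ;; esac   # setuid: runs as owner
    case $mode in ??????[sS]*) egid=$group ;; esac   # setgid: runs as group
    echo "$euid $egid"
}

# Plain Unix DAC for a read: root bypasses; otherwise exactly one of the
# owner, group or other triplet applies, in that order of precedence.
# Supplementary groups are not modelled. Returns 0 if readable.
can_read() {
    euid=$1 egid=$2 mode=$3 owner=$4 group=$5
    if [ "$euid" = root ]; then return 0; fi
    if [ "$euid" = "$owner" ]; then
        case $mode in ?r*) return 0 ;; esac          # owner read bit (column 2)
    elif [ "$egid" = "$group" ]; then
        case $mode in ????r*) return 0 ;; esac       # group read bit (column 5)
    else
        case $mode in ???????r*) return 0 ;; esac    # other read bit (column 8)
    fi
    return 1
}

# Pull "mode owner group" out of one `ls -l` line.
ls_fields() {
    set -- $1
    echo "$1 $3 $4"
}

# Combine a helper line and a shadow line. Returns 0 when password checks
# for non-root users will work, 1 when the helper cannot read the shadow
# file (the failure mode in the report).
check_pair() {
    helper_line=$1 shadow_line=$2
    set -- $(ls_fields "$helper_line"); hmode=$1 howner=$2 hgroup=$3
    set -- $(ls_fields "$shadow_line"); smode=$1 sowner=$2 sgroup=$3
    set -- $(helper_creds "$hmode" "$howner" "$hgroup"); euid=$1 egid=$2
    if can_read "$euid" "$egid" "$smode" "$sowner" "$sgroup"; then
        echo "ok: helper runs as $euid:$egid; shadow is $smode $sowner:$sgroup"
        return 0
    fi
    echo "BROKEN: helper runs as $euid:$egid; shadow is $smode $sowner:$sgroup"
    return 1
}

# Sample lines copied from the report, plus the two candidate fixes:
# the reporter's guess (0440 root:shadow) and Debian's default (0640 root:shadow).
UNPATCHED_HELPER='-rwsr-xr-x 1 root root 19632 Jul 22 17:35 /sbin/unix_chkpwd'
PATCHED_HELPER='-rwxr-sr-x 1 root shadow 26372 Aug 20 12:24 /sbin/unix_chkpwd'
SHADOW_ROOT_ONLY='-r-------- 1 root root 14050 Aug 24 15:13 /etc/shadow'
SHADOW_GUESS='-r--r----- 1 root shadow 14050 Aug 24 15:13 /etc/shadow'
SHADOW_DEBIAN='-rw-r----- 1 root shadow 14050 Aug 24 15:13 /etc/shadow'

main() {
    check_pair "$UNPATCHED_HELPER" "$SHADOW_ROOT_ONLY"          # ok: suid root reads anything
    check_pair "$PATCHED_HELPER"   "$SHADOW_ROOT_ONLY" || true  # BROKEN: the reporter's patched hosts
    check_pair "$PATCHED_HELPER"   "$SHADOW_GUESS"              # ok: group shadow may read
    check_pair "$PATCHED_HELPER"   "$SHADOW_DEBIAN"             # ok: Debian default
}
main
```

The second pairing is the reporter's patched workstations: the helper now gains only group shadow, and a shadow file that is 0400 root:root grants that group nothing, so every password check fails for non-root callers while root's own checks keep working. Either candidate fix passes the simulation; `chgrp shadow /etc/shadow && chmod 0640 /etc/shadow` restores the Debian default. The model deliberately ignores supplementary groups, ACLs and SELinux labels, any of which can change the answer on a real host.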