Public bug reported:

Ubuntu release
==============

Description:    Ubuntu 16.04.1 LTS
Release:        16.04

Package version
===============

According to `apt-file search /etc/pam.d/chsh`, package `passwd` owns
that file.

passwd:
  Installed: 1:4.2-3.1ubuntu5
  Candidate: 1:4.2-3.1ubuntu5
  Version table:
 *** 1:4.2-3.1ubuntu5 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status

What you expected to happen
===========================

The following should mess up root's default shell and then fix it to use
`bash`:

    sudo chsh -s /bin/nonexistent
    sudo chsh -s /bin/bash

What happened instead
=====================

PAM blocks what should be a simple fix:

    $ sudo chsh -s /bin/nonexistent
    chsh: Warning: /bin/nonexistent does not exist
    $ sudo chsh -s /bin/bash
    Password:
    chsh: PAM: Authentication failure

Note especially that the password prompt above isn't the standard `sudo`
password prompt. `sudo` has already been recently given a password, so
it didn't ask again.

    $ SHELL=/bin/bash sudo --shell
    # chsh -s /bin/bash
    Password:
    chsh: PAM: Authentication failure

This happens even though the `root` account is disabled and thus has no
password. Even setting a password for `root` and using that password
doesn't work, so it's apparently not asking for the `root` password.

Workaround
==========

1. Edit `/etc/pam.d/chsh`
2. Comment out the line `auth       required   pam_shells.so`
3. Run `sudo chsh -s /bin/bash`
4. Edit `/etc/pam.d/chsh`
5. Uncomment the line `auth       required   pam_shells.so`

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: passwd 1:4.2-3.1ubuntu5
ProcVersionSignature: Ubuntu 4.4.0-47.68-generic 4.4.24
Uname: Linux 4.4.0-47-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: Unity
Date: Fri Nov 11 14:42:57 2016
DistributionChannelDescriptor:
 # This is a distribution channel descriptor
 # For more information see http://wiki.ubuntu.com/DistributionChannelDescriptor
 canonical-oem-somerville-xenial-amd64-20160624-2
EcryptfsInUse: Yes
InstallationDate: Installed on 2016-11-01 (10 days ago)
InstallationMedia: Ubuntu 16.04 "Xenial" - Build amd64 LIVE Binary 
20160624-10:47
SourcePackage: shadow
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: shadow (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug xenial

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1641213

Title:
  PAM blocks fixing `chsh`ing root to a nonexistent shell

Status in shadow package in Ubuntu:
  New

Bug description:
  Ubuntu release
  ==============

  Description:  Ubuntu 16.04.1 LTS
  Release:      16.04

  Package version
  ===============

  According to `apt-file search /etc/pam.d/chsh`, package `passwd` owns
  that file.

  passwd:
    Installed: 1:4.2-3.1ubuntu5
    Candidate: 1:4.2-3.1ubuntu5
    Version table:
   *** 1:4.2-3.1ubuntu5 500
          500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
          100 /var/lib/dpkg/status

  What you expected to happen
  ===========================

  The following should mess up root's default shell and then fix it to
  use `bash`:

      sudo chsh -s /bin/nonexistent
      sudo chsh -s /bin/bash

  What happened instead
  =====================

  PAM blocks what should be a simple fix:

      $ sudo chsh -s /bin/nonexistent
      chsh: Warning: /bin/nonexistent does not exist
      $ sudo chsh -s /bin/bash
      Password:
      chsh: PAM: Authentication failure

  Note especially that the password prompt above isn't the standard
  `sudo` password prompt. `sudo` has already been recently given a
  password, so it didn't ask again.

      $ SHELL=/bin/bash sudo --shell
      # chsh -s /bin/bash
      Password:
      chsh: PAM: Authentication failure

  This happens even though the `root` account is disabled and thus has
  no password. Even setting a password for `root` and using that
  password doesn't work, so it's apparently not asking for the `root`
  password.

  Workaround
  ==========

  1. Edit `/etc/pam.d/chsh`
  2. Comment out the line `auth       required   pam_shells.so`
  3. Run `sudo chsh -s /bin/bash`
  4. Edit `/etc/pam.d/chsh`
  5. Uncomment the line `auth       required   pam_shells.so`

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: passwd 1:4.2-3.1ubuntu5
  ProcVersionSignature: Ubuntu 4.4.0-47.68-generic 4.4.24
  Uname: Linux 4.4.0-47-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.1
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Fri Nov 11 14:42:57 2016
  DistributionChannelDescriptor:
   # This is a distribution channel descriptor
   # For more information see 
http://wiki.ubuntu.com/DistributionChannelDescriptor
   canonical-oem-somerville-xenial-amd64-20160624-2
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2016-11-01 (10 days ago)
  InstallationMedia: Ubuntu 16.04 "Xenial" - Build amd64 LIVE Binary 
20160624-10:47
  SourcePackage: shadow
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1641213/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to