Bug 1292815
Summary: | usermod -p allowing colon (ie. ':' ) in encrypted password which then breaks /etc/shadow | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Tomas Mraz <tmraz> |
Component: | shadow-utils | Assignee: | Tomas Mraz <tmraz> |
Status: | CLOSED ERRATA | QA Contact: | Stefan Kremen <skremen> |
Severity: | medium | Docs Contact: | |
Priority: | high | ||
Version: | 7.2 | CC: | cww, hartsjc, mmarusic, pkis, qe-baseos-security, skremen |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | shadow-utils-4.1.5.1-19.el7 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | 1220504 | Environment: | |
Last Closed: | 2016-11-04 03:41:12 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1203710, 1296594, 1313485 |
Description
Tomas Mraz
2015-12-18 12:24:59 UTC
I opened the RHEL 6 version of the BZ, and included in the Expected results above is that RHEL 7 already warns of this issue. So not sure this BZ is needed for RHEL 7...

    # cat /etc/redhat-release
    Red Hat Enterprise Linux Server release 7.2 (Maipo)
    # grep ^test: /etc/shadow
    test:$6$iimWa/Hp$h2Vx0aM1WD/Z.khihwBnpRocSLTc8PgVNIwFjRejYpp74JxToLo6IrgaT.1CZDrbw9cYXfLt494aDQsweU6/60:16787:0:99999:7:::
    # usermod -p 'sstest:123' test
    usermod: failure while writing changes to /etc/shadow
    # grep ^test: /etc/shadow
    test:$6$iimWa/Hp$h2Vx0aM1WD/Z.khihwBnpRocSLTc8PgVNIwFjRejYpp74JxToLo6IrgaT.1CZDrbw9cYXfLt494aDQsweU6/60:16787:0:99999:7:::

Now with colon removed on RHEL 7 (so seems the colon is cause of failure):

    # usermod -p 'sstest123' test
    # grep ^test: /etc/shadow
    test:sstest123:16787:0:99999:7:::

Hmm, you're right that there is an additional check when writing the shadow entry. However the error message is not completely clear so it is better to include the explicit check for ':' which will be in RHEL-6.8.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2322.html
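
The explicit check for ':' discussed in this report, sketched as an added example (not code from shadow-utils or from anyone in this bug), together with a field count that shows why a colon in the `-p` value corrupts a shadow record. The function names are hypothetical, rejecting newlines is an assumption beyond what the report mentions, and the aging fields are copied from the constructed test entry above.

```c
#include <stdio.h>
#include <string.h>

/* name:passwd:lastchg:min:max:warn:inact:expire:flag */
#define SHADOW_FIELDS 9

/* Return 1 if pw can be stored as the password field of a shadow entry.
 * ':' is the field separator; '\n' would end the record (assumption:
 * the report itself only discusses ':'). */
int shadow_pw_field_ok(const char *pw)
{
    return pw != NULL && strpbrk(pw, ":\n") == NULL;
}

/* Count colon-separated fields in one shadow line (empty fields count). */
int shadow_field_count(const char *line)
{
    int n = 1;
    for (; *line != '\0'; line++)
        if (*line == ':')
            n++;
    return n;
}

/* Format an entry without validating pw, as a naive writer would, and
 * report whether the result is still a 9-field record. */
int entry_well_formed(const char *user, const char *pw, char *out, size_t len)
{
    int w = snprintf(out, len, "%s:%s:16787:0:99999:7:::", user, pw);
    if (w < 0 || (size_t)w >= len)
        return 0;
    return shadow_field_count(out) == SHADOW_FIELDS;
}

int main(void)
{
    /* Constructed inputs: the two -p values used in the report. */
    const char *samples[] = { "sstest123", "sstest:123" };
    char line[256];
    for (size_t i = 0; i < 2; i++) {
        int ok = shadow_pw_field_ok(samples[i]);
        int wf = entry_well_formed("test", samples[i], line, sizeof line);
        printf("%-11s check=%s fields=%d (%s)\n", samples[i],
               ok ? "accept" : "reject", shadow_field_count(line),
               wf ? "well-formed" : "malformed");
    }
    return 0;
}
```

Running the field count over each line of an existing shadow file is a quick way to audit for records that an unchecked writer has already shifted.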