Bug 1686436

Summary: passwd -S report is incorrect when the user's /etc/passwd entry does not contain 'x' in the password hash field
Product: Red Hat Enterprise Linux 7
Component: passwd
Version: 7.6
Status: CLOSED ERRATA
Severity: high
Priority: high
Hardware: Unspecified
OS: Unspecified
Reporter: amitkuma
Assignee: Jiri Kucera <jkucera>
QA Contact: David Jež <djez>
CC: amitkuma, daniele, djez, jkucera, ovasik, tmraz
Target Milestone: rc
Fixed In Version: passwd-0.79-6.el7
Doc Type: If docs needed, set a value
Clone Of:
: 1740168 (view as bug list) Environment:
Last Closed: 2020-03-31 19:45:42 UTC
Type: Bug
Bug Blocks: 1716965, 1740168

Description amitkuma 2019-03-07 13:08:39 UTC
Description of problem:


Removed 'x' for user 'test2' from /etc/passwd, but nothing changed in /etc/shadow.

Issue: 
- When trying to change the password of 'test2', it asks to enter a new password, though this will not be used.
- 'su - test2' logs in directly without asking for a password. It looks like the 'su -' utility only looks for 'x' in /etc/passwd and does not look at the string inside '/etc/shadow'.

////Reproducer////
1. user test2 does not have 'x' field in /etc/passwd
# cat /etc/passwd|grep test2
test2::1001:1001::/home/test2:/bin/bash
# 

2. But password-string is present in shadow
# cat /etc/shadow|grep test2
test2:$6$cELtwRPK$s7OZEKzuI3KRE5fh5iaBi1lEwUVqKC5TqDXVc0qqDpyEeAW1dHLNUhEhHc5NUg7GXVI9nm7Qs/E7k7e6q/tqQ0:17962:0:99999:7:::
# 

3. Login using 'su -' does not ask for a password.       //Correct
# su - test1
Last login: Thu Mar  7 06:28:53 EST 2019 on pts/0
[test1@rhel7u6-1 ~]$ su - test2
Last login: Thu Mar  7 06:28:58 EST 2019 on pts/0
[test2@rhel7u6-1 ~]$ 

4. But, while trying to change password of test2, it asks to enter new password. This password will never be used    //Inconsistent
# passwd test2
Changing password for user test2.
New password: 


Expectation:
- passwd should either read both '/etc/passwd' and /etc/shadow and provide meaningful information. Either:
 a. 'x' entry is not present in /etc/passwd. Password change will not have effect
 OR
 b. Please remove string from /etc/shadow, 'x' is not present in /etc/passwd
 OR
 c. Password setting will not have effect since 'x' is not present in /etc/passwd. Consult "man 5 passwd" etc


Version-Release number of selected component (if applicable):
passwd-0.79-4.el7.x86_64

How reproducible:
Always

Expected results:
- Relevant information should be provided by passwd

Additional info:

Comment 2 Daniele Palumbo 2019-03-07 14:45:33 UTC
Hi,

Let me add,
passwd(1)
"""
-S
    This will output a short information about the status of the password for a given account. Available to root user only.
"""
We expect therefore that also -S argument will provide relevant information of lack of password.

test ~ # grep ^root /etc/passwd
root::0:0:root:/root:/bin/bash
test ~ # passwd -S root
root PS 2017-12-09 0 99999 7 -1 (Password set, SHA512 crypt.)
usgnutl6fk5 ~ # chage -l root
Last password change                                    : Dec 09, 2017
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
test ~ #

Comment 3 amitkuma 2019-03-08 03:44:14 UTC
@Tomas @Jiri Kucera would it be possible to set up a call with Customer [daniele]?
Customer's timezone is {Europe/Paris}

Comment 4 Tomas Mraz 2019-03-08 10:38:33 UTC
This is a real bug in passwd as passwd -S should print correct information and not false one.

Also the password setting as in the item 4 in the description not having effect is a real bug in PAM and should be fixed. Amit, please open a new bug against PAM as PAM is the culprit here.
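
An audit for the mismatch reported in this bug, as an added example that is not part of the bug report or of the passwd package: it lists accounts whose /etc/passwd password field is empty or otherwise not 'x', and marks those whose /etc/shadow hash is therefore ignored. The function name, the finding labels and the sample entries (with placeholder hashes) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag accounts whose /etc/passwd password field is not "x".
# Usage: audit_passwd_field [PASSWD_FILE] [SHADOW_FILE]  (hypothetical name)
audit_passwd_field() {
    passwd_file=${1:-/etc/passwd}
    shadow_file=${2:-/etc/shadow}
    [ -r "$passwd_file" ] && [ -r "$shadow_file" ] || { echo "cannot read input files (run as root)" >&2; return 2; }
    awk -F: '
        # First file is shadow: remember the hash field per account.
        FILENAME == ARGV[1] { shadow[$1] = $2; next }
        NF < 7 { next }                      # skip blank or malformed passwd lines
        # Second file is passwd: "x" means the hash lives in shadow.
        $2 == "x" { next }
        $2 == "" {
            # Empty field: the case from the reproducer, shadow is not consulted.
            if (substr(shadow[$1], 1, 1) == "$") print $1, "EMPTY_FIELD_SHADOW_HASH_IGNORED"
            else                                 print $1, "EMPTY_FIELD_NO_PASSWORD"
            next
        }
        { print $1, "NON_X_VALUE_IN_PASSWD" }
    ' "$shadow_file" "$passwd_file"
}

# Constructed sample mirroring the reproducer; hashes are placeholders.
demo_audit() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'test2::1001:1001::/home/test2:/bin/bash' \
        'guest::1002:1002::/home/guest:/bin/bash' > "$d/passwd"
    printf '%s\n' 'root:$6$CONSTRUCTED$placeholder:17962:0:99999:7:::' \
        'test2:$6$CONSTRUCTED$placeholder:17962:0:99999:7:::' \
        'guest::17962:0:99999:7:::' > "$d/shadow"
    audit_passwd_field "$d/passwd" "$d/shadow"
    rm -rf "$d"
}
demo_audit
```

An account reported as EMPTY_FIELD_SHADOW_HASH_IGNORED is one where an unpatched `passwd -S` would still print "Password set", as in comment 2.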

Comment 8 amitkuma 2019-03-18 09:59:48 UTC
Dear Tomas,
||3. passwd -S shows incorrect information - this is bug, should be fixed - we can use this bz report for that fix
As you stated I would not be opening bug for 'passwd -S'

Comment 9 Tomas Mraz 2019-03-18 11:07:46 UTC
Yes, I think this bug can be used for the passwd -S issue.

Comment 10 amitkuma 2019-03-22 09:37:02 UTC
Dear Tomas,
Do you require any information from me?

Comment 11 Tomas Mraz 2019-03-22 10:12:40 UTC
No, I do not. Please note I am not the maintainer of passwd. It is now on Jiri.

Comment 15 amitkuma 2019-08-09 08:03:40 UTC
Hello,
Any updates here?

Comment 16 Jiri Kucera 2019-08-12 08:38:56 UTC
Fixed in passwd-0.79-6.el7.

Comment 17 amitkuma 2019-08-12 09:12:37 UTC
Hello,
What about RHBA of this particular bug in RHEL-8?
a. Do we need to clone this bugzilla for RHEL-8?

Comment 18 Jiri Kucera 2019-08-12 12:08:44 UTC
Hello,

thanks for the idea. I cloned this bugzilla for RHEL-8 (bz#1740168) and also filed bugzilla for Fedora (bz#1740166).

Comment 22 errata-xmlrpc 2020-03-31 19:45:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1058