Bug 647143

Summary:	If console login, username with about 100 chars are not prompted for a passwd
Product:	[Fedora] Fedora	Reporter:	Joachim Backes <joachim.backes>
Component:	mingetty	Assignee:	Petr Pisar <ppisar>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	low
Version:	14	CC:	notting, plautrba, ppisar
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	mingetty-1.08-6.fc13	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:
Clones:	651955 (view as bug list)		Environment:
Last Closed:	2010-11-23 21:54:48 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Joachim Backes 2010-10-27 11:17:28 UTC

Description of problem:
Boot in some level, for example 3, and goto to some console. Enter about 100 (same) chars for the username (I did not check with fewer). After having pressed "enter", no password is requested, but after some secs, the system presents again the login dialog on that console (as there would be a wrong passwd).

The usage of the "login" command shows a different (correct) effect: The password is each time requested, independent from the length of the username.

Version-Release number of selected component (if applicable):
upstart-sysvinit-0.6.5-9.fc14.i686

How reproducible:
always

Steps to Reproduce:
1.Goto some console window
2.Enter 100 "m" chars for the username
3.press enter
  
Actual results:
no password is prompted for, but a new userid

Expected results:
System requests password

Additional info:
Different behaviour of the "login" command

Comment 1 Petr Pisar 2010-10-27 13:11:54 UTC

(1) Mingetty limits login name to 39 characters. If user supplies longer one, error is reported to syslog, no error message is printed on TTY (security concerns), and mingetty terminates after 5 seconds.

If you think user should be informed about exceeding length, we can start to talk about modifying current code.

(2) From point of view of mingetty, long login name is fatal internal error, thus it cannot continue by executing login (the name would be clamped and user mislead thinking PAM got full login string).

Fatal errors cannot be overcome, this is a feature making your bug report invalid.

Comment 2 Joachim Backes 2010-10-27 13:43:19 UTC

(In reply to comment #1)
> (1) Mingetty limits login name to 39 characters. If user supplies longer one,
> error is reported to syslog, no error message is printed on TTY (security
> concerns), and mingetty terminates after 5 seconds.
> 
> If you think user should be informed about exceeding length, we can start to
> talk about modifying current code.

No need for this.

But is that limit (39 chars) described anywhere? neither "man mingetty" says anything about that limit, nor "/etc/init/start-ttys.conf".

> 
> (2) From point of view of mingetty, long login name is fatal internal error,
> thus it cannot continue by executing login (the name would be clamped and user
> mislead thinking PAM got full login string).

Cutting the name so only the first 39 chars are used could be an option.

> 
> Fatal errors cannot be overcome, this is a feature making your bug report
> invalid.

Comment 3 Petr Pisar 2010-10-27 14:07:59 UTC

The limit is not documented (there are similar limitations to TTY name etc.).

Cutting login name is bad idea as login(1) would get different data than user supplied. I'm strongly against silent mangling.

Comment 4 Petr Pisar 2010-10-27 18:01:57 UTC

POSIX mandates 9 bytes minimal length including trailing '\0' (limits.h:_POSIX_LOGIN_NAME_MAX). Current GNU/Linux run time limit is 256  (getconf LOGIN_NAME_MAX).

I will prepare patch to fulfill the run time limit.

Comment 5 Fedora Update System 2010-11-10 16:52:06 UTC

mingetty-1.08-6.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/mingetty-1.08-6.fc14

Comment 6 Fedora Update System 2010-11-10 16:52:23 UTC

mingetty-1.08-6.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/mingetty-1.08-6.fc13

Comment 7 Fedora Update System 2010-11-10 16:52:36 UTC

mingetty-1.08-6.fc12 has been submitted as an update for Fedora 12.
https://admin.fedoraproject.org/updates/mingetty-1.08-6.fc12

Comment 8 Fedora Admin XMLRPC Client 2010-11-11 15:45:59 UTC

This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 9 Fedora Update System 2010-11-11 22:15:41 UTC

mingetty-1.08-6.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update mingetty'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/mingetty-1.08-6.fc12

Comment 10 Fedora Update System 2010-11-23 21:54:42 UTC

mingetty-1.08-6.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2011-01-10 21:29:31 UTC

mingetty-1.08-6.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Joachim Backes 2011-01-11 07:11:46 UTC

mingetty-1.08-6.fc14 runs as expected. Thank you.