Bug 67408
Summary: | 'su -' fails on expired passwords -- even as root on system-accounts | | |
---|---|---|---|
Product: | [Retired] Red Hat Linux | Reporter: | Enrico Scholz <rh-bugzilla> |
Component: | shadow-utils | Assignee: | Eido Inoue <havill> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
Severity: | high | Priority: | medium |
Version: | 8.0 | CC: | nalin |
Hardware: | i386 | OS: | Linux |
Doc Type: | Bug Fix | Last Closed: | 2004-10-27 19:22:22 UTC |
Description
Enrico Scholz
2002-06-24 16:58:52 UTC
What does your /etc/pam.d/su say?

---- /etc/pam.d/su

```
#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/pam_wheel.so use_uid
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_xauth.so
```

---- /etc/pam.d/system-auth

```
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow nis
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
```

Looking into it right now.

Read ya, Phil

OK, it's quite clearly a pam problem, so I'm reassigning it. The module pam_unix_acct doesn't handle aging of accounts with empty passwords as one would intuitively think it should.

Read ya, Phil

I'm reassigning this bug to the actual owner of PAM. Have been in discussion with him and proposed a solution but let him take care of it.

Read ya, Phil

The pam_unix module can't know whether an account has an empty (or rather, a locked) password because it's a system account or because the user legitimately has no password. It seems to me that we shouldn't be using aging when we create system accounts, which should be the case in shadow-utils-20000902-11 and later.

I do not think that this is a shadow-utils issue only, because a changed shadow-utils affects newly created accounts only. Existing RH 6 or 7 systems may have dozens of expired system-accounts and there should exist a way to use them after an upgrade also. Perhaps adding

```
account sufficient /lib/security/pam_rootok.so
```

to /etc/pam.d/su and extending pam_rootok.so might be a better solution?

Reopening this to address issues expressed in the last post.

enrico: this isn't really a new problem in Milan, is it?

Mmmh, I saw the broken reboot after upgrading pam/sh-utils so I thought it was introduced in the beta. After your question I tried it on RH 7.3 and it happens there also. Probably the upgrade happened when the accounts expired so it is really an old problem.
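Added example, not part of the original bug thread or of any Red Hat tool: a Python audit that finds the accounts this report is about, that is, locked or passwordless entries whose shadow(5) aging fields have lapsed. The sample entries and the function name `audit` are constructed for illustration, and the checks follow the shadow(5) field meanings rather than pam_unix's exact logic.

```python
"""Flag locked/passwordless accounts whose shadow aging has lapsed."""
from datetime import date

# Constructed sample in shadow(5) format; on a real host read /etc/shadow as root.
SAMPLE_SHADOW = """\
root:$1$constructed$hash:11800:0:99999:7:::
bin:*:11000:0:90:7:::
daemon:*:11800:0:99999:7:::
news:!!:11000:0:60:7:10::
rpm:!!:11850::::::
alice:$1$constructed$hash:11000:0:30:7:::
ftp:*:11800:0:99999:7::11500:
"""

def _num(field):
    # Empty (or non-numeric, e.g. "-1") fields are treated as "not set".
    return int(field) if field.isdigit() else None

def audit(shadow_text, today_days=None):
    """Return [(name, [reasons])] for accounts with no usable password
    (empty, or starting with '!' or '*') that the aging fields mark as lapsed."""
    if today_days is None:
        today_days = (date.today() - date(1970, 1, 1)).days
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 8:
            continue
        name, pw = fields[0], fields[1]
        if pw and not pw.startswith(("!", "*")):
            continue  # real password hash: ordinary user, aging is intended
        lastchg, _min, maxage, _warn, _inact, expire = map(_num, fields[2:8])
        reasons = []
        if expire is not None and today_days >= expire:
            reasons.append("account expired")
        if lastchg == 0:
            reasons.append("password change forced")
        elif None not in (lastchg, maxage) and today_days > lastchg + maxage:
            reasons.append("password aged out")
        if reasons:
            findings.append((name, reasons))
    return findings

if __name__ == "__main__":
    # 11862 is 2002-06-24 (the report date) in days since 1970-01-01.
    for name, reasons in audit(SAMPLE_SHADOW, 11862):
        print(f"{name}: {', '.join(reasons)}")
```

For an account the audit flags, `chage -M -1 -E -1 <account>` removes the maximum-age and expiry settings, which matches the thread's point that system accounts should not use aging.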