Bug 732191

Summary: privileged operations don't work because user "monkeysphere" has /sbin/nologin as shell
Product: [Fedora] Fedora
Component: monkeysphere
Version: 17
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Hardware: Unspecified
OS: Linux
Reporter: Sascha Silbe <sascha-web-bugzilla.redhat.com>
Assignee: Patrick Uiterwijk <puiterwijk>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: bernie+fedora, jeff, puiterwijk
Doc Type: Bug Fix
Last Closed: 2012-07-27 09:54:06 UTC

Description Sascha Silbe 2011-08-20 14:10:15 UTC
User-Agent:       w3m/0.5.2+cvs-1.1039

When trying to set up monkeysphere, it fails with an error:

[silbe@bs-f14-i386 ~]$ sudo monkeysphere-authentication add-identity-certifier 691BE3B4E1F06FCAF855B0F0E3F7D14E34440BEC
ms: setting up Monkeysphere authentication trust core...
This account is currently not available.
[silbe@bs-f14-i386 ~]$

Monkeysphere uses "su monkeysphere -c <command>" (see su_monkeysphere_user() in
/usr/share/monkeysphere/common). This fails because the user "monkeysphere" has
been created with /sbin/nologin as shell:

[silbe@bs-f14-i386 ~]$ grep monkeysphere /etc/passwd
monkeysphere:x:498:497:Monkeysphere authentication user:/var/lib/monkeysphere:/sbin/nologin

One option would be to set /bin/sh as shell. Another would be to replace the
use of "su" with "sudo". The latter doesn't use the login shell:

[root@bs-f14-i386 ~]# sudo -u monkeysphere echo foo
foo
[root@bs-f14-i386 ~]#



Reproducible: Always

Steps to Reproduce:
1. sudo monkeysphere-authentication add-identity-certifier 691BE3B4E1F06FCAF855B0F0E3F7D14E34440BEC

Actual Results:  
ms: setting up Monkeysphere authentication trust core...
This account is currently not available.



Expected Results:  
Add 691BE3B4E1F06FCAF855B0F0E3F7D14E34440BEC as an identity verifier.

Comment 1 Jeffrey C. Ollie 2011-10-14 16:36:53 UTC
I'm seeing this as well...  I changed the shell to bash to work around this:

usermod -s /bin/bash monkeysphere

I'm not sure what the long-term security implications are though.
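
The nologin failure from the description and the usermod workaround from Comment 1, as an added example that is not part of this bug report and is not Monkeysphere or Fedora code: audit_accounts flags system accounts that can start a shell, and su_plan picks an su form that leaves a nologin shell in place. The function names and the UID boundary of 1000 are assumptions; su honours -s for a nologin account only when the caller is root.

```shell
#!/bin/sh
# Added example, not Monkeysphere or Fedora code. Function names are hypothetical.

# True when the shell refuses to run commands, so "su USER -c CMD" fails
# with "This account is currently not available."
is_nologin_shell() {
    case "$1" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_accounts FILE [UID_LIMIT]
# One line per non-root account with UID below UID_LIMIT:
#   "<name> locked"       shell refuses commands
#   "<name> interactive"  account can start a shell (e.g. after usermod -s)
audit_accounts() {
    limit=${2:-1000}   # assumed system-UID boundary; see UID_MIN in login.defs
    while IFS=: read -r name pw uid gid gecos home shell; do
        case "$uid" in ''|*[!0-9]*) continue ;; esac   # skip malformed lines
        [ "$uid" -gt 0 ] && [ "$uid" -lt "$limit" ] || continue
        if is_nologin_shell "$shell"; then
            echo "$name locked"
        else
            echo "$name interactive"
        fi
    done < "$1"
}

# su_plan FILE USER
# Prints the su form a root-run wrapper could use for USER: plain su when
# the shell is usable, "su -s /bin/sh" (per-call override, honoured for
# root) when it is nologin. Returns 1 if USER is not in FILE.
su_plan() {
    shell=$(awk -F: -v u="$2" '$1 == u { print $7; found = 1; exit }
                               END { if (!found) exit 1 }' "$1") || return 1
    if is_nologin_shell "$shell"; then
        echo "su -s /bin/sh $2 -c"
    else
        echo "su $2 -c"
    fi
}
```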

Comment 2 Bernie Innocenti 2011-10-14 23:51:41 UTC
I apologize for not responding earlier. I've not been using Fedora very much lately. If someone would like to take over the maintenance of the monkeysphere package, I'll orphan it in pkgdb.

Comment 3 Patrick Uiterwijk 2012-07-12 07:53:00 UTC
I have just taken over this package from orphaned state, and will be looking into this bug, and fixing it, soon.

Comment 4 Patrick Uiterwijk 2012-07-18 11:44:22 UTC
The fix for this bug should be landing in updates-testing soon.

Comment 5 Fedora Update System 2012-07-18 11:59:21 UTC
monkeysphere-0.35-5.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/monkeysphere-0.35-5.fc16

Comment 6 Fedora Update System 2012-07-18 11:59:38 UTC
monkeysphere-0.35-5.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/monkeysphere-0.35-5.fc17

Comment 7 Fedora Update System 2012-07-19 08:59:23 UTC
Package monkeysphere-0.35-5.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing monkeysphere-0.35-5.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10773/monkeysphere-0.35-5.fc16
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2012-07-27 09:54:06 UTC
monkeysphere-0.35-5.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2012-07-27 09:54:46 UTC
monkeysphere-0.35-5.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.