Bug 54519 - login with no password allowed for administrative users with bang or star in shadow
Summary: login with no password allowed for administrative users with bang or star in ...
Alias: None
Product: Red Hat Raw Hide
Classification: Retired
Component: pam   
(Show other bugs)
Version: 1.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Aaron Brown
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2001-10-10 21:29 UTC by Bernie Innocenti
Modified: 2007-03-27 03:49 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-10-14 22:50:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Bernie Innocenti 2001-10-10 21:29:26 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)

Description of problem:
After upgrading to pam-0.75-12 it's possible to log into the
system with any admistrative account such as uucp or operator,
provided they have a valid login shell and despite the
presence of a star (*) or double bang (!!) in their
/etc/shadow password field.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. It works from the console and also with su
   (not with ssh because empty passwords are
   disallowed by default)
2. If password is requested, just hit enter
3. On some setups, the system users might have an
   expired password and login will ask to change the
   password before proceeding.

Actual Results:  Any unauthorized user can (remotely) log into the 
machine with
unusually high privileges (not root's, but almost as dangerous).

Expected Results:  The default action for a disabled passwords should be 
to refuse logins. Logins work fine for uses with valid passwords.

Additional info:

Reverting to pam-0.75-4 should fix the problem. I couldn't test it since 
this package is no longer available in the RawHide ftp site and the 
roswell directory is currently unaccessible (permissions 600).
However, I was able to confirm that another system still running 0.75-4 
was not vulnerable and started to behave as described as soon as PAM was 
upgraded to -12.

Comment 1 Bernie Innocenti 2001-10-14 22:50:00 UTC
Please review this report as soon as possible. It's either some
subtle configuration mistake of my own or a very serious issue.
In either case, a system that was previously secure has been
compromised by upgrading a single RPM package, so it shouldn't be

Comment 2 Nalin Dahyabhai 2001-10-31 20:22:47 UTC
This bug was fixed in pam-0.75-14 and later.  Thanks!

Note You need to log in before you can comment on or make changes to this bug.