Bug 647143 - If console login, username with about 100 chars are not prompted for a passwd
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: mingetty
Version: 14
Hardware: Unspecified
OS: Unspecified
low
medium
Assignee: Petr Pisar
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-10-27 11:17 UTC by Joachim Backes
Modified: 2011-01-11 07:11 UTC

Fixed In Version: mingetty-1.08-6.fc13
Doc Type: Bug Fix
Clone Of:
: 651955 (view as bug list)
Last Closed: 2010-11-23 21:54:48 UTC



Description Joachim Backes 2010-10-27 11:17:28 UTC
Description of problem:
Boot in some level, for example 3, and go to some console. Enter about 100 (same) chars for the username (I did not check with fewer). After having pressed "enter", no password is requested, but after some secs, the system presents again the login dialog on that console (as there would be a wrong passwd).

The usage of the "login" command shows a different (correct) effect: The password is each time requested, independent from the length of the username.

Version-Release number of selected component (if applicable):
upstart-sysvinit-0.6.5-9.fc14.i686

How reproducible:
always

Steps to Reproduce:
1. Go to some console window
2. Enter 100 "m" chars for the username
3. Press enter

Actual results:
no password is prompted for, but a new userid

Expected results:
System requests password

Additional info:
Different behaviour of the "login" command

Comment 1 Petr Pisar 2010-10-27 13:11:54 UTC
(1) Mingetty limits login name to 39 characters. If user supplies longer one, error is reported to syslog, no error message is printed on TTY (security concerns), and mingetty terminates after 5 seconds.

If you think user should be informed about exceeding length, we can start to talk about modifying current code.

(2) From point of view of mingetty, long login name is fatal internal error, thus it cannot continue by executing login (the name would be clamped and user misled into thinking PAM got full login string).

Fatal errors cannot be overcome, this is a feature making your bug report invalid.

Comment 2 Joachim Backes 2010-10-27 13:43:19 UTC
(In reply to comment #1)
> (1) Mingetty limits login name to 39 characters. If user supplies longer one,
> error is reported to syslog, no error message is printed on TTY (security
> concerns), and mingetty terminates after 5 seconds.
> 
> If you think user should be informed about exceeding length, we can start to
> talk about modifying current code.

No need for this.

But is that limit (39 chars) described anywhere? Neither "man mingetty" says anything about that limit, nor "/etc/init/start-ttys.conf".

> 
> (2) From point of view of mingetty, long login name is fatal internal error,
> thus it cannot continue by executing login (the name would be clamped and user
> misled into thinking PAM got full login string).

Cutting the name so only the first 39 chars are used could be an option.

> 
> Fatal errors cannot be overcome, this is a feature making your bug report
> invalid.

Comment 3 Petr Pisar 2010-10-27 14:07:59 UTC
The limit is not documented (there are similar limitations to TTY name etc.).

Cutting login name is bad idea as login(1) would get different data than user supplied. I'm strongly against silent mangling.

Comment 4 Petr Pisar 2010-10-27 18:01:57 UTC
POSIX mandates 9 bytes minimal length including trailing '\0' (limits.h:_POSIX_LOGIN_NAME_MAX). Current GNU/Linux run time limit is 256 (getconf LOGIN_NAME_MAX).

I will prepare patch to fulfill the run time limit.
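
The policy argued in comments 1 to 4 (size the buffer from the run-time limit, reject an overlong name whole, never hand a clamped prefix to login(1)), as an added example that is not mingetty's code or the actual patch. All function names are hypothetical, the 40-byte buffer models the 39-character limit from comment 1, and the input is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Run-time limit, '\0' included (what `getconf LOGIN_NAME_MAX` prints);
 * falls back to the POSIX minimum if the system reports none. */
static size_t login_name_max(void) {
    long n = sysconf(_SC_LOGIN_NAME_MAX);
    return n > 0 ? (size_t)n : (size_t)_POSIX_LOGIN_NAME_MAX;
}

/* Read one line from fd into buf (cap bytes, '\0' included). Returns the name
 * length, or -1 if it did not fit: the line is drained and buf is cleared. */
static long read_login_name(int fd, char *buf, size_t cap) {
    size_t len = 0;
    int too_long = (cap == 0);
    char c;
    while (read(fd, &c, 1) == 1 && c != '\n') {
        too_long = too_long || len + 1 >= cap;   /* no room for c and '\0' */
        if (!too_long)
            buf[len++] = c;
    }
    if (cap > 0)
        buf[too_long ? 0 : len] = '\0';          /* never keep a clamped prefix */
    return too_long ? -1 : (long)len;
}

/* Constructed input: n copies of ch plus '\n', fed through a pipe. */
static long try_name(char ch, size_t n, char *buf, size_t cap) {
    char line[512];
    int p[2];
    long r = -2;                                 /* -2: demo setup failed */
    if (n < sizeof line && pipe(p) == 0) {
        memset(line, ch, n);
        line[n] = '\n';
        if (write(p[1], line, n + 1) == (ssize_t)(n + 1))
            r = read_login_name(p[0], buf, cap);
        close(p[0]); close(p[1]);
    }
    return r;
}

static char name_buf[512];

int main(void) {
    size_t max = login_name_max() < sizeof name_buf ? login_name_max() : sizeof name_buf;
    printf("100 x 'm', 40-byte buffer: %ld\n", try_name('m', 100, name_buf, 40));
    printf("100 x 'm', %zu-byte buffer: %ld\n", max, try_name('m', 100, name_buf, max));
    return 0;
}
```

A return of -1 is the case the reporter hit: the caller logs to syslog and restarts the prompt instead of running login(1) with a name the user did not type.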

Comment 5 Fedora Update System 2010-11-10 16:52:06 UTC
mingetty-1.08-6.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/mingetty-1.08-6.fc14

Comment 6 Fedora Update System 2010-11-10 16:52:23 UTC
mingetty-1.08-6.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/mingetty-1.08-6.fc13

Comment 7 Fedora Update System 2010-11-10 16:52:36 UTC
mingetty-1.08-6.fc12 has been submitted as an update for Fedora 12.
https://admin.fedoraproject.org/updates/mingetty-1.08-6.fc12

Comment 8 Fedora Admin XMLRPC Client 2010-11-11 15:45:59 UTC
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

Comment 9 Fedora Update System 2010-11-11 22:15:41 UTC
mingetty-1.08-6.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update mingetty'
You can provide feedback for this update here: https://admin.fedoraproject.org/updates/mingetty-1.08-6.fc12

Comment 10 Fedora Update System 2010-11-23 21:54:42 UTC
mingetty-1.08-6.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2011-01-10 21:29:31 UTC
mingetty-1.08-6.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Joachim Backes 2011-01-11 07:11:46 UTC
mingetty-1.08-6.fc14 runs as expected. Thank you.

