Bug 732191 - privileged operations don't work because user "monkeysphere" has /sbin/nologin as shell
Summary: privileged operations don't work because user "monkeysphere" has /sbin/nologi...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: monkeysphere
Version: 17
Hardware: Unspecified
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Patrick Uiterwijk
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-08-20 14:10 UTC by Sascha Silbe
Modified: 2012-07-27 09:54 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-07-27 09:54:06 UTC


Attachments (Terms of Use)

Description Sascha Silbe 2011-08-20 14:10:15 UTC
User-Agent:       w3m/0.5.2+cvs-1.1039

When trying to set up monkeysphere, it fails with an error:

[silbe@bs-f14-i386 ~]$ sudo monkeysphere-authentication add-identity-certifier 691BE3B4E1F06FCAF855B0F0E3F7D14E34440BEC
ms: setting up Monkeysphere authentication trust core...
This account is currently not available.
[silbe@bs-f14-i386 ~]$

Monkeysphere uses "su monkeysphere -c <command>" (see su_monkeysphere_user() in
/usr/share/monkeysphere/common). This fails because the user "monkeysphere" has
been created with /sbin/nologin as shell:

[silbe@bs-f14-i386 ~]$ grep monkeysphere /etc/passwd
monkeysphere:x:498:497:Monkeysphere authentication user:/var/lib/monkeysphere:/sbin/nologin

One option would be to set /bin/sh as shell. Another would be to replace the
use of "su" with "sudo". The latter doesn't use the login shell:

[root@bs-f14-i386 ~]# sudo -u monkeysphere echo foo
foo
[root@bs-f14-i386 ~]#



Reproducible: Always

Steps to Reproduce:
1. sudo monkeysphere-authentication add-identity-certifier 691BE3B4E1F06FCAF855B0F0E3F7D14E34440BEC

Actual Results:  
ms: setting up Monkeysphere authentication trust core...
This account is currently not available.



Expected Results:  
Add 691BE3B4E1F06FCAF855B0F0E3F7D14E34440BEC as an identity verifier.

Comment 1 Jeffrey C. Ollie 2011-10-14 16:36:53 UTC
I'm seeing this as well...  I changed the shell to bash to work around this:

usermod -s /bin/bash monkeysphere

I'm not sure what the long-term security implications are though.

Comment 2 Bernie Innocenti 2011-10-14 23:51:41 UTC
I apologize for not responding earlier. I've not been using Fedora very much lately. If someone would like to take over the maintenance of the monkeysphere package, I'll orphan it in pkgdb.

Comment 3 Patrick Uiterwijk 2012-07-12 07:53:00 UTC
I have just taken over this package from orphaned state, and will be looking into this bug, and fixing it, soon.

Comment 4 Patrick Uiterwijk 2012-07-18 11:44:22 UTC
The fix for this bug should be landing in updates-testing soon.

Comment 5 Fedora Update System 2012-07-18 11:59:21 UTC
monkeysphere-0.35-5.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/monkeysphere-0.35-5.fc16

Comment 6 Fedora Update System 2012-07-18 11:59:38 UTC
monkeysphere-0.35-5.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/monkeysphere-0.35-5.fc17

Comment 7 Fedora Update System 2012-07-19 08:59:23 UTC
Package monkeysphere-0.35-5.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing monkeysphere-0.35-5.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10773/monkeysphere-0.35-5.fc16
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2012-07-27 09:54:06 UTC
monkeysphere-0.35-5.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2012-07-27 09:54:46 UTC
monkeysphere-0.35-5.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.