Bug 9176 - passwd fails to change empty passwd field, misreports
passwd fails to change empty passwd field, misreports
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: passwd (Show other bugs)
6.1
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2000-02-07 07:49 EST by Grant Basham
Modified: 2008-05-01 11:37 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-01-27 18:41:12 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Grant Basham 2000-02-07 07:49:05 EST
This is similar to bug report 6599

I run a script to install users on multiple RedHat linux and other machines
at my site.  I do not use Shadow or MD5.  I run YP modified to handle a
passwd database not at the standard path location.

I create a passwd database entry with an empty passwd field and write it to
the normal database.  I run 'passwd' to add a password for the user and
the 'passwd' program reports that the passwd is properly updated.  On
inspection, there is no change in the passwd database.

The password record in the passwd database is then distributed to a number
of systems where our users get accounts.  Some of these accounts are not on
Linux nodes and will allow login to an account with an empty passwd field.
Because of this bug (and my poor checking) I ran some accounts for several
days where no-passwrd access was allowed to an account that was supposed to
be passwd protected.  This bug in passwd is a change from 6.0, explicitly
misreports what has happened, and can have security implications in a
working computer environment.  I consider it a severe error.
Comment 1 Cristian Gafton 2000-05-22 11:36:59 EDT
assigned to nalin
Comment 2 Stephen John Smoogen 2003-01-24 18:48:55 EST
Please check to see if this bug has been fixed in the latest releases (Red Hat
Linux 7.3 or 8.0). There have been several changes to the code that could have
hiddenly fixed it.
Comment 3 Stephen John Smoogen 2003-01-27 18:41:12 EST
Bug has been listed as closed for several releases.

Note You need to log in before you can comment on or make changes to this bug.