rawhide report: 20070120 changes
Bernardo Innocenti
bernie at develer.com
Mon Jan 22 06:21:22 UTC 2007
On Saturday 20 January 2007 12:27, buildsys at redhat.com wrote:
> pam-0.99.7.0-1.fc7
> ------------------
> * Fri Jan 19 2007 Tomas Mraz <tmraz at redhat.com> 0.99.7.0-1
> - upgrade to new upstream version
> - drop pam_stack module as it is obsolete
> - some changes to silence rpmlint
Is it just me, or after this update can anybody and his dog
log in to any account without typing a valid password?
See:
bernie at bender:~$ su - openwrt
Password: <type anything>
openwrt at bender:~$
openwrt at bender:~$ logout
openwrt at bender:~$ logout
bender:/etc/pam.d# grep openwrt /etc/passwd /etc/shadow
/etc/passwd:openwrt:x:501:501:openwrt compiler:/usr/local/src/openwrt:/bin/bash
/etc/shadow:openwrt:!!:13529::::::
I installed this update yesterday evening, and today
there were already rootkits and IRC bots everywhere :)
My /etc/pam.d/system-auth looks sane to me:
---cut---
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
---cut---
--
// Bernardo Innocenti
\X/ bernie at codewiz.org
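
Added example (not part of the original post, and not Linux-PAM's own code): a simplified Python model of the four keyword control flags, run over the auth lines of the system-auth quoted above, that enumerates which module outcomes let the stack grant access. The function names are illustrative, and bracketed [value=action] controls are not modelled.

```python
from itertools import product

# The four auth lines of the /etc/pam.d/system-auth quoted in the post.
AUTH_STACK = """\
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
"""

def parse_stack(text, facility="auth"):
    """Return [(control, module)] for one facility of a pam.d file."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, results):
    """Apply the control flags; results maps module -> True on PAM_SUCCESS."""
    required_failed = any_success = False
    for control, module in stack:
        ok = results[module]
        if control == "sufficient":
            if ok and not required_failed:
                return True          # stop here, stack succeeds
            continue                 # a failed sufficient module is ignored
        if control not in ("required", "requisite", "optional"):
            raise ValueError(f"unmodelled control: {control}")
        if control == "optional":
            continue                 # simplification: never decides the result
        if ok:
            any_success = True
        elif control == "requisite":
            return False             # stop here, stack fails
        else:
            required_failed = True   # remember the failure, keep going
    return any_success and not required_failed

def granting_outcomes(stack, fixed):
    """Try every outcome of modules not in `fixed`; list those granting access."""
    free = [m for _, m in stack if m not in fixed]
    grants = []
    for combo in product([True, False], repeat=len(free)):
        results = dict(fixed, **dict(zip(free, combo)))
        if evaluate(stack, results):
            grants.append(dict(zip(free, combo)))
    return grants
```

With pam_env.so fixed to success and pam_deny.so fixed to failure, every granting outcome in this model has pam_unix.so reporting success, so the ordering of the stack is not what admits a wrong password.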