rawhide report: 20070120 changes

Bernardo Innocenti bernie at develer.com
Mon Jan 22 06:21:22 UTC 2007

On Saturday 20 January 2007 12:27, buildsys at redhat.com wrote:

> pam-
> ------------------
> * Fri Jan 19 2007 Tomas Mraz <tmraz at redhat.com>
> - upgrade to new upstream version
> - drop pam_stack module as it is obsolete
> - some changes to silence rpmlint

Is it just me or after this update anybody and his dog can
login without typing a valid password in any account?


 bernie at bender:~$ su - openwrt
 Password: <type anything>
 openwrt at bender:~$
 openwrt at bender:~$ logout
 openwrt at bender:~$ logout
 bender:/etc/pam.d# grep openwrt /etc/passwd /etc/shadow 
 /etc/passwd:openwrt:x:501:501:openwrt compiler:/usr/local/src/openwrt:/bin/bash

I've installed this update yesterday in the evening and today
there were already rootkits and irc bots everywhere :)

My /etc/pam.d/system-auth looks sane to me:

auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

   // Bernardo Innocenti
 \X/  bernie at codewiz.org

More information about the fedora-devel-list mailing list