Debian Bug report logs - #274229
base-passwd sets shell for www-data

version graph

Package: base-passwd; Maintainer for base-passwd is Colin Watson <cjwatson@debian.org>; Source for base-passwd is src:base-passwd.

Reported by: David Cantrell <david@cantrell.org.uk>

Date: Thu, 30 Sep 2004 13:33:02 UTC

Severity: normal

Tags: patch, security

Merged with 330882, 581899

Found in versions 3.5.8, base-passwd/3.5.10, base-passwd/3.5.20, base-passwd/3.5.22

Fixed in version base-passwd/3.5.30

Done: Colin Watson <cjwatson@debian.org>

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#274229; Package base-passwd. Full text and rfc822 format available.

Acknowledgement sent to David Cantrell <david@cantrell.org.uk>:
New Bug report received and forwarded. Copy sent to Colin Watson <cjwatson@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: David Cantrell <david@cantrell.org.uk>
To: submit@bugs.debian.org
Subject: base-passwd sets shell for www-data
Date: Thu, 30 Sep 2004 14:26:09 +0100
Package: base-passwd
Version: 3.5.8

When upgrading base-passwd, it recommends that user www-data's
shell is changed to /bin/sh.

IMO this represents a security risk.  Special users set up for services
should not have a shell.

-- 
David Cantrell | http://www.cantrell.org.uk/david

One person can change the world, but most of the time they shouldn't
    -- Marge Simpson



Information forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#274229; Package base-passwd. (Thu, 12 Feb 2009 10:51:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Chris Carr <rantingman@gmail.com>:
Extra info received and forwarded to list. Copy sent to Colin Watson <cjwatson@debian.org>. (Thu, 12 Feb 2009 10:51:06 GMT) Full text and rfc822 format available.

Message #10 received at 274229@bugs.debian.org (full text, mbox):

From: Chris Carr <rantingman@gmail.com>
To: Debian Bug Tracking System <274229@bugs.debian.org>
Subject: base-passwd: This bug is now considerably worse in 3.5.20
Date: Thu, 12 Feb 2009 10:46:43 +0000
Package: base-passwd
Version: 3.5.20
Followup-For: Bug #274229


base-passwd now tries to set real shells for all sorts of users who 
should not have them:

----BEGIN PASTE----
Preparing to replace base-passwd 3.5.19 (using 
.../base-passwd_3.5.20_i386.deb) ...
Unpacking replacement base-passwd ...
Processing triggers for man-db ...
Setting up base-passwd (3.5.20) ...

update-passwd has found some differences between your system accounts
and the current Debian defaults. It is advisable to allow update-passwd
to change your system; without those changes some packages might not 
work
correctly.  For more documentation on the Debian account policies please
see /usr/share/doc/base-passwd/README.

The list of proposed changes is:

Changing shell of daemon from /bin/false to /bin/sh
Changing shell of bin from /bin/false to /bin/sh
Changing shell of sys from /bin/false to /bin/sh
Changing shell of games from /bin/false to /bin/sh
Changing shell of man from /bin/false to /bin/sh
Changing shell of lp from /bin/false to /bin/sh
Changing shell of mail from /bin/false to /bin/sh
Changing shell of news from /bin/false to /bin/sh
Changing shell of uucp from /bin/false to /bin/sh
Changing shell of proxy from /bin/false to /bin/sh
Changing shell of www-data from /bin/false to /bin/sh
Changing shell of backup from /bin/false to /bin/sh
Changing shell of list from /bin/false to /bin/sh
Changing shell of irc from /bin/false to /bin/sh
Changing GECOS of gnats from "Gnats Bug-Reporting System " to "Gnats 
Bug-Reporting System (admin)".
Changing shell of gnats from  to /bin/sh
Changing shell of nobody from /bin/false to /bin/sh
Would commit 17 changes

It is highly recommended that you allow update-passwd to make these 
changes (a backup file of modified files is made with the extension .org 
so you can always restore the current settings).

May I update your system? [Y/n] n

Okay, I will not update your system. If you want to make this update 
later please check the update-passwd utility.
----END PASTE----

-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages base-passwd depends on:
ii  libc6                         2.7-18     GNU C Library: Shared libraries

base-passwd recommends no packages.

base-passwd suggests no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#274229; Package base-passwd. (Thu, 12 Feb 2009 11:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. (Thu, 12 Feb 2009 11:09:03 GMT) Full text and rfc822 format available.

Message #15 received at 274229@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: Chris Carr <rantingman@gmail.com>, 274229@bugs.debian.org
Subject: Re: Bug#274229: base-passwd: This bug is now considerably worse in 3.5.20
Date: Thu, 12 Feb 2009 11:07:29 +0000
On Thu, Feb 12, 2009 at 10:46:43AM +0000, Chris Carr wrote:
> Package: base-passwd
> Version: 3.5.20
> Followup-For: Bug #274229
> 
> base-passwd now tries to set real shells for all sorts of users who 
> should not have them:

None of this has changed at all for years, as you can verify from
revision control; this bug has not got worse recently. It's only that
(as always) base-passwd nags you about differences on every upgrade
rather than learning to accept the change. This is a bug, but it hasn't
regressed recently.

-- 
Colin Watson                                       [cjwatson@debian.org]




Information forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#274229; Package base-passwd. (Thu, 12 Feb 2009 11:12:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Chris Carr" <rantingman@gmail.com>:
Extra info received and forwarded to list. Copy sent to Colin Watson <cjwatson@debian.org>. (Thu, 12 Feb 2009 11:12:02 GMT) Full text and rfc822 format available.

Message #20 received at 274229@bugs.debian.org (full text, mbox):

From: "Chris Carr" <rantingman@gmail.com>
To: "'Colin Watson'" <cjwatson@debian.org>, <274229@bugs.debian.org>
Subject: RE: Bug#274229: base-passwd: This bug is now considerably worse in3.5.20
Date: Thu, 12 Feb 2009 11:09:05 -0000
> -----Original Message-----
> From: Colin Watson [mailto:cjwatson@debian.org] 
> Sent: 12 February 2009 11:07
> To: Chris Carr; 274229@bugs.debian.org
> Subject: Re: Bug#274229: base-passwd: This bug is now 
> considerably worse in3.5.20
> 
> On Thu, Feb 12, 2009 at 10:46:43AM +0000, Chris Carr wrote:
> > Package: base-passwd
> > Version: 3.5.20
> > Followup-For: Bug #274229
> > 
> > base-passwd now tries to set real shells for all sorts of users who 
> > should not have them:
> 
> None of this has changed at all for years, as you can verify from
> revision control; this bug has not got worse recently. It's only that
> (as always) base-passwd nags you about differences on every upgrade
> rather than learning to accept the change. This is a bug, but 
> it hasn't regressed recently.

My apologies - I meant merely to highlight that the situation is worse than
was previously recorded on the BTS. I did not mean to imply that anything
had changed recently. 

CC





Severity set to 'wishlist' from 'normal' Request was from Colin Watson <cjwatson@debian.org> to control@bugs.debian.org. (Mon, 17 May 2010 10:51:02 GMT) Full text and rfc822 format available.

Forcibly Merged 274229 330882 581899. Request was from Colin Watson <cjwatson@debian.org> to control@bugs.debian.org. (Mon, 17 May 2010 10:51:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#274229; Package base-passwd. (Wed, 07 Jul 2010 19:12:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Colin Watson <cjwatson@debian.org>. (Wed, 07 Jul 2010 19:12:06 GMT) Full text and rfc822 format available.

Message #29 received at 274229@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: 274229@bugs.debian.org
Subject: Re: Bug#274229: base-passwd sets shell for www-data
Date: Wed, 07 Jul 2010 12:09:01 -0700
Is there any progress or any ongoing discussion about this set of merged
bugs?

I got asked in a security audit again last month why all of our Debian
systems have /bin/sh as the shell for accounts that should never allow
logins.  I realize that they're disabled in /etc/shadow, but depending on
one's PAM configuration that may or may not be sufficiently effective.

This can be an annoying issue at sites that use an enterprise-wide
authentication system, such as Kerberos, since all of the random users
created by the base passwd file on various different platforms may not be
reserved from use as Kerberos principals.  In combination with a change to
the minimum_uid setting in libpam-krb5 (because one has legacy local UIDs
in the reserved space, for instance), it can be possible to enable shell
logins to these accounts without meaning to.

I realize that the security implications here are obscure and only happen
in combination with other factors, but there's really no reason for all of
these accounts to have /bin/sh shells by default.  The number of cases
when one really wants to su to that account to check something is very
small, and there are various other ways of doing that even if they have
nologin or /bin/false or something similar as a shell.

Could we please change the shells of all of the following users to
/usr/sbin/nologin?

daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

Other distributions have done this and it's generally considered (by
auditors, for example) as an industry best practice and a variance if it's
not done.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>




Information forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#274229; Package base-passwd. (Mon, 22 Nov 2010 00:18:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stellan Klebom <stellan@klebom.net>:
Extra info received and forwarded to list. Copy sent to Colin Watson <cjwatson@debian.org>. (Mon, 22 Nov 2010 00:18:02 GMT) Full text and rfc822 format available.

Message #34 received at 274229@bugs.debian.org (full text, mbox):

From: Stellan Klebom <stellan@klebom.net>
To: 274229@bugs.debian.org
Subject: My system got exploited through the daemon system account due to a shell was configured in /etc/passwd
Date: Mon, 22 Nov 2010 01:13:58 +0100
> I got asked in a security audit again last month why all of our Debian
> systems have /bin/sh as the shell for accounts that should never allow
> logins.  I realize that they're disabled in /etc/shadow, but depending on
> one's PAM configuration that may or may not be sufficiently effective.

My debian server was compromised due to the daemon account having a 
valid login shell and having samba open for internet access. The break 
in was made by setting a password remotly via samba for the daemon 
account and the logging in through ssh. Some local root exploit was then 
used to OWN my server...

Stellan





Added tag(s) security. Request was from Piotr Engelking <inkerman42@gmail.com> to control@bugs.debian.org. (Sat, 07 May 2011 20:21:03 GMT) Full text and rfc822 format available.

Severity set to 'normal' from 'wishlist' Request was from Nathanael Nerode <neroden@fastmail.fm> to control@bugs.debian.org. (Sun, 08 Jul 2012 16:48:04 GMT) Full text and rfc822 format available.

Added tag(s) patch. Request was from Nathanael Nerode <neroden@fastmail.fm> to control@bugs.debian.org. (Sun, 08 Jul 2012 16:48:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#274229; Package base-passwd. (Fri, 01 Nov 2013 18:06:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. (Fri, 01 Nov 2013 18:06:05 GMT) Full text and rfc822 format available.

Message #45 received at 274229@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: Russ Allbery <rra@debian.org>
Cc: debian-devel@lists.debian.org, Phillip Susi <psusi@ubuntu.com>, 274229@bugs.debian.org
Subject: Re: System accounts with valid shells
Date: Fri, 1 Nov 2013 18:04:11 +0000
severity 184979 important
block 274229 by 184979
thanks

On Fri, Nov 01, 2013 at 09:26:15AM -0700, Russ Allbery wrote:
> Even if the risk is low, I see absolutely no reason why these accounts
> should have valid shells, and therefore don't understand why we wouldn't
> want to just change them to /usr/sbin/nologin.  The local administrator
> has other ways of getting a shell with that account by overriding the
> shell with su, etc., if they really want to interactively be that user.
> 
> Colin, this bug has been dormant for a very long time, and I've previously
> pinged it with no response.  Is that just due to lack of time, or were you
> not sure whether this should change?  Is this something for which you want
> the broader advice of the project or the technical committee?

Sorry for not responding to this before (and CCing the bug now so that
this response is recorded properly).  I would like to fix this.  Of
course it needs due care and attention, but I don't think it especially
needs more discussion or broader advice.

However, there's an awkward problem blocking the change, namely #184979.
The last time I made any change to passwd.master or group.master that
caused update-passwd to prompt everyone to accept it was in December
2004.  Since then, the policy manual has been updated to say that all
packages must use debconf for prompting (albeit with an exception for
Essential and transitively-Essential packages, but only in that they may
have a fallback mechanism).  base-passwd is not in compliance with this
policy and it will require an extensive rewrite of update-passwd.c to
make it so.

This is absolutely an important problem and one I regard it as my
responsibility to solve; but, as long as I leave passwd.master and
group.master untouched, it is dormant.  If I change those files before
fixing that bug, however, then I know that I will unnecessarily
introduce problems for at least some of the package management tools
that have been developed on the reasonable Policy-derived assumption
that packages aren't going to do non-debconf-based prompting on upgrade.
For a less critical package, this might be an acceptable trade-off, but
base-passwd is pretty much certain to affect everyone and I don't think
I can justify knowingly introducing this kind of breakage.

I've been promising to fix #184979 for rather a long time now and have
been conspicuously failing to get round to it; from my local tree it
looks like all I ever managed to do was put together some template text.
Partially-working patches stand a good chance of getting me to debug
them into a more complete state, so I'd be glad of even incomplete
patches towards this.

-- 
Colin Watson                                       [cjwatson@debian.org]



Added blocking bug(s) of 274229: 184979 Request was from Colin Watson <cjwatson@debian.org> to control@bugs.debian.org. (Fri, 01 Nov 2013 18:06:15 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#274229; Package base-passwd. (Fri, 01 Nov 2013 19:45:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Colin Watson <cjwatson@debian.org>. (Fri, 01 Nov 2013 19:45:09 GMT) Full text and rfc822 format available.

Message #52 received at 274229@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: debian-devel@lists.debian.org
Cc: Phillip Susi <psusi@ubuntu.com>, 274229@bugs.debian.org
Subject: Re: System accounts with valid shells
Date: Fri, 01 Nov 2013 12:42:30 -0700
Colin Watson <cjwatson@debian.org> writes:

> However, there's an awkward problem blocking the change, namely #184979.
> The last time I made any change to passwd.master or group.master that
> caused update-passwd to prompt everyone to accept it was in December
> 2004.  Since then, the policy manual has been updated to say that all
> packages must use debconf for prompting (albeit with an exception for
> Essential and transitively-Essential packages, but only in that they may
> have a fallback mechanism).  base-passwd is not in compliance with this
> policy and it will require an extensive rewrite of update-passwd.c to
> make it so.

Ah!  Thank you.  I hadn't realized this was the issue.

I assume that would mean that update-passwd would need to become a client
of the libdebconfclient0 library?

Phillip, given the above background, would you be willing to modify the
libuuid package to use /bin/false or /usr/sbin/nologin instead of /bin/sh
for the shell for the libuuid user?  That package doesn't have the same
issues that base-passwd has.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#274229; Package base-passwd. (Fri, 01 Nov 2013 20:21:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. (Fri, 01 Nov 2013 20:21:11 GMT) Full text and rfc822 format available.

Message #57 received at 274229@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: Russ Allbery <rra@debian.org>, 274229@bugs.debian.org
Cc: debian-devel@lists.debian.org, Phillip Susi <psusi@ubuntu.com>
Subject: Re: Bug#274229: System accounts with valid shells
Date: Fri, 1 Nov 2013 20:20:40 +0000
On Fri, Nov 01, 2013 at 12:42:30PM -0700, Russ Allbery wrote:
> Colin Watson <cjwatson@debian.org> writes:
> > However, there's an awkward problem blocking the change, namely #184979.
> > The last time I made any change to passwd.master or group.master that
> > caused update-passwd to prompt everyone to accept it was in December
> > 2004.  Since then, the policy manual has been updated to say that all
> > packages must use debconf for prompting (albeit with an exception for
> > Essential and transitively-Essential packages, but only in that they may
> > have a fallback mechanism).  base-passwd is not in compliance with this
> > policy and it will require an extensive rewrite of update-passwd.c to
> > make it so.
> 
> Ah!  Thank you.  I hadn't realized this was the issue.

I've been terrible at communicating it, so no wonder :-)

> I assume that would mean that update-passwd would need to become a client
> of the libdebconfclient0 library?

That was my thought, yes.  There are probably other ways to do it, but I
think pulling libdebconfclient0 into transitively-Essential is
reasonable at this point (given that it aligns with the long-term plans
for debconf), and is likely to be the simplest change.

> Phillip, given the above background, would you be willing to modify the
> libuuid package to use /bin/false or /usr/sbin/nologin instead of /bin/sh
> for the shell for the libuuid user?  That package doesn't have the same
> issues that base-passwd has.

Right, no reason to couple these.

-- 
Colin Watson                                       [cjwatson@debian.org]



Information forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#274229; Package base-passwd. (Fri, 01 Nov 2013 20:36:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Phillip Susi <psusi@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Colin Watson <cjwatson@debian.org>. (Fri, 01 Nov 2013 20:36:04 GMT) Full text and rfc822 format available.

Message #62 received at 274229@bugs.debian.org (full text, mbox):

From: Phillip Susi <psusi@ubuntu.com>
To: Russ Allbery <rra@debian.org>
Cc: debian-devel@lists.debian.org, 274229@bugs.debian.org
Subject: Re: System accounts with valid shells
Date: Fri, 01 Nov 2013 16:33:40 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

reopen 274229
thanks

On 11/1/2013 3:42 PM, Russ Allbery wrote:
> Phillip, given the above background, would you be willing to modify
> the libuuid package to use /bin/false or /usr/sbin/nologin instead
> of /bin/sh for the shell for the libuuid user?  That package
> doesn't have the same issues that base-passwd has.

Sure.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJSdBAkAAoJEJrBOlT6nu75z8QIAIIusuDVCuNqIL5CcS3T83kU
O8sUGe9i4Xqgah4SiKxqjIRA7Km7ZjUGIJsE/YP/aSxXKXBUMJ5olq0xiHHdh7n8
hrqfvF9rrxrGL1LKFjdFp2esIOz2gQATbN/D4WpCh4JDlgYcTmysB2yGGIvjFsWV
aNcFFpHJUAdT5SyPL3ApznzksyedXfF44bsuAx9mif1EF0bhRgB/b3NwBGQoenAq
R6QXBuf0XLSAFrt33xUjClAIev9P5bXSRAjGjrj8lRLzarG/2KZFvQMGXTEG6Imc
GleqNgGJ/OGirL8i/o3fF9UutHpGsNhR3V3Z4eX2admycWrX6IIlA6PzoEvhcXU=
=Vhfh
-----END PGP SIGNATURE-----



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#274229; Package base-passwd. (Tue, 07 Jan 2014 16:03:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. (Tue, 07 Jan 2014 16:03:04 GMT) Full text and rfc822 format available.

Message #67 received at 274229@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: debian-devel@lists.debian.org
Cc: Russ Allbery <rra@debian.org>, 274229@bugs.debian.org, Phillip Susi <psusi@ubuntu.com>
Subject: Re: Bug#274229: System accounts with valid shells
Date: Tue, 7 Jan 2014 15:59:34 +0000
Russ supplied a patch to allow update-passwd to use debconf for
prompting, which I've now merged after some tweaking between us.  As of
base-passwd 3.5.30, all these accounts will have their shells changed to
/usr/sbin/nologin, with debconf prompts at priority medium defaulting to
true.

Thanks, Russ!

-- 
Colin Watson                                       [cjwatson@debian.org]



Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Tue, 07 Jan 2014 16:06:16 GMT) Full text and rfc822 format available.

Notification sent to David Cantrell <david@cantrell.org.uk>:
Bug acknowledged by developer. (Tue, 07 Jan 2014 16:06:17 GMT) Full text and rfc822 format available.

Message #72 received at 274229-close@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: 274229-close@bugs.debian.org
Subject: Bug#274229: fixed in base-passwd 3.5.30
Date: Tue, 07 Jan 2014 16:03:29 +0000
Source: base-passwd
Source-Version: 3.5.30

We believe that the bug you reported is fixed in the latest version of
base-passwd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 274229@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated base-passwd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 07 Jan 2014 15:41:06 +0000
Source: base-passwd
Binary: base-passwd
Architecture: source i386
Version: 3.5.30
Distribution: unstable
Urgency: medium
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 base-passwd - Debian base system master password and group files
Closes: 184979 274229
Changes: 
 base-passwd (3.5.30) unstable; urgency=medium
 .
   [ Colin Watson ]
   * Remove config.h.in and configure, now autogenerated by dh-autoreconf.
   * Change the shell of all global static users other than root (which
     retains /bin/sh) and sync (as /bin/sync is rather harmless) to
     /usr/sbin/nologin (closes: #274229; LP: #216813, #248844).
   * Policy version 3.9.5.
 .
   [ Russ Allbery ]
   * Add support for debconf prompting to update-passwd (closes: #184979).
Checksums-Sha1: 
 fbd250a511e09d67ebbfd857b272295b3b9a9c9b 1749 base-passwd_3.5.30.dsc
 b2e529b5e93829da0e3bb1a75d45fc51886c3f0b 52854 base-passwd_3.5.30.tar.gz
 1c18efc68a80afef0fb1a9fdc2c6872a2a57734c 51238 base-passwd_3.5.30_i386.deb
Checksums-Sha256: 
 60398ff42268797fd71b09cbcc8562eed5b04038283d844d500c0242fcfc9b7b 1749 base-passwd_3.5.30.dsc
 b3d23e773bfb7bd3fca4c92e711d2de7aaaea975db1433a09315ddca4371042f 52854 base-passwd_3.5.30.tar.gz
 4e5ddb9985f1e1432981b80a4419329ce7943fb953b4bdcba41ddabc127a18dc 51238 base-passwd_3.5.30_i386.deb
Files: 
 edb88d8ada16c12ca35423a56c0c5f9c 1749 admin required base-passwd_3.5.30.dsc
 b8d33533743267fa9bab7475798c9d50 52854 admin required base-passwd_3.5.30.tar.gz
 045e4f293054e1102d55a651055bdbce 51238 admin required base-passwd_3.5.30_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer

iQIVAwUBUswiMzk1h9l9hlALAQgV2hAAuuRZPxLvEL7jIFSFwfsk3lFEh7JMI0RW
Uc4Lysb5LA5/ARNEuEoNMmneG8QbgsivTVqMnGE838aEM7R9+686FZg15dwK5NVS
+wMNMzr9j0cC+aVcQBVx5jB6dkRIhPeK46+Aj0yafIZ57hhWbSPJ6rSPxzzCFAA0
tPJFrTOcjt39Fx7kk+j5M8UX4lC6izbuwdb5mr66QMkwqgE09Z6loloPiGhRYmC2
JwJNw/Ex/pkygEWZNz/Jd0EonuJSAvGQbntnTE9Z1fT7RZKgNGU7TiVW+M7RaqlM
UQ4Mq3oOBh6NjWbp4TNBKEzebQCvjL1sydX/PkIArlnrz6dotelC5Kuw1fZAbvbX
av51oVFSTY8TwhHrJ/2HZYtT2T+JjqEDv0TuNgYDs/Mh3W1NlJLKCdoxoFaDzyco
Axy/BJkzzLchp1UBJVISnoWJPDAytuW0CgefnPXN8rWajwMmtsedTuDgm4jxy6vS
EKnsDR0/z7uQEAwbgbcM2KfUtEh5ZI3TKjlTBw6Rn1Vj7dmFRjK6TOpFcNlTCN97
3hBDZClYDICz+A+mbBkXd9ojqwgMMfiMOq1v3Idst6afsJwUBjmS6LO6PVWFmQqH
0YS7rJOOBN4j1GZh9s62qS3S/KAFyvndLbf7OizBINEl48Za8DiOb0ISZeHISHka
4SZ1rSNwAaY=
=DvUj
-----END PGP SIGNATURE-----




Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Tue, 07 Jan 2014 16:06:17 GMT) Full text and rfc822 format available.

Notification sent to Rogério Brito <rbrito@ime.usp.br>:
Bug acknowledged by developer. (Tue, 07 Jan 2014 16:06:17 GMT) Full text and rfc822 format available.

Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Tue, 07 Jan 2014 16:06:18 GMT) Full text and rfc822 format available.

Notification sent to Aaron Toponce <aaron.toponce@gmail.com>:
Bug acknowledged by developer. (Tue, 07 Jan 2014 16:06:18 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 04:25:47 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.