Debian Bug report logs - #330882
base-passwd: getting shells in sync with what package tiger (security auditor) recommends
Reported by: Rogério Brito <rbrito@ime.usp.br>
Date: Fri, 30 Sep 2005 09:33:02 UTC
Severity: normal
Tags: patch, security
Merged with 274229, 581899
Found in versions 3.5.8, base-passwd/3.5.10, base-passwd/3.5.20, base-passwd/3.5.22
Fixed in version base-passwd/3.5.30
Done: Colin Watson <cjwatson@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#330882; Package base-passwd.
Acknowledgement sent to Rogério Brito <rbrito@ime.usp.br>:
New Bug report received and forwarded. Copy sent to Colin Watson <cjwatson@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: base-passwd
Version: 3.5.10
Severity: wishlist
Hi there, Colin.
I recently installed some packages in my box to learn more about its
security and vulnerabilities and, one of them, tiger gives some quite
sensible recommendations.
One of them is that the users backup, list and nobody (among others)
should not have shells that are listed in /etc/shells.
I tried changing their shells to something like /bin/false (which is
what Dan Bernstein once recommended, if I am not mistaken), but,
unfortunately, upon reinstallation of base-passwd (due to some
filesystem corruption), it offered to change back the shells to things
listed in /etc/shells.
Some of the recommendations given by tiger are really meaningful and I
think that they should be followed for making a default Debian install a
step closer to being more secure.
Thanks for your efforts, Rogério Brito.
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (900, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.13.2-1.hm
Locale: LANG=C, LC_CTYPE=pt_BR (charmap=ISO-8859-1)
Versions of packages base-passwd depends on:
ii libc6 2.3.5-6 GNU C Library: Shared libraries an
base-passwd recommends no packages.
-- no debconf information
--
Rogério Brito : rbrito@ime.usp.br : http://www.ime.usp.br/~rbrito
Homepage of the algorithms package : http://algorithms.berlios.de
Homepage on freshmeat: http://freshmeat.net/projects/algorithms/
Added tag(s) security.
Request was from Piotr Engelking <inkerman42@gmail.com> to control@bugs.debian.org (Sat, 07 May 2011 20:21:03 GMT).
Severity set to 'normal' from 'wishlist'
Request was from Nathanael Nerode <neroden@fastmail.fm> to control@bugs.debian.org (Sun, 08 Jul 2012 16:48:05 GMT).
Added tag(s) patch.
Request was from Nathanael Nerode <neroden@fastmail.fm> to control@bugs.debian.org (Sun, 08 Jul 2012 16:48:05 GMT).
Added blocking bug(s) of 330882: 184979
Request was from Colin Watson <cjwatson@debian.org> to control@bugs.debian.org (Fri, 01 Nov 2013 18:06:15 GMT).
Message #16 received at 274229-close@bugs.debian.org:
Source: base-passwd
Source-Version: 3.5.30
We believe that the bug you reported is fixed in the latest version of
base-passwd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 274229@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated base-passwd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 07 Jan 2014 15:41:06 +0000
Source: base-passwd
Binary: base-passwd
Architecture: source i386
Version: 3.5.30
Distribution: unstable
Urgency: medium
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
base-passwd - Debian base system master password and group files
Closes: 184979 274229
Changes:
base-passwd (3.5.30) unstable; urgency=medium
.
[ Colin Watson ]
* Remove config.h.in and configure, now autogenerated by dh-autoreconf.
* Change the shell of all global static users other than root (which
retains /bin/sh) and sync (as /bin/sync is rather harmless) to
/usr/sbin/nologin (closes: #274229; LP: #216813, #248844).
* Policy version 3.9.5.
.
[ Russ Allbery ]
* Add support for debconf prompting to update-passwd (closes: #184979).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer
-----END PGP SIGNATURE-----
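The check tiger makes, combined with the exceptions the 3.5.30 changelog keeps (root, and sync with /bin/sync), can be reproduced with a short audit script. This is an added example, not code from the bug report, tiger or base-passwd; the function names, the UID cutoff of 1000, treating UID 65534 as a system account, and the sample passwd and shells contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# audit_shells PASSWD SHELLS [UID_LIMIT]
# Print "user:shell" for each system account whose login shell is listed in
# the shells file. Added example; not part of base-passwd or tiger.
audit_shells() {
    uid_limit=${3:-1000}   # assumption: UIDs below this are system accounts
    awk -F: -v limit="$uid_limit" '
        # First operand: shells(5) format, one path per line, "#" comments.
        FILENAME == ARGV[1] {
            sub(/#.*/, ""); gsub(/[ \t]/, "")
            if ($0 != "") valid[$0] = 1
            next
        }
        NF != 7 { next }                        # skip malformed passwd lines
        {
            name = $1; uid = $3 + 0; shell = $7
            if (shell == "") shell = "/bin/sh"  # empty field means /bin/sh
            if (uid >= limit && uid != 65534) next   # ordinary user account
            if (name == "root") next                 # root keeps its shell
            if (name == "sync" && shell == "/bin/sync") next
            if (shell in valid) print name ":" shell
        }
    ' "$2" "$1"
}

# Constructed sample data: a shells file and passwd entries in the style of
# an installation that still has login shells on static system users.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/shells" <<'EOF'
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
EOF
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
EOF
    audit_shells "$tmp/passwd" "$tmp/shells"
    rm -rf "$tmp"
}
demo
```

On a live system the same function can be pointed at /etc/passwd and /etc/shells; an empty result means no system account other than the two exceptions has a shell from /etc/shells.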
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org (Thu, 28 Aug 2014 07:29:54 GMT).
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 16 02:13:57 2023.