Debian Bug report logs - #341230
Should use a versioned Depends on libpam-modules

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Christian Gennerat <Christian.Gennerat@m4x.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: passwd: Partial changes with chfn other values

Date: Tue, 29 Nov 2005 13:28:51 +0100

Package: passwd
Version: 1:4.0.13-7
Severity: important

When a chfn is done by root, to change only one value,
other values are taken from the root-gecos

libs:~#  chfn -f newus -r ndesk -w ntel -h nhom -o noth newuser
libs:~# grep newus /etc/passwd
newuser:x:1009:1009:newus,ndesk,ntel,nhom,noth:/home/newuser:/bin/bash
 
libs:~# chfn -h HomeNew newuser
libs:~# grep newus /etc/passwd
newuser:x:1009:1009:root,rroot,wroot,HomeNew,oroot:/home/newuser:/bin/bash
libs:~# grep wroot /etc/passwd
root:x:0:0:root,rroot,wroot,hroot,oroot:/root:/bin/bash
newuser:x:1009:1009:root,rroot,wroot,HomeNew,oroot:/home/newuser:/bin/bash



-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i586)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.23
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15) (ignored: LC_ALL set to fr_FR@euro)

Versions of packages passwd depends on:
ii  debianutils                   2.15.1     Miscellaneous utilities specific t
ii  libc6                         2.3.5-8    GNU C Library: Shared libraries an
ii  libpam-modules                0.76-22    Pluggable Authentication Modules f
ii  libpam0g                      0.79-3     Pluggable Authentication Modules l
ii  login                         1:4.0.13-7 system login tools

passwd recommends no packages.

-- debconf information:
  passwd/password-mismatch:
* passwd/username: xg
  passwd/password-empty:
* passwd/md5: false
  passwd/user-uid:
* passwd/shadow: true
  passwd/username-bad:
* passwd/user-fullname: x-g
* passwd/make-user: true
  passwd/title:
  passwd/retry-ppp: true
  passwd/keymap-failed:
  passwd/stop-ppp: true
  passwd/selection-path: simple
  passwd/dselect:
  passwd/login:
  passwd/install-problem: true

Message #10 received at 341230@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>

To: Christian Gennerat <Christian.Gennerat@m4x.org>, 341230@bugs.debian.org

Subject: Re: [Pkg-shadow-devel] Bug#341230: passwd: Partial changes with chfn other values

Date: Tue, 29 Nov 2005 17:56:21 +0100

severity 341230 normal
tags 341230 unreproducible
thanks

Quoting Christian Gennerat (Christian.Gennerat@m4x.org):
> Package: passwd
> Version: 1:4.0.13-7
> Severity: important
> 
> When a chfn is done by root, to change only one value,
> other values are taken from the root-gecos
> 
> libs:~#  chfn -f newus -r ndesk -w ntel -h nhom -o noth newuser
> libs:~# grep newus /etc/passwd
> newuser:x:1009:1009:newus,ndesk,ntel,nhom,noth:/home/newuser:/bin/bash
>  
> libs:~# chfn -h HomeNew newuser
> libs:~# grep newus /etc/passwd
> newuser:x:1009:1009:root,rroot,wroot,HomeNew,oroot:/home/newuser:/bin/bash
> libs:~# grep wroot /etc/passwd
> root:x:0:0:root,rroot,wroot,hroot,oroot:/root:/bin/bash
> newuser:x:1009:1009:root,rroot,wroot,HomeNew,oroot:/home/newuser:/bin/bash

I absolutely can't reproduce this behaviour here:

mykerinos:~# adduser krabs
Ajout de l'utilisateur « krabs »...
Ajout du nouveau groupe « krabs » (1004).
Ajout du nouvel utilisateur « krabs » (1004) avec le groupe « krabs ».
Création du répertoire personnel « /home/krabs ».
Copie des fichiers depuis « /etc/skel »
Enter new UNIX password:
Retype new UNIX password:
passwd : le mot de passe a été mis à jour avec succès
Modification des informations relatives à l'utilisateur krabs
Entrez la nouvelle valeur ou « Entrée » pour conserver la valeur proposée
        Nom complet []: Captain Krabs
        N° de bureau []: The Crusty Krab
        Téléphone professionnel []: Bikini Bottom
        Téléphone personnel []: Oceans
        Autre []: Friend of Spongebob
Ces informations sont-elles correctes [o/N] ? o
mykerinos:~# grep root /etc/passwd
root:x:0:0:root,rroot,wroot,hroot,oroot:/root:/bin/bash
oper:x:0:0:root:/oper:/oper/oper.sh
mykerinos:~# chfn -h NewHome krabs
mykerinos:~# grep krabs /etc/passwd
krabs:x:1004:1004:Captain Krabs,The Crusty Krab,Bikini Bottom,NewHome,Friend of Spongebob:/home/krabs:/bin/bash


I suspect some mess with /etc/pam.d/chfn. I should be something like:

auth            sufficient      pam_rootok.so
@include common-auth
@include common-account
@include common-session

Message #19 received at 341230@bugs.debian.org (full text, mbox, reply):

From: Nicolas François <nicolas.francois@centraliens.net>

To: Christian Gennerat <Christian.Gennerat@m4x.org>, 341230@bugs.debian.org

Subject: Re: Bug#341230: passwd: Partial changes with chfn other values

Date: Tue, 29 Nov 2005 22:05:24 +0100

retitle 341230 [TO CLOSE 20051211] passwd: Partial changes with chfn other values
thanks

Hello,

On Tue, Nov 29, 2005 at 01:28:51PM +0100, Christian.Gennerat@m4x.org wrote:
> 
> When a chfn is done by root, to change only one value,
> other values are taken from the root-gecos

> ii  libpam-modules                0.76-22    Pluggable Authentication Modules f
                                    ^^^^^^^
That is the reason.

I could reproduce it with libpam-modules 0.76-22, and could not with
0.79-3.

You should update this package.

I'm not closing this bug since I would like to investigate a little bit
more (I will close it in 1 or 2 weeks).

Kind Regards,
-- 
Nekral

Message #26 received at 341230@bugs.debian.org (full text, mbox, reply):

From: Nicolas François <nicolas.francois@centraliens.net>

To: Christian Gennerat <Christian.Gennerat@m4x.org>, 341230@bugs.debian.org

Subject: Re: Bug#341230: passwd: Partial changes with chfn other values

Date: Tue, 29 Nov 2005 22:47:50 +0100

retitle 341230 passwd: Partial changes with chfn other values
tags 341230 upstream
tags 341230 - unreproducible
thanks

Hello Tomasz,

Here is some more information.

In chfn.c, we use getpwnam to retrieve the passwd structure for the given
user.
The reason this bug appear wim pam_unix 0.76 and not with 0.79 is that
pam_unix also uses getpwnam, and thus changes the internal structure
returned (to both shadow and pam_unix).

I think we should either duplicate this structure, or use getpwnam_r.

I'm reverting the title change, since I do think it is a shadow bug (e.g.
another PAM module could still use getpwnam).

Maybe this should also be checked in the other shadow utilities.

PS: upgrading to libpam-modules 0.79 is still recommended.

Kind Regards,
-- 
Nekral

Message #37 received at 341230@bugs.debian.org (full text, mbox, reply):

From: Tomasz Kłoczko <kloczek@zie.pg.gda.pl>

To: Nicolas François <nicolas.francois@centraliens.net>, 341230@bugs.debian.org

Subject: Re: [Pkg-shadow-devel] Bug#341230: passwd: Partial changes with chfn other values

Date: Wed, 30 Nov 2005 00:10:23 +0100

Dnia 29-11-2005, wto o godzinie 22:47 +0100, Nicolas François
napisał(a):
> retitle 341230 passwd: Partial changes with chfn other values
> tags 341230 upstream
> tags 341230 - unreproducible
> thanks
> 
> Hello Tomasz,
> 
> Here is some more information.
> 
> In chfn.c, we use getpwnam to retrieve the passwd structure for the given
> user.
> The reason this bug appear wim pam_unix 0.76 and not with 0.79 is that
> pam_unix also uses getpwnam, and thus changes the internal structure
> returned (to both shadow and pam_unix).
> 
> I think we should either duplicate this structure, or use getpwnam_r.

getpwnam_r() it is only threas safe version od getpwnam(). chfn and
shadow do not uses threads.
For me it looks like bug in PAM so I don't see any things for adjust/fix
on shadow level.

kloczek

Message #42 received at 341230@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>

To: Tomasz Kłoczko <kloczek@zie.pg.gda.pl>, 341230@bugs.debian.org, libpam-modules@packages.debian.org

Subject: Re: Bug#341230: [Pkg-shadow-devel] Bug#341230: passwd: Partial changes with chfn other values

Date: Wed, 30 Nov 2005 06:50:44 +0100

retitle 341230 Should use a versioned Depends on libpam-modules
thanks

> getpwnam_r() it is only threas safe version od getpwnam(). chfn and
> shadow do not uses threads.
> For me it looks like bug in PAM so I don't see any things for adjust/fix
> on shadow level.


This convinces me that we should at least use a versioned Depends on
libpam-modules to avoid this specific problem and enforce migration of
both packages at the same time.

Unfortunately, this would add more complexity to the dependency chain
but anyway, login already uses a versioned Depends on
libpam-modules...while passwd doesn't depend on it at all (which might
be a bug).

Steve, advice ? Look for #341230 bug log for the whole story.

Message #49 received at 341230@bugs.debian.org (full text, mbox, reply):

From: Nicolas François <nicolas.francois@centraliens.net>

To: 341230@bugs.debian.org

Subject: Re: [Pkg-shadow-devel] Bug#341230: passwd: Partial changes with chfn other values

Date: Wed, 30 Nov 2005 23:16:52 +0100

[Message part 1 (text/plain, inline)]

Hello Tomasz,


On Wed, Nov 30, 2005 at 12:10:23AM +0100, kloczek@zie.pg.gda.pl wrote:
> For me it looks like bug in PAM so I don't see any things for adjust/fix
> on shadow level.

I really think this is a bug.
The getpwnam man page specifies:

   The getpwnam() and getpwuid() functions return a pointer  to  a  passwd
   structure,  or  NULL  if  the  matching  entry is not found or an error
   occurs.  If an error occurs, errno is set appropriately.  If one  wants
   to  check  errno  after  the  call, it should be set to zero before the
   call.

   The return value may point to static area, and may  be  overwritten  by
   subsequent calls to getpwent(), getpwnam(), or getpwuid().

There is no garranty that a PAM module will not use one of these
functions.  (This is the case at least of pam_unix in PAM 0.76)
So the structure must be duplicated before being used (there are call to
PAM between the call to getpwnam and the usage of the passwd structure).


I identified another similar issue:
When chsh is used without -s (i.e. in interractive mode) and by root,
chsh <user> should display the current shell of <user> between squared
brackets. With libpam-modules 0.76, the defaut shell is root's one, not
<user>'s one.


In the GNU libc (currently), only a call to the same function (getpwent(),
getpwnam(), or getpwuid()) overrides the static area (i.e. there is one
static area for each function).

This patch should fix this kind of issues for the GNU libc. However,
getpwuid is often called after the call to getpwnam in shadow, and thus
more issues may appear on no-GNU libc.

I will try to see if there is such issue exists (but I won't have any way
to reproduce any bug).




The attached patch applies cleanly to your CVS.

Kind Regards,
-- 
Nekral

[468_duplicate_passwd_struct_before_use.upstream (text/plain, attachment)]

Message #56 received at 341230-close@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>

To: 341230-close@bugs.debian.org

Subject: Bug#341230: fixed in shadow 1:4.0.14-1

Date: Fri, 06 Jan 2006 11:32:12 -0800

Source: shadow
Source-Version: 1:4.0.14-1

We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive:

login_4.0.14-1_i386.deb
  to pool/main/s/shadow/login_4.0.14-1_i386.deb
passwd_4.0.14-1_i386.deb
  to pool/main/s/shadow/passwd_4.0.14-1_i386.deb
shadow_4.0.14-1.diff.gz
  to pool/main/s/shadow/shadow_4.0.14-1.diff.gz
shadow_4.0.14-1.dsc
  to pool/main/s/shadow/shadow_4.0.14-1.dsc
shadow_4.0.14.orig.tar.gz
  to pool/main/s/shadow/shadow_4.0.14.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 341230@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Perrier <bubulle@debian.org> (supplier of updated shadow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri,  6 Jan 2006 07:42:52 +0100
Source: shadow
Binary: login passwd
Architecture: source i386
Version: 1:4.0.14-1
Distribution: unstable
Urgency: low
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Changed-By: Christian Perrier <bubulle@debian.org>
Description: 
 login      - system login tools
 passwd     - change and administer password and group data
Closes: 334264 335381 336649 338373 338410 339554 340578 340826 340828 341230 341489 342102 342858 343473 343534 343595 344964 345659
Changes: 
 shadow (1:4.0.14-1) unstable; urgency=low
 .
   * The "Crottin de Chavignol" release
   * New upstream release. This release fixes the following issues:
     - French useradd no longer documents nonexisting -n option
       Closes: #340578
     - Russian translation update. Closes: #340826
     - Fix German translation. Closes: #338373
     - Swedish translation update. Closes: #334264
     - Ukrainian translation update. Closes: #335381
     - Tagalog translation update. Closes: #336649
     - French translation update. Closes: #338410
     - Simplified Chinese translation update. Closes: #339554
     - Russian man pages translation update. Closes: #340828
   * Upstream bugs not already fixed in upstream releases or CVS:
     - 468_duplicate_passwd_struct_before_usage
       Duplicate the passwd structures retrieved by getpwnam before calling
       PAM. Closes: #341230
   * Debian specific fixes:
     - 502_fix_generated_man_pages
       remove the occurences of ’ which is not supported by the current version
       of docbook-xsl in Debian. Closes: #341489
   * Debconf translation updates:
     - Basque updated. Closes: #342102
     - Catalan updated. Closes: #344964
   * Debian packaging fixes:
     - debian/rules, debian/login.files, debian/passwd.files:
       Use dh_install instead of old dh_movefiles for moving files from
       debian/tmp and rename {login, passwd}.files to {login,passwd}.install
       Closes: #343534
     - debian/rules:
       debian/rules: stop building login for Hurd, which breaks bootstrap
       Thanks to Michael Banck for the patch. Closes: #343473
     - debian/passwd.config:
       call programs using [a-z] under a C locale. Thanks Denis Barbier
       for the patch. Closes: #343595
     - debian/rules, debian/shells, debian/passwd.postinst:
       Remove the /usr/share/passwd/shells files and the postinst code that
       installed it as /etc/shells. This is now done by debianutils.
       Closes: #342858
     - Also remove README.shells, which should be distributed by debianutils.
     - debian/passwd.postrm:
       Do not remove /etc/shells on purge. Closes: #345659
     - Fix the version of an old entry in NEWS.Debian
     - Do not distribute the pam.d files for commands with disabled PAM support
       (chage, chpasswd, groupadd, groupdel, groupmod, useradd, userdel,
       usermod)
Files: 
 08b88c1ddb115bfb520d462046a6efe7 867 admin required shadow_4.0.14-1.dsc
 3de4a6143346a32547a5931feadadcc5 1829083 admin required shadow_4.0.14.orig.tar.gz
 2fd0cd3973513d15d8586a9572000b65 164956 admin required shadow_4.0.14-1.diff.gz
 5d948f10a6f407e76981040a91926504 719280 admin required passwd_4.0.14-1_i386.deb
 d87ae8d85a5cc90696e043dc5f59dc2b 645852 admin required login_4.0.14-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDvpDW1OXtrMAUPS0RAmQeAKCOIZXixWfCn1i1jVcLHP+/0osrbgCgixHG
eTAQYITklq2wGk4P+GITdhc=
=USJV
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.