[Pkg-sysvinit-devel] Bug#595046: sulogin: Check for locked root password is wrong
Kevin Goodsell
kevin-dated-1291049637.d96c6f at omegacrash.net
Tue Aug 31 17:07:48 UTC 2010
Package: sysvinit-utils
Version: 2.88dsf-12
Severity: normal
sysvinit includes a patch, 91_sulogin_lockedpw.dpatch, which is intended
to make sulogin skip asking for the root password when the root password
is locked (via passwd -l). This patch was taken from Ubuntu, where the
root password is locked by default. However the patch does not work
correctly if the root password was ever set, meaning it is sometimes
broken in Ubuntu and pretty much always broken in Debian. It relies on
the encrypted password being exactly "!", but locking a password only
prepends "!" to the existing encrypted password, it does not replace it.
The Ubuntu bug is:
https://bugs.launchpad.net/ubuntu/+source/sysvinit/+bug/268271
The Debian bug that included the patch is:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=326678
It looks like it should be rather easy to replace, e.g.:
strcmp(pwd.pw_passwd, "!") == 0
with
pwd.pw_passwd[0] == '!'
Though perhaps a more general check for invalid passwords is warranted.
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages sysvinit-utils depends on:
ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib
ii libselinux1 2.0.96-1 SELinux runtime shared libraries
sysvinit-utils recommends no packages.
Versions of packages sysvinit-utils suggests:
pn sash <none> (no description available)
-- no debconf information
More information about the Pkg-sysvinit-devel
mailing list