189412 CVE-2007-5714 2007-08-18 23:18 0000 net-p2p/mldonkey created user "p2p" has a passwordless login (CVE-2007-5714) 2007-11-07 20:04:17 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED [glsa errata?] jaervosz P2 normal --- 1 gentoo@torabi.de security@gentoo.org net-p2p@gentoo.org gentoo@torabi.de 2007-08-18 23:18:41 0000 I found out that the user "p2p" on my system had a passwordless login. It was even possible to login via ssh! I did not create that user; I think it was created by "net-p2p/mldonkey-2.8.2-r1" On an older installation that problem was not existing. I did not check yet what happens with the recent ebuilds. genlop mldonkey: * net-p2p/mldonkey Wed Mar 14 18:23:06 2007 >>> net-p2p/mldonkey-2.8.2-r1 Sun Apr 8 23:29:15 2007 >>> net-p2p/mldonkey-2.8.3 Wed Apr 11 00:32:12 2007 >>> net-p2p/mldonkey-2.8.4 Fri Jun 15 16:09:15 2007 >>> net-p2p/mldonkey-2.8.5 Sun Jul 29 05:50:20 2007 >>> net-p2p/mldonkey-2.9.0 If you need more information please tell. I did not attach an emerge --info because it might be irrelevant and has probably changed since March. jakub@gentoo.org 2007-08-19 06:58:34 0000 > I did not check yet what happens with the recent ebuilds. Still the same thing. <snip> enewuser ${MLUSER} -1 /bin/bash /home/p2p users </snip> jaervosz@gentoo.org 2007-08-19 19:04:42 0000 net-p2p please advise and fix as necessary. gentoo@torabi.de 2007-08-20 09:33:29 0000 (In reply to comment #1) > enewuser ${MLUSER} -1 /bin/bash /home/p2p users Unfortunatly I am not to aware of the password-problem in that line, are all the others that one gets with: grep enewuser /usr/portage/* | grep bash fine? jakub@gentoo.org 2007-08-20 09:36:37 0000 (In reply to comment #3) > Unfortunatly I am not to aware of the password-problem in that line, are all > the others that one gets with: enewuser doesn't set any password, the shell should be -1 (i.e. /bin/false) to prevent this issue. If that's not possible, then mldonkey has bigger problems than just enewuser. gentoo@torabi.de 2007-08-21 12:36:37 0000 If that user does need a valid shell how about a random password? Since the last argument of enewuser [params] is passed directly to useradd this should work: <workaround> enewuser ${MLUSER} -1 /bin/bash /home/${MLUSER} users --password $(dd count=1 if=/dev/random 2>/dev/null| md5sum | awk '{print $1}') </workaround> or am I wrong? What is done here is I'll get some random data from the kernel (/dev/random) and calculate the md5sum of that. If the password is ever needed the admin can still change it. I'll have to ask again: Does this problem exist in all packages that use enewuser with a valid shell? armin76@gentoo.org 2007-08-27 17:19:08 0000 Fixed in -r3. jaervosz@gentoo.org 2007-08-28 20:30:17 0000 Arches please test and mark stable. Target keywords are: mldonkey-2.9.0-r3.ebuild:KEYWORDS="~alpha amd64 hppa ia64 ppc ~sparc x86" jer@gentoo.org 2007-08-29 00:13:48 0000 Stable for HPPA. armin76@gentoo.org 2007-08-29 09:36:43 0000 ia64/x86 stable dertobi123@gentoo.org 2007-08-29 19:16:48 0000 ppc stable jonas@chown.dk 2007-09-04 19:37:25 0000 net-p2p/mldonkey-2.9.0-r3 USE="gd gtk -doc -fasttrack -gnutella -guionly -magic" 1. Emerges on AMD64. 2. No collisions etc. 3. Works on AMD64 and p2p user no longer have a valid shell. Portage 2.1.2.12 (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.5-r4, 2.6.22-gentoo-r2 x86_64) ================================================================= System uname: 2.6.22-gentoo-r2 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz Gentoo Base System release 1.12.9 Timestamp of tree: Mon, 03 Sep 2007 21:50:01 +0000 distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled] ccache version 2.4 [enabled] app-shells/bash: 3.2_p17 dev-java/java-config: 1.3.7, 2.0.33-r1 dev-lang/python: 2.4.4-r4 dev-python/pycrypto: 2.0.1-r6 dev-util/ccache: 2.4-r7 sys-apps/baselayout: 1.12.9-r2 sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.61 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.17 sys-devel/gcc-config: 1.3.16 sys-devel/libtool: 1.5.24 virtual/os-headers: 2.6.21 ACCEPT_KEYWORDS="amd64" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=nocona -Os -msse3 -pipe -fomit-frame-pointer" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo" CXXFLAGS="-march=nocona -Os -msse3 -pipe -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" FEATURES="ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test" GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ http://trumpetti.atm.tut.fi/gentoo/ http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://ds.thn.htu.se/linux/gentoo" LC_ALL="en_DK.utf8" MAKEOPTS="-j6" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/portage/local/layman/php-testing /usr/local/portage" SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage" USE="X a52 aac acl acpi aiglx alsa amd64 apache2 arts atk berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dga directfb dri dts dvd dvdr dvdread eds emboss encode evo fam fbcn ffmpeg firefox fortran ftp gd gdbm gif gphoto2 gpm gstreamer gtk hal iconv icq ieee1394 ipv6 isdnlog java jpeg kde kerberos lm_sensors mad midi mikmod mjpeg mmx mozilla mp2 mp3 mpeg mplayer msn mudflap ncurses nls nptl nptlonly ogg oggvorbis opengl openmp pam pcre pda pdf perl png ppds pppd python qt qt3 qt3support qt4 quicktime readline reflection samba sdl session spell spl sse sse2 sse3 ssl svg tcpd test threads tiff truetype truetype-fonts type1-fonts unicode vorbis x264 xcomposite xml xorg xscreensaver xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="radeon" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS angelos@gentoo.org 2007-09-05 14:09:42 0000 amd64 stable jaervosz@gentoo.org 2007-09-08 15:47:56 0000 Hmmm, if this report is correct it is worth a GLSA in my opinion. Comments/thoughts? aetius@gentoo.org 2007-09-09 22:26:12 0000 Yep, GLSA it - there's guaranteed to be systems out there with this user created, since everyone who emerged it would have added the user. jakub@gentoo.org 2007-09-09 22:30:59 0000 Just noting here that mere upgrading doesn't actually solve the issue. enewuser won't do anything if the user already exists - people who have installed this before need to either userdel the account and then upgrade, or modify it manually. legate@legate.xs4all.nl 2007-09-10 14:38:04 0000 >Just noting here that mere upgrading doesn't actually solve the issue. enewuser >won't do anything if the user already exists - people who have installed this >before need to either userdel the account and then upgrade, or modify it >manually. I may be dense, but if you're not gonna add logic to change the shell then what exactly is the point of adding a new revision? FWIW, 4 other users had the same problem (valid shell with no password set) on my system: uucp, games, postgres and jetty gentoo@torabi.de 2007-09-10 15:40:32 0000 > exactly is the point of adding a new revision? Now the problem does not occur anymore on newly installed systems. > FWIW, 4 other users had the same problem (valid shell with no password set) on > my system: uucp, games, postgres and jetty That is what I guessed there are probably some other packages with the same problem. I tried it with flexlm-9.5-r1 (enewuser flexlm -1 /bin/bash /opt/flexlm flexlm -c "FlexLM server user") but that account seems secure. Maybe a check like in =app-forensics/rkhunter-1.2.9 (/usr/bin/rkhunter in line 4145) should be put in the ebuilds. jaervosz@gentoo.org 2007-09-10 16:21:16 0000 legate you're right. We'll have a GLSA to get this fixed. falco@gentoo.org 2007-10-24 22:15:55 0000 GLSA 200710-25, sorry for the delay max@city.veganet.ru 2007-10-26 08:59:04 0000 (In reply to comment #19) > GLSA 200710-25, sorry for the delay > JFYI, there is a difference between no password and empty password. Here is a paragraph from man 5 shadow If the password field contains some string that is not valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in, subject to pam(7). jaervosz@gentoo.org 2007-10-26 11:20:33 0000 For the record: As mentioned in the original bug report it affects ssh if you have PermitEmptyPasswords yes and UsePAM no. subcreator@post.ru 2007-10-26 15:48:47 0000 That DOESN'T work in any case! # cat /etc/passwd /etc/shadow | grep p2p p2p:x:106:100:added by portage for mldonkey:/home/p2p:/bin/bash p2p:!:13597:0:99999:7::: # cat /etc/ssh/sshd_config | egrep "PermitEmpty|UsePAM" PermitEmptyPasswords yes UsePAM no # ssh p2p@localhost Permission denied (publickey,keyboard-interactive). jaervosz@gentoo.org 2007-10-26 17:33:05 0000 Hmmm actually I'm not able to reproduce this using enewuser. jakub@gentoo.org 2007-10-26 18:50:54 0000 (In reply to comment #23) > Hmmm actually I'm not able to reproduce this using enewuser. See Bug 193541. No idea how many people are affected by this and what caused it. max@city.veganet.ru 2007-10-26 22:39:14 0000 (In reply to comment #24) > (In reply to comment #23) > > Hmmm actually I'm not able to reproduce this using enewuser. > > See Bug 193541. No idea how many people are affected by this and what caused > it. Actually i don't care about that bug, but i'm little scared about how easy GLSA with High importance can be pushed based on the wrong roots and providing resolution unrelated to the real problem. This drops shadow on GLSA process in overall. jaervosz@gentoo.org 2007-10-27 07:35:00 0000 This seems like a major slip:( Reopning to decide what to do. I propose an errata. jaervosz@gentoo.org 2007-10-27 07:36:14 0000 Or perhaps just an update stating that it have to be an old install? alexxy@gentoo.org 2007-10-27 07:41:12 0000 (In reply to comment #27) > Or perhaps just an update stating that it have to be an old install? > Close this bug since it's not reproducible '!' in the second fiel in /etc/shadow means that user is locked and can't login anymore rbu@gentoo.org 2007-10-27 09:57:03 0000 What mistake are we discussing here? 1) That the passwd/shadow situation cannot be reproduced with recent installs? 2) That the vulnerability (if reproduced) is invalid? Comment 22 seems to point at (2), but I have to add there: It does work if you enable PAM (UsePAM yes). If we talk about (1): To update the GLSA, we'd have to find out when enewuser was changed to insert a ":!:" instead of "::". subcreator@post.ru 2007-10-29 07:17:16 0000 2 Robert Buchholz: I installed mldonkey on 25 of march 2007, so the bug at least 7 months old. I.e. all ebuilds later than that date is unaffected. rbu@gentoo.org 2007-10-31 01:09:38 0000 When updating the GLSA, please add a reference to CVE-2007-5714. jaervosz@gentoo.org 2007-11-07 20:04:17 0000 Reworded description slightly and added CVE entry. - This user is created with a valid login shell and no password. + With older Portage versions this user is created with a valid login + shell and no password.