Bug 1507 - root exploitable login with default PAM installation
Summary: root exploitable login with default PAM installation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: x86 Linux
Importance: High blocker
Assignee: Daniel Robbins (RETIRED)
Reported: 2002-04-03 15:34 UTC by Preston A. Elder
Modified: 2003-02-04 19:42 UTC
Description Preston A. Elder 2002-04-03 15:34:06 UTC
By default, the /etc/pam.d/system-auth file has 4 entries that reference
/lib/security/pam_pwdb.so.  ALL of these need to be changed to reference
/lib/security/pam_unix.so.

The effect of this bug is that anyone who has a valid password for any user on
the system can log in as root either from console by failing to log in with that
user ID 3 times, and then on the 4th attempt, succeeding to log in.

Please create a new ebuild of PAM that fixes this.
Comment 1 Daniel Robbins (RETIRED) gentoo-dev 2002-04-03 22:16:24 UTC
We have a new shadow that fixes this now.  Apparently pam_pwdb is broken --
wonderful.
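
An added example, not part of the original bug report or of Gentoo's fix: a small audit that parses a PAM stack file and lists the active rules that load pam_pwdb.so, the module the report says to replace with pam_unix.so. The file content is a constructed sample, and the function names (`logical_lines`, `find_pwdb`, `rewrite`) are hypothetical.

```python
import re

OLD = "pam_pwdb.so"   # module the report says to stop referencing
NEW = "pam_unix.so"   # module the report says to reference instead

# Constructed sample (not the real Gentoo file): one pam_pwdb.so rule per group.
SAMPLE = """\
#%PAM-1.0
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_pwdb.so likeauth nullok
account    required     /lib/security/pam_pwdb.so
password   sufficient   /lib/security/pam_pwdb.so nullok md5 shadow \\
                        use_authtok
session    required     /lib/security/pam_pwdb.so
# auth required /lib/security/pam_pwdb.so  (commented out, must be ignored)
"""

# type, control (plain word or [bracketed] form), module path, arguments
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")

def logical_lines(text):
    """Yield (first_line_no, text) with backslash continuations joined."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        start = start or n
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", 0

def find_pwdb(text):
    """Return (line_no, type) for every active rule that loads pam_pwdb.so."""
    hits = []
    for n, line in logical_lines(text):
        m = RULE.match(line.split("#", 1)[0].strip())
        if m and m.group(3).rsplit("/", 1)[-1] == OLD:
            hits.append((n, m.group(1)))
    return hits

def rewrite(text):
    """Swap the module name on active rules only; comments stay untouched."""
    out = []
    for line in text.splitlines(keepends=True):
        code, sep, comment = line.partition("#")
        out.append(code.replace(OLD, NEW) + sep + comment)
    return "".join(out)

if __name__ == "__main__":
    print(find_pwdb(SAMPLE))
```

To audit a real system, pass the contents of `/etc/pam.d/system-auth` to `find_pwdb` in place of the sample.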