| Summary: | games.eclass creates games user with passwordless login | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Jakub Moc (RETIRED) <jakub> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | ||
| Severity: | normal | CC: | games |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | |||
| Bug Blocks: | 195033 | ||
|
Description
Jakub Moc (RETIRED)
2007-09-23 16:26:31 UTC
games.eclass uses enewuser() which uses `adduser` which by default, disables the account ... i dont know why you think you can login as games w/out a password since it clearly does not work a quick test over here shows correct behavior: # grep games /etc/shadow games:!:13780:0:99999:7::: (where '!' obviously means the account is locked out) it needs /bin/bash as a shell in order to run shell script daemons properly Well, unfortunately this is what I had here: # grep games /etc/shadow games::13230:0:99999:7::: The install on this box might be from 1.4 times or so. Needless to add, the games.eclass forcing /bin/bash totally doesn't help, and the only reference to an ebuild that requires bash (that I could find in the eclass) is some games server that should use s-s-d plus chuid instead. easy enough to add a warning to shadow's pkg_postinst() that scans /etc/shadow for users with blank passwords ... (In reply to comment #3) > easy enough to add a warning to shadow's pkg_postinst() that scans /etc/shadow > for users with blank passwords ... Well, that sounds a lot better than the current situation. :) |