[Pkg-shadow-devel] Bug#304350: marked as done (Please ask twice for passwords, even when DEBCONF_PRIORITY=critical)

Debian Bug Tracking System owner@bugs.debian.org
Tue, 05 Jul 2005 16:49:17 -0700


Your message dated Tue, 05 Jul 2005 16:02:32 -0400
with message-id <E1Dptcm-0006AE-00@newraff.debian.org>
and subject line Bug#304350: fixed in shadow 1:4.0.3-36
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 12 Apr 2005 15:11:14 +0000
From: Holger Levsen <debian@layer-acht.org>
To: submit@bugs.debian.org
Subject: always ask for passwords twice - also in critical installations
Date: Tue, 12 Apr 2005 17:10:29 +0200
Message-Id: <200504121710.38344.debian@layer-acht.org>

package: shadow

Hi,

currently, when doing d-i installs with DEBCONF_PRIORITY, root and user
passwords are only asked once (if not preseeded). IMO this is a grave bug, as
this provides no way to detect typos, so users will choose simple passwords.
(Or make typos...)  And it's also different from all password prompting user
interfaces I have seen.

<h01ger> bubulle: are you still of the opinion that it's sane to only ask for
the rootpw once if DEBCONF_PRIORITY=critical ?
<bubulle> h01ger: yes, but, well, my opinion is maybe not what is to be
implemented, after all.... I gave my arguments when this discussion occurred a
while ago, I have no new argument pro or against this.
<h01ger> bubulle: i'm strictly against asking for passwords only once. How to
detect typos that way ? There is no way so people will choose passwords like
"mate" or "123" :-( If you ask for passwords, you have to confirm them. For
critical installation mode, $disabled as a password would be much more
handy :)
<h01ger> bubulle: but we can discuss this nicely at debconf or maybe
linuxtag/karlsruhe already ?
<bubulle> h01ger: Sure. I think that, indeed, this decision is among those
which pertain to the whole d-i team.
<bubulle> As shadow maintainer now (sigh), I will implement what is judged as
most appropriate by the d-i team, as this feature is only used during
installs
<bubulle> [...] I *will* deal with that post-sarge...but, again, after taking
opinions from either the d-i team, or the technical committee, or by starting a
flamew^W discussion in -devel
<h01ger> bubulle: you might even argue that it's a debian decision. as
"ergonomic user interfaces" are demanded by some laws (you are not allowed to
use unergonomic software) and entering a password only once is against all
users expectations. - even admins have a right for ergonomic software :-) but
i absolutely agree with post-sarge and team-decision.
<bubulle> h01ger: yep, the decision about prompting the root pw twice is a
general design decision, so a "debian" decision (thus, technical committee,
again?)


regards,
 Holger


---------------------------------------
Received: (at 304350-close) by bugs.debian.org; 5 Jul 2005 20:13:00 +0000
From: Christian Perrier <bubulle@debian.org>
To: 304350-close@bugs.debian.org
Subject: Bug#304350: fixed in shadow 1:4.0.3-36
Message-Id: <E1Dptcm-0006AE-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Tue, 05 Jul 2005 16:02:32 -0400

Source: shadow
Source-Version: 1:4.0.3-36

We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive:

login_4.0.3-36_i386.deb
  to pool/main/s/shadow/login_4.0.3-36_i386.deb
passwd_4.0.3-36_i386.deb
  to pool/main/s/shadow/passwd_4.0.3-36_i386.deb
shadow_4.0.3-36.diff.gz
  to pool/main/s/shadow/shadow_4.0.3-36.diff.gz
shadow_4.0.3-36.dsc
  to pool/main/s/shadow/shadow_4.0.3-36.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 304350@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Perrier <bubulle@debian.org> (supplier of updated shadow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 20 Jun 2005 23:37:56 +0300
Source: shadow
Binary: login passwd
Architecture: source i386
Version: 1:4.0.3-36
Distribution: unstable
Urgency: low
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Changed-By: Christian Perrier <bubulle@debian.org>
Description: 
 login      - system login tools
 passwd     - change and administer password and group data
Closes: 75181 78961 87301 109279 192849 219321 244754 245332 248150 256732 261490 266281 269583 276419 286258 286616 287410 288106 288827 290842 298060 298773 304350 309408 312428 312429 312430 312431 312471 314303 314407 314423 314539 314727 315362 315372 315375 315378 315391 315407 315426 315429 315434 315483 315567 315727 315767 315783 315809 315812 315840 315972 316026
Changes: 
 shadow (1:4.0.3-36) unstable; urgency=low
 .
   * Debian specific programs fixes:
     - Re-enable logging and displaying failures on login when login is
       compiled with PAM and when FAILLOG_ENAB is set to yes. And create the
       faillog file if it does not exist on postinst (as on Woody).
       Closes: #192849
     - do not localize login's syslog messages.
   * Debian packaging fixes:
     - Fix FTBFS with new dpkg 1.13 and use a correct dpkg-architecture
       invocation. Closes: #314407
     - Add a comment about potential sensitive information exposure
       when LOG_UNKFAIL_ENAB is set in login.defs
       Closes: #298773
     - Remove limits.5 and limits.conf.5 man pages which do not
       reflect the way we deal with limits in Debian
       Closes: #288106, #244754
     - debian/login.defs:
       - Make SU_PATH and PATH consistent with the values used in /etc/profile
         Closes: #286616
       - Comment the UMASK setting which is more confusing than useful
         as it only affects console logins. Better use pam_umask instead
         Closes: #314539, #248150
       - Add a comment about "appropriate" values for umask
         Closes: #269583
       - Correct the assertion about the variable defined by QMAIL_DIR
         which is MAILDIR, not MAIL
         Closes: #109279
       - Move the PASS_MAX_LEN variable at the end of login.defs as this
         is obsoleted when using PAM
         Closes: #87301
     - debian/passwd.config:
       - Re-enable the password confirmation question at critical priority
         Closes: #304350
       - Do not prompt again for the login name when the two passwords don't
         match while creating a new user
         Closes: #245332
     - debian/add-shell.sh, debian/remove-shell.sh, debian/shadowconfig.sh,
       debian/passwd.config, debian/passwd.postinst:
       - checked for bashisms, replaced "#!/bin/bash" with "#!/bin/sh",
         Closes: #315767
       - replaced "test XXX -a YYY" XSI:isms with "test XXX && test YYY",
         for rationale see:
         http://www.opengroup.org/onlinepubs/009695399/utilities/test.html
       - replaced all unneeded "egrep"s with basic "grep"s
         Closes: #256732
     - debian/rules:
       Remove the setuid bit on login
       Closes: #298060
     - debian/passwd.templates:
       Templates rewrite to shorten them down a little and make them DTSG
       compliant. Give more details about what the user's full name is used
       for.
       Closes: #287410
     - Updated to Standards: 3.6.2 (checked)
   * Debconf translation updates:
     - Estonian added. Closes: #312471
     - Basque updated. Closes: #314303
     - Malagasy updated. Closes: #290842
     - Punjabi updated. Closes: #315372
     - Danish updated. Closes: #315378
     - Polish updated. Closes: #315391
     - Japanese updated. Closes: #315407
     - Brazilian Portuguese updated. Closes: #315426
     - Czech updated. Closes: #315429
     - Spanish updated. Closes: #315434
     - Lithuanian updated. Closes: #315483
     - Galician updated. Closes: #315362
     - Portuguese updated. Closes: #315375
     - Simplified Chinese updated. Closes: #315567
     - French updated
     - Ukrainian updated. Closes: #315727
     - Welsh updated. Closes: #315809
     - Slovak updated. Closes: #315812
     - Romanian updated. Closes: #315783
     - Finnish updated. Closes: #315972
     - Catalan updated. Closes: #316026
   * Man pages translation updates:
     - Remove the too outdated Korean translation of newgrp.1
       which doesn't even mention sg
       Closes: #261490
   * Man pages correction for Debian specific issues:
     - 402_usermod.8-system-users-range-286258:
       Document the system user range from 0 to 999 in Debian
       Closes: #286258
   * Upstream bugs not fixed in upstream releases or CVS:
     - 423_su_pass_args_without_concatenation
       Thanks to Helmut Waitzmann.
       Closes: #276419
       * pass the argument to the shell or command without concatenation
         before the call to exec.
       * If no command is provided, the arguments after the username are for
         the shell, no -c has to be appended.
     - 008_su_ignore_SIGINT
       * Also ignore SIGQUIT in su to avoid defeating the delay.
         The gain in security is very minor.
         Closes: #288827
     - 424_pwck.8_quiet_option
       pwck(8): document the -q option. Closes: #309408
     - 425_lastlog_8_sparse
       lastlog(8): Document that lastlog is a sparse file, and doesn't need to be
       rotated. Closes: #219321
     - 426_grpck_group-gshadow_members_consistency
       * (grpck) warn for inconsistencies between members in /etc/group and gshadow
         Closes: #75181
       * (pwck and grpck) warn and propose a fix for entries present in the
         regular /etc/group or /etc/passwd files and not in shadow/gshadow.
     - 427_chage_expiry_0
       Fix chage display in the case of null expiry fields (do not display
       Never, but 01 Jan 1970)
       Closes: #78961
   * Upstream bugs already fixed in upstream releases or CVS:
     - Corrected typos in chfn.1. Closes: #312428
     - Corrected typos in gshadow.5. Closes: #312429
     - Corrected typos in shadow.5. Closes: #312430
     - Corrected typos in grpck.8. Closes: #312431
     - Added patch (356th) for su to propagate SIGSTOP up and SIGCONT down.
       Added similar patch (357th) for newgrp. Both changes only affect
       operation with CLOSE_SESSION set to yes (in /etc/login.defs).
       Closes: #314727
   * Translation updates:
     - debian/patches/010_more-i18ned-messages
       - More messages are translatable. We will deal with the translation
         updates after syncing with upstream.
         Closes: #266281
     - debian/patches/114_eu:
       - Basque translation update. Closes: #314423
     - debian/patches/132_vi.dpatch:
       - Vietnamese translation update. Closes: #315840
Files: 
 2b951dfb5a5258b06dbf4cc9c1c10a9b 843 base required shadow_4.0.3-36.dsc
 c282dd24f1a680566120ef684f5c0386 1405333 base required shadow_4.0.3-36.diff.gz
 c3e579b2641ed0587fa4d8a2fb00e56c 504416 base required passwd_4.0.3-36_i386.deb
 9608524e0d057f7cbe832b35bde32f2e 590616 base required login_4.0.3-36_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCyuJO1OXtrMAUPS0RAh8zAKCdD/46/ukzdT+o7jJwPZYJ/ZnP2QCeImF4
ZIx948C5htLynLJrbekYXn4=
=Mslh
-----END PGP SIGNATURE-----