[Pkg-shadow-devel] Bug#628671: passwd: Ordinary users can't change their passwords.

Peter Chubb peter.chubb at nicta.com.au
Tue May 31 08:50:45 UTC 2011

Package: passwd
Version: 1:
Severity: normal

I'm running a server that has most users authenticate via LDAP and SSL, but
has a few local users with entries in /etc/shadow and /etc/passwd.

Thesse local users cannot change their passwords.  They see a message about Authentication token manipulation error

Running strace shows that passwd drops privilege and then cannot gain it again.
Strace output:
open(/etc/ldap/keys/cacert.pem", O_RDONLY) = 5
mmap(NULL, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb4fdf5c000
getuid()                                = 8299
mlock(0x7fb4fdf5c000, 32768)            = 0
geteuid()                               = 0
setuid(8299)                            = 0
getuid()                                = 8299
geteuid()                               = 8299
setuid(0)                               = -1 EPERM (Operation not permitted)

open("/etc/.pwd.lock", O_WRONLY|O_CREAT|O_CLOEXEC, 0600) = -1 EACCES (Permission

/etc/pam.d/common-passwd contains just these two lines:
password      required pam_unix.so nullok obscure sha512
password        sufficient      pam_ldap.so

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages passwd depends on:
ii  debianutils                  3.4.4       Miscellaneous utilities specific t
ii  libc6                        2.13-2      Embedded GNU C Library: Shared lib
ii  libpam-modules               1.1.2-3     Pluggable Authentication Modules f
ii  libpam0g                     1.1.2-3     Pluggable Authentication Modules l
ii  libselinux1                  2.0.98-1+b1 SELinux runtime shared libraries

passwd recommends no packages.

passwd suggests no packages.

-- no debconf information

More information about the Pkg-shadow-devel mailing list