Jeremy C. Reed | 4 May 20:28 2007

changing root's password changes login user instead

On NetBSD, logging in as a non-root user and then "su" to root followed 
by "passwd" will reset the original logged in user's password.

I was using NetBSD 3.1. But I tested on a more recent -current also.

It is often suggested to use "passwd root" to change root's password.

It doesn't display the "Changing local password for ...". Can we re-add 
that? (Does this need to be done in PAM?)

It appears to use getlogin(2) while other implementations use getuid(3) 
and getpwuid(3).

It doesn't check if there is a login/uid mismatch. Can we add a check for 
that?

So the behaviour in this example of

	passwd # no arguments

is different between FreeBSD and NetBSD.

I am not sure if "passwd(1)" is even covered by Open Group's Single UNIX 
specification or POSIX. (Does anyone know?)

Any comments on the differences of behaviour?

Should we have it output what username is being changed?

If we don't fix this to abort on login/uid mismatch, we should add a 

Thor Lancelot Simon | 4 May 20:54 2007

Re: changing root's password changes login user instead

On Fri, May 04, 2007 at 01:28:55PM -0500, Jeremy C. Reed wrote:
>
> On NetBSD, logging in as a non-root user and then "su" to root followed 
> by "passwd" will reset the original logged in user's password.

Of course it does -- if you want the system to behave as if you logged
in as root, use 'su - root'.  Otherwise, you get root's uid with your own
login environment -- which is what Unix su has done for as long as I can
remember, anyway.  "Unix gives you enough rope."

I believe you can also change the behavior of passwd by changing the
value of the $USER or $LOGNAME environment variables.

Thor

Jeremy C. Reed | 4 May 23:31 2007

Re: changing root's password changes login user instead

On Fri, 4 May 2007, Thor Lancelot Simon wrote:

> On Fri, May 04, 2007 at 01:28:55PM -0500, Jeremy C. Reed wrote:
> >
> > On NetBSD, logging in as a non-root user and then "su" to root followed 
> > by "passwd" will reset the original logged in user's password.
> 
> Of course it does -- if you want the system to behave as if you logged
> in as root, use 'su - root'.  Otherwise, you get root's uid with your own
> login environment -- which is what Unix su has done for as long as I can
> remember, anyway.  "Unix gives you enough rope."

I can't repeat that on my NetBSD systems. I tried on 3.1 and also 3.99.24.
I also tried "su -l root" (but - is -l).

Can anyone else please test this?

For example on NetBSD 3.1:

$ id
uid=1002(reed) gid=100(users) groups=100(users),0(wheel)
$ echo $USER $LOGNAME
reed reed
$ su -l root
Password: <-- typed in my long password
Terminal type is xterm.                                                 
c-0500# id
uid=0(root) gid=0(wheel) groups=0(wheel),2(kmem),3(sys),4(tty),5(operator),20(staff),31(guest)
c-0500# echo $USER $LOGNAME

Daniel Carosone | 5 May 01:12 2007

Re: changing root's password changes login user instead

On Fri, May 04, 2007 at 01:28:55PM -0500, Jeremy C. Reed wrote:
> It doesn't display the "Changing local password for ...". Can we re-add 
> that? (Does this need to be done in PAM?)

Whatever else happens, we should do this at least.

--
Dan.

John Nemeth | 5 May 11:42 2007

Re: changing root's password changes login user instead

On Aug 20,  4:38am, "Jeremy C. Reed" wrote:
} On Fri, 4 May 2007, Thor Lancelot Simon wrote:
} > On Fri, May 04, 2007 at 01:28:55PM -0500, Jeremy C. Reed wrote:
} > >
} > > On NetBSD, logging in as a non-root user and then "su" to root followed 
} > > by "passwd" will reset the original logged in user's password.

     I've been admining UNIX systems for over 15 years on a variety of
OSes and as far as I can recall, this is how it has always worked.

} > Of course it does -- if you want the system to behave as if you logged
} > in as root, use 'su - root'.  Otherwise, you get root's uid with your own
} > login environment -- which is what Unix su has done for as long as I can
} > remember, anyway.  "Unix gives you enough rope."
} 
} I can't repeat that on my NetBSD systems. I tried on 3.1 and also 3.99.24.
} I also tried "su -l root" (but - is -l).
} 
} Can anyone else please test this?
} 
} For example on NetBSD 3.1:
} 
} $ id
} uid=1002(reed) gid=100(users) groups=100(users),0(wheel)
} $ echo $USER $LOGNAME
} reed reed
} $ su -l root
} Password: <-- typed in my long password
} Terminal type is xterm.                                                 
} c-0500# id

Michael Piotrowski | 11 May 10:37 2007

systrace and non-existent files

Hi,

This week my hard disk crashed and in the course of recovery I updated
from NetBSD 3.0.1 to 3.1.

I'm using systrace quite a lot (for running students' programming
assignments), and after the update I noticed that some interpreters are
now being killed by systrace and that for others lots of "deny" messages
are being logged--while it had worked fine before.  I quickly noticed
that this was related to the handling of non-existent filenames.  While
before rules like

  netbsd-fsread: filename match "/<non-existent filename>: *" then deny[enoent]

worked, they no longer match.

It seems that this is the same issue as described in PR 32360 ("recent
changes breaks systrace fswrite").  Browsing CVS, I found that this
problem was fixed in revision 1.36.2.2 of getcwd.c, but in revision
1.36.2.3, which is used in NetBSD 3.1, exactly this change was removed.

Being unable to handle non-existent filenames correctly severely limits
the usefulness of systrace for me.

Does anybody know whether this problem will be fixed in the next
release? Or are there any recommendations for what I could do?

Thanks and greetings


Jeremy C. Reed | 11 May 23:20 2007

Re: changing root's password changes login user instead

On Sat, 5 May 2007, John Nemeth wrote:

> } > > On NetBSD, logging in as a non-root user and then "su" to root followed 
> } > > by "passwd" will reset the original logged in user's password.
> 
>      I've been admining UNIX systems for over 15 years on a variety of
> OSes and as far as I can recall, this is how it has always worked.

Is the behaviour defined anywhere?

Because on FreeBSD and on Gentoo Linux it is different than NetBSD.

> Note that the passwd program uses getlogin() to determine who you are
> and passes that to getpwnam().

Yes. I just don't think it should use getlogin() -- especially since "su 
-l" only "simulates" login and doesn't setlogin().

> } Also what about the regression? Before PAM (I think), it used to display: 
> } "Changing local password for ..."
> 
>      Ignoring the nitpick that the password may not be local, I'll add
> this message.

Thanks for doing that!

  Jeremy C. Reed
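
The login/uid mismatch check asked about in this thread, as an added example that is not NetBSD's passwd source and not code from any poster. check_target() and its status names are hypothetical; it compares the account named by getlogin() with the real uid from getuid() and refuses to pick a target when they disagree.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum target_status { TARGET_OK, TARGET_MISMATCH, TARGET_UNKNOWN };

/*
 * check_target() is a hypothetical helper: look up the login name (what
 * getlogin() reports) and compare that account's uid with the real uid.
 * Comparing uids rather than names lets aliases that share a uid pass.
 */
enum target_status
check_target(const char *login, uid_t ruid, char *owner, size_t ownerlen)
{
	struct passwd *pw;

	if (owner != NULL && ownerlen > 0)
		owner[0] = '\0';
	if (login == NULL || (pw = getpwnam(login)) == NULL)
		return TARGET_UNKNOWN;
	if (pw->pw_uid == ruid)
		return TARGET_OK;
	/* Mismatch: report which account the real uid belongs to. */
	if (owner != NULL && ownerlen > 0 && (pw = getpwuid(ruid)) != NULL)
		snprintf(owner, ownerlen, "%s", pw->pw_name);
	return TARGET_MISMATCH;
}

int
main(void)
{
	const char *login = getlogin();	/* NULL when no login name is set */
	uid_t ruid = getuid();
	char owner[64];

	switch (check_target(login, ruid, owner, sizeof(owner))) {
	case TARGET_OK:
		printf("Changing password for %s.\n", login);
		return 0;
	case TARGET_MISMATCH:
		fprintf(stderr, "login name %s is not uid %lu (%s); aborting\n",
		    login, (unsigned long)ruid, owner[0] ? owner : "unknown");
		return 1;
	default:
		fprintf(stderr, "cannot determine login name\n");
		return 1;
	}
}
```

Run after a plain "su" from a non-root login, the login name still names the original user while the real uid is 0, so the mismatch branch is taken instead of silently changing the original user's password.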

Bernd Ernesti | 13 May 15:04 2007

Re: /etc/services entries (was: CVS commit: src/etc)

[please reply only to tech-userlevel]

On Thu, May 10, 2007 at 11:06:00AM -0400, Christos Zoulas wrote:
> On May 10,  8:49am, netbsd <at> lists.veego.de (Bernd Ernesti) wrote:
> -- Subject: /etc/services entries (was: CVS commit: src/etc)
> 
> | I thought it was the consent that we would NOT add all the services over >1024
> | from this list.
> 
> I don't think this is the case.
> 
> | Now I would get the strange ports names instead of the port number for all
> | connections and wonder what service I now use and my machine.
> | 
> | This is now a 960KB file instead of the 13KB which it was before.
> 
> Bring it up to tech-userlevel. It is easy enough to change.

Ok, let's see:

1. Now a lot of random ports have a name and this makes using /etc/services
   useless, because this implies to use '-n' or whatever flag to get
   something useful out of netstat, ...
2. The penalty to lookup such a huge file seems not worth it
3. The size of /etc increased quite a bit
4. bin/36313 or whatever else changed

I would like to see the default /etc/services be back to how it was and
make it optional to use a big one for people who really want it.
Where it would make sense to update the ports <1024 with the IANA list.

Valeriy E. Ushakov | 13 May 17:23 2007

Re: /etc/services entries (was: CVS commit: src/etc)

On Sun, May 13, 2007 at 15:04:39 +0200, Bernd Ernesti wrote:

> 1. Now a lot of random ports have a name and this makes using /etc/services
>    useless, because this implies to use '-n' or whatever flag to get
>    something useful out of netstat, ...
> 2. The penalty to lookup such a huge file seems not worth it
> 3. The size of /etc increased quite a bit
> 4. bin/36313 or whatever else changed

5. services_mkdb takes *ages* on a slower machine running off of nfs root.

SY, Uwe
-- 
uwe <at> stderr.spb.ru                       |       Zu Grunde kommen
http://snark.ptc.spbu.ru/~uwe/          |       Ist zu Grunde gehen

lucio | 13 May 16:03 2007

Re: /etc/services entries (was: CVS commit: src/etc)

> I would like to see the default /etc/services be back to how it was and
> make it optional to use a big one for people who really want it.
> Where it would make sense to update the ports <1024 with the IANA list.

Would it make any sense to make the assignments to ports above 1024
resolved only on request, something like an inverse "n" flag?

I appreciate the effort involved (I'll help with coding, if wanted),
but I also feel the pain...

++L