Opened 12 years ago

Closed 12 years ago

#3019 closed enhancement (fixed)

Shadow-4.1.5

Reported by: Matthew Burgess
Owned by: Matthew Burgess
Priority: normal
Milestone: 7.1
Component: Book
Version: SVN
Severity: minor
Keywords:
Cc:

Description

New version. Release announcement at http://pkg-shadow.alioth.debian.org/releases/shadow-4.1.5.NEWS. Of particular note is that this release fixes CVE-2005-4890 (https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2005-4890)

Change History (5)

comment:1 by Matthew Burgess, 12 years ago

Owner: changed from lfs-book@… to Matthew Burgess
Status: changed from new to assigned

comment:2 by Matthew Burgess, 12 years ago

This hasn't broken the build, but it does produce a new, rather ugly, warning:

root:/# passwd
Changing password for root
Enter the new password (minimum of 5 characters)
Please use a combination of upper and lower case letters and numbers.
New password: 
Re-enter new password: 
passwd: nscd exited with status 1passwd: Failed to flush the nscd cache.
passwd: nscd exited with status 1passwd: Failed to flush the nscd cache.
passwd: nscd exited with status 1passwd: Failed to flush the nscd cache.
passwd: nscd exited with status 1passwd: Failed to flush the nscd cache.
passwd: password changed.

I'll investigate further this evening.

comment:3 by Matthew Burgess, 12 years ago

It looks like this was added at http://anonscm.debian.org/viewvc/pkg-shadow/upstream/trunk/lib/nscd.c?revision=3475&view=markup. The logic there looks nearly right :-) but fails in our case because we have nscd installed, but we never start it up. I'll report this upstream and see if they want to handle that case as well. Or, do we want to actually configure/start nscd on bootup?

comment:4 by bdubbs@…, 12 years ago

There seem to be two errors here. nscd will return an unconditional error if there is no /etc/nscd.conf file right at the beginning. If /etc/nscd.conf does exist, but the table does not, then nscd returns an error of EINVAL.

The new shadow routine does not differentiate between these errors.

Actually, I think the shadow routine should test if nscd is running and, if not, just return from the routine.

I tried running nscd and it failed because /var/run/nscd/ did not exist, but it runs after creating that directory.

The only thing that shadow really needs to do is test /var/run/nscd/nscd.pid for existence at the beginning of the nscd_flush_cache function.

if ( access( "/var/run/nscd/nscd.pid", F_OK ) ) return 1;

Otherwise, it can do what it is doing.

Of course, we could just use --without-nscd, but that is less flexible. On the other hand, we build shadow now without auditing support, pam, acl, attr, or skey.
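The pid-file check proposed in comment:4, shown as an added example that is not shadow's or upstream's code. It goes one step beyond the existence test by also rejecting an unparsable or stale pid file; the function names and the `/usr/sbin/nscd` path are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return 1 if pidfile names a live process, 0 otherwise (missing file,
 * unparsable content, or a stale PID left behind by a dead daemon). */
int nscd_is_running(const char *pidfile)
{
    FILE *fp = fopen(pidfile, "r");
    long pid = 0;
    int ok;

    if (fp == NULL)
        return 0;
    /* Require pid > 0: kill(0, ...) and kill(-1, ...) address process
     * groups, not a single daemon. */
    ok = (fscanf(fp, "%ld", &pid) == 1 && pid > 0);
    fclose(fp);
    if (!ok)
        return 0;
    /* Signal 0 only probes; EPERM still means the process exists. */
    return kill((pid_t)pid, 0) == 0 || errno == EPERM;
}

/* Flush one nscd table. Returns 0 when flushed or when there is nothing
 * to flush (daemon not running), -1 when a running nscd failed to flush. */
int flush_nscd_cache(const char *pidfile, const char *table)
{
    int status;
    pid_t child;

    if (!nscd_is_running(pidfile))
        return 0;               /* no daemon, no cache: not an error */
    child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        /* Assumed install path; fixed argv, no shell involved. */
        execl("/usr/sbin/nscd", "nscd", "-i", table, (char *)NULL);
        _exit(127);             /* exec failed */
    }
    if (waitpid(child, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```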

in reply to:  4 comment:5 by Matthew Burgess, 12 years ago

Resolution: fixed
Severity: changed from normal to minor
Status: changed from assigned to closed

Replying to bdubbs@…:

> Actually, I think the shadow routine should test if nscd is running and, if not, just return from the routine.

That's exactly what they did upstream. Fixed in r9745 with the upstream fix applied via a patch.
