Bug 12006 - updating /etc/shadow file with new file locks root password
Summary: updating /etc/shadow file with new file locks root password
Status: RESOLVED DUPLICATE of bug 14266
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: Cauldron
Hardware: x86_64 Linux
Priority: Normal major
Target Milestone: ---
Assignee: Mageia Bug Squad
Duplicates: 12064
Reported: 2013-12-16 01:33 CET by Andrew S
Modified: 2015-03-23 08:28 CET
Source RPM: rpmdrake


Attachments
be verbose about ignored .rpmnew files (674 bytes, patch)
2013-12-30 03:11 CET, Thierry Vignaud

Description Andrew S 2013-12-16 01:33:58 CET
Description of problem:
Doing a standard prompted update, we have the option to inspect and change the /etc/shadow on new installations.
However, this locks out the root user from MCC and the console.

Version-Release number of selected component (if applicable):


How reproducible:
Accept changes to /etc/shadow on inspect file option

Steps to Reproduce:
1.
2.
3.
console work before and after updating
[andrew@localhost ~]$ su 
Password: 
[root@localhost andrew]# echo "now updating...."
now updating....
[root@localhost andrew]# cp /etc/shadow /etc/shadow.old
[root@localhost andrew]# exit
exit
[andrew@localhost ~]$ su
Password: 
su: Authentication failure
[andrew@localhost ~]$ ls /etc/shadow*
/etc/shadow  /etc/shadow-  /etc/shadow.lock  /etc/shadow.old
[andrew@localhost ~]$ ls /etc/shadow*
/etc/shadow  /etc/shadow-  /etc/shadow.lock  /etc/shadow.old
[andrew@localhost ~]$ cat /etc/shadow
root:*:16053:0:99999:7:::
bin:*:16053:0:99999:7:::
daemon:*:16053:0:99999:7:::
adm:*:16053:0:99999:7:::
lp:*:16053:0:99999:7:::
sync:*:16053:0:99999:7:::
mail:*:16053:0:99999:7:::
news:*:16053:0:99999:7:::
uucp:*:16053:0:99999:7:::
operator:*:16053:0:99999:7:::
games:*:16053:0:99999:7:::
nobody:*:16053:0:99999:7:::
[andrew@localhost ~]$ cat /etc/shadow.old
root:$2a$08$05JNKxRrpVyo.qjYPvkkW.sEnNXgY8LX7hq.fUkFRWdrJVSvrW5CK:16054:0:99999:7:::
bin:*:15850:0:99999:7:::
daemon:*:15850:0:99999:7:::
adm:*:15850:0:99999:7:::
lp:*:15850:0:99999:7:::
sync:*:15850:0:99999:7:::
mail:*:15850:0:99999:7:::
news:*:15850:0:99999:7:::
uucp:*:15850:0:99999:7:::
operator:*:15850:0:99999:7:::
games:*:15850:0:99999:7:::
nobody:*:15850:0:99999:7:::
messagebus:!:16054::::::
avahi:!:16054::::::
avahi-autoipd:!:16054::::::
polkitd:!:16054::::::
colord:!:16054::::::
usbmux:!:16054::::::
rpm:!:16054::::::
rtkit:!:16054::::::
vcsa:!:16054::::::
gdm:!:16054::::::
andrew:$2a$08$t4riv9wx4iI1hejuW4bH1eNn1GkuiJuTA15NlRxT8Xz/fX4C1b63m:16054:0:99999:7:::
mpd:!:16054::::::
lightdm:!:16054::::::
davfs2:!:16054::::::
[andrew@localhost ~]$ su
Password: 
su: Authentication failure
[andrew@localhost ~]$ cat /etc/shadow.lock
cat: /etc/shadow.lock: Permission denied
[andrew@localhost ~]$ cat /etc/shadow-
cat: /etc/shadow-: Permission denied
[andrew@localhost ~]$ 

Comment 1 Thierry Vignaud 2013-12-16 10:35:15 CET
You should have kept your own file!
Maybe rpmdrake should have a list of known files where a warning should be displayed.

CC: (none) => mageia, pterjan, thierry.vignaud
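
An added example (not part of the original report, and not rpmdrake's code) of the kind of warning suggested in Comment 1: before a replacement for /etc/shadow is accepted, list the accounts whose usable password hash would become locked or disappear. The function names, file names and sample entries are constructed for illustration; the script only touches files in a temporary directory.

```shell
# Added example: list accounts that a proposed shadow file would lock out.

# shadow_lockouts CURRENT CANDIDATE
# Prints "LOCKED name" or "MISSING name" for each account that has a hash in
# CURRENT but is locked ("*" or "!" prefix) or absent in CANDIDATE.
# Exit status is 1 if any account is affected, 0 otherwise.
shadow_lockouts() {
    awk -F: -v cand="$2" '
        # usable: field is non-empty and does not start with a lock marker
        function usable(f) { return (f != "") && (f !~ /^[*!]/) }
        BEGIN {
            # Load the password field of every account in the candidate file
            while ((getline line < cand) > 0) {
                split(line, a, ":")
                cpw[a[1]] = a[2]
            }
        }
        usable($2) {
            if (!($1 in cpw))           { print "MISSING " $1; bad = 1 }
            else if (!usable(cpw[$1]))  { print "LOCKED " $1; bad = 1 }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample files modelled on the listing in this report.
# The hash strings are placeholders, not real password hashes.
make_samples() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/shadow.current" <<'EOF'
root:$2a$08$PLACEHOLDER.ROOT.HASH:16054:0:99999:7:::
bin:*:15850:0:99999:7:::
gdm:!:16054::::::
andrew:$2a$08$PLACEHOLDER.USER.HASH:16054:0:99999:7:::
EOF
    cat > "$dir/shadow.candidate" <<'EOF'
root:*:16053:0:99999:7:::
bin:*:16053:0:99999:7:::
EOF
    echo "$dir"
}

samples=$(make_samples)
if report=$(shadow_lockouts "$samples/shadow.current" "$samples/shadow.candidate"); then
    echo "candidate keeps every usable password"
else
    printf 'not replacing shadow, these accounts would be locked out:\n%s\n' "$report"
fi
rm -rf "$samples"
```

Accounts that are already locked in the current file (such as bin and gdm in the sample) are not reported, so the output only names logins that actually stop working.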

Comment 2 Colin Guthrie 2013-12-16 10:39:24 CET
Could we not create them as %ghost files instead? i.e. install the real files into /usr/share/setup/defaultetc/ and copy them over to /etc if the files are missing? That way they won't get updated thereafter but would still be "owned" by the package. WDYT?

Comment 3 Andrew S 2013-12-16 13:40:46 CET
It's impossible to get back in once the /etc/shadow has been changed. Even rebooting the computer in safe mode took me to a maintenance screen, but my root password was no good, so it is impossible to fix without a live disk.

Comment 4 Colin Guthrie 2013-12-16 13:45:26 CET
FYI: You can typically get in via init=/bin/bash on the kernel command line. The initrd should be responsible for mounting /usr if it's separate and thus this should give you enough to set the root and any user passwords again.

Manuel Hiebel 2013-12-30 02:46:44 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=12064

Comment 5 Thierry Vignaud 2013-12-30 02:55:59 CET
*** Bug 12064 has been marked as a duplicate of this bug. ***

See Also: https://bugs.mageia.org/show_bug.cgi?id=12064 => (none)
CC: (none) => pf

Comment 6 Thierry Vignaud 2013-12-30 02:56:36 CET
This should not happen as this file is in the list of files to ignore...

Source RPM: (none) => rpmdrake

Comment 7 Thierry Vignaud 2013-12-30 03:11:39 CET
Created attachment 4682
be verbose about ignored .rpmnew files

And indeed with that patch, rpmdrake shows it's ignoring those files:

Searching .rpmnew and .rpmsave files...
>> ignoring /etc/sysconfig/harddisks
>> ignoring /etc/adjtime
>> ignoring /etc/crypttab
>> ignoring /etc/modules
>> ignoring /etc/sysconfig/autofsck
>> ignoring /etc/sysconfig/init
>> ignoring /etc/ld.so.conf
>> ignoring /etc/fstab
>> ignoring /etc/group
>> ignoring /etc/gshadow
>> ignoring /etc/hosts
>> ignoring /etc/passwd
>> ignoring /etc/resolv.conf
>> ignoring /etc/shadow
>> ignoring /etc/shells
>> ignoring /etc/sudoers
>> ignoring /etc/sysconfig/saslauthd
>> ignoring /etc/sysconfig/harddrake2/previous_hw
>> ignoring /etc/sysconfig/alsa
>> ignoring /etc/security/fileshare.conf
>> ignoring /etc/sysconfig/installkernel
done.

Comment 8 Rémi Verschelde 2015-03-23 08:28:26 CET
Dup of bug 14266 which is being fixed.

*** This bug has been marked as a duplicate of bug 14266 ***

Status: NEW => RESOLVED
CC: (none) => remi
Resolution: (none) => DUPLICATE

