From a fresh cauldron install.log:
    grep: /etc/ssh/denyusers: No such file or directory
    xguest-1.0.10-1.mga2.noarch
The result was that after installation, /etc/ssh/denyusers was empty, which might be a serious security risk.
(And please make guest account activation during installation opt-in instead of opt-out. I do not know of any other OS enabling a guest user by default.)
Hi, thanks for reporting this bug. As there is no maintainer for this package I added the committers in CC. /etc/ssh/denyusers is in openssh-server see http://svnweb.mageia.org/packages?view=revision&revision=188774 (Please set the status to 'assigned' if you are working on it)
CC: (none) => ennael1, mageia
CC: (none) => remco
Assignee: bugsquad => remco
Status: NEW => ASSIGNED
I don't understand why you want "xguest" to create "/etc/ssh/denyusers" if not available (so "openssh" not installed). If you install openssh next, your "/etc/ssh/denyusers" file will be renamed "/etc/ssh/denyusers.rpmsave" so won't be used... I made the modification but have not committed it for now. Why not add this in "openssh" as "/etc/ssh/denyusers" is created by this package?
Status: ASSIGNED => NEW
Damien, Attached my proposal for fixing this issue (I had assigned it to myself before I saw you are listed as the xguest maintainer now). Your thoughts on it are appreciated as it's been suggested that using file triggers for this might be suboptimal. I personally think the attached patch is a good way to deal with this and to prevent us from leaving the backdoor wide open by accident. I also note that the issue is present in 1, but the attached patch has only been tested by me on Cauldron.
Keywords: (none) => Security
Version: Cauldron => 1
Created attachment 1659
Proposed work around to ensure we always end up with xguest in denyusers file when installed
Blocks: (none) => 4650
Priority: Normal => release_blocker
That would work but wouldn't it be simpler to add it as a package trigger?
CC: (none) => pterjan
pterjan: You are probably right... and am happy to redo the patch I worked on if you can provide me with a pointer to the concept. I did find and use https://wiki.mageia.org/en/RPM_filetriggers while working on the proposed patch, but couldn't find a page on package triggers.
http://docs.fedoraproject.org/en-US/Fedora_Draft_Documentation/0.1/html/RPM_Guide/ch10s02.html
http://rpm.org/api/4.4.2.2/triggers.html
It would give something like:
    %triggerin -- openssh-server
    if ! grep -q xguest /etc/ssh/denyusers; then
        echo xguest >> /etc/ssh/denyusers
    fi
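An added example, not part of the thread or of the xguest package: a more defensive form of the check in the trigger sketched in the comment above. It assumes one user name per line in the deny file; `ensure_denied` is a hypothetical helper name. It covers the missing-file case from the install log and goes beyond the sketch by matching the whole line.

```shell
#!/bin/sh
# Added example: ensure_denied is a hypothetical helper, not xguest's scriptlet.
# Assumption: the deny file holds one user name per line.

# ensure_denied USER FILE
#   0 = USER is listed on its own line (already there, or appended now)
#   1 = bad arguments
#   2 = FILE does not exist; nothing written
ensure_denied() {
    user=$1
    file=$2
    [ -n "$user" ] && [ -n "$file" ] || return 1

    # Case from the install log: openssh-server is not installed, so the file
    # is missing. Skip instead of creating a file that package owns.
    [ -f "$file" ] || return 2

    # -x matches the whole line and -F takes the name literally, so an entry
    # such as "xguest2" or "# xguest" does not count as "xguest".
    if grep -qxF -- "$user" "$file"; then
        return 0
    fi

    # If the last line has no newline, add one so the new entry is not glued
    # onto it. $(...) strips a trailing newline, so output means "missing".
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s\n' "$user" >> "$file"
}

# Constructed demo on a scratch file, never the real /etc/ssh/denyusers.
tmp=$(mktemp -d)
printf 'xguest2' > "$tmp/denyusers"      # near-miss name, no trailing newline
ensure_denied xguest "$tmp/denyusers"
ensure_denied xguest "$tmp/denyusers"    # second run must not add a duplicate
cat "$tmp/denyusers"
rm -rf "$tmp"
```

Inside a `%triggerin -- openssh-server` scriptlet the call would be `ensure_denied xguest /etc/ssh/denyusers`, with return code 2 treated as "nothing to do".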
@pterjan: Thank you very kindly for your help with this. @pterjan/coincoin: Can you please review the change in cauldron SVN and if in agreement, submit it?
Just submitted.
CC: (none) => guillomovitch
Is this bug also valid for cauldron?
A fix was pushed to cauldron more than a month ago, without feedback. And it's definitely not a critical issue.
Priority: release_blocker => Normal
Severity: major => normal
Please look at the bottom of this mail to see whether you're the assignee of this bug, if you don't already know whether you are.
If you're the assignee: We'd like to know for sure whether this bug was assigned correctly. Please change status to ASSIGNED if it is, or put OK on the whiteboard instead. If you don't have a clue and don't see a way to find out, then please put NEEDHELP on the whiteboard. Please assign back to Bug Squad or to the correct person to solve this bug if we were wrong to assign it to you, and explain why. Thanks :)
****************************
@ the reporter and persons in the cc of this bug: If you have any new information that wasn't given before (like this bug being valid for another version of Mageia, too, or it being solved) please tell us.
@ the reporter of this bug: If you didn't reply yet to a request for more information, please do so within two weeks from now.
Thanks all :-D
Fixed in mga2. There won't be a backport for mga1 (mga1 users should upgrade to mga2)
Status: ASSIGNED => RESOLVED
CC: (none) => thierry.vignaud
Resolution: (none) => FIXED