[Bug 1641213] Re: PAM blocks fixing `chsh`ing root to a nonexistent shell
Chai T. Rex
1641213 at bugs.launchpad.net
Fri Nov 11 20:06:08 UTC 2016
** Description changed:
Ubuntu release
==============
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Package version
===============
According to `apt-file search /etc/pam.d/chsh`, package `passwd` owns
that file.
passwd:
- Installed: 1:4.2-3.1ubuntu5
- Candidate: 1:4.2-3.1ubuntu5
- Version table:
- *** 1:4.2-3.1ubuntu5 500
- 500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
- 100 /var/lib/dpkg/status
+ Installed: 1:4.2-3.1ubuntu5
+ Candidate: 1:4.2-3.1ubuntu5
+ Version table:
+ *** 1:4.2-3.1ubuntu5 500
+ 500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
+ 100 /var/lib/dpkg/status
What you expected to happen
===========================
The following should mess up root's default shell and then fix it to use
`bash`.
- sudo chsh -s /bin/nonexistent
- sudo chsh -s /bin/bash
+ sudo chsh -s /bin/nonexistent
+ sudo chsh -s /bin/bash
What happened instead
=====================
PAM blocks what should be a simple fix:
- $ sudo chsh -s /bin/noexistent
- chsh: Warning: /bin/noexistent does not exist
- $ sudo chsh -s /bin/bash
- Password:
- chsh: PAM: Authentication failure
+ $ sudo chsh -s /bin/nonexistent
+ chsh: Warning: /bin/nonexistent does not exist
+ $ sudo chsh -s /bin/bash
+ Password:
+ chsh: PAM: Authentication failure
Note especially that the password prompt above isn't the standard `sudo`
password prompt. `sudo` has already been recently given a password, so
it didn't ask again.
- $ SHELL=/bin/bash sudo --shell
- # chsh -s /bin/bash
- Password:
- chsh: PAM: Authentication failure
+ $ SHELL=/bin/bash sudo --shell
+ # chsh -s /bin/bash
+ Password:
+ chsh: PAM: Authentication failure
This happens even though the `root` account is disabled and thus has no
password. Even setting a password for `root` and using that password
doesn't work, so it's apparently not asking for the `root` password.
Workaround
==========
1. Edit `/etc/pam.d/chsh`
2. Comment out the line `auth required pam_shells.so`
3. Run `sudo chsh -s /bin/bash`
4. Edit `/etc/pam.d/chsh`
5. Uncomment the line `auth required pam_shells.so`
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: passwd 1:4.2-3.1ubuntu5
ProcVersionSignature: Ubuntu 4.4.0-47.68-generic 4.4.24
Uname: Linux 4.4.0-47-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: Unity
Date: Fri Nov 11 14:42:57 2016
DistributionChannelDescriptor:
- # This is a distribution channel descriptor
- # For more information see http://wiki.ubuntu.com/DistributionChannelDescriptor
- canonical-oem-somerville-xenial-amd64-20160624-2
+ # This is a distribution channel descriptor
+ # For more information see http://wiki.ubuntu.com/DistributionChannelDescriptor
+ canonical-oem-somerville-xenial-amd64-20160624-2
EcryptfsInUse: Yes
InstallationDate: Installed on 2016-11-01 (10 days ago)
InstallationMedia: Ubuntu 16.04 "Xenial" - Build amd64 LIVE Binary 20160624-10:47
SourcePackage: shadow
UpgradeStatus: No upgrade log present (probably fresh install)
** Description changed:
Ubuntu release
==============
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Package version
===============
According to `apt-file search /etc/pam.d/chsh`, package `passwd` owns
that file.
passwd:
Installed: 1:4.2-3.1ubuntu5
Candidate: 1:4.2-3.1ubuntu5
Version table:
*** 1:4.2-3.1ubuntu5 500
500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
What you expected to happen
===========================
The following should mess up root's default shell and then fix it to use
- `bash`.
+ `bash`:
sudo chsh -s /bin/nonexistent
sudo chsh -s /bin/bash
What happened instead
=====================
PAM blocks what should be a simple fix:
- $ sudo chsh -s /bin/nonexistent
- chsh: Warning: /bin/nonexistent does not exist
+ $ sudo chsh -s /bin/noexistent
+ chsh: Warning: /bin/noexistent does not exist
$ sudo chsh -s /bin/bash
Password:
chsh: PAM: Authentication failure
Note especially that the password prompt above isn't the standard `sudo`
password prompt. `sudo` has already been recently given a password, so
it didn't ask again.
$ SHELL=/bin/bash sudo --shell
# chsh -s /bin/bash
Password:
chsh: PAM: Authentication failure
This happens even though the `root` account is disabled and thus has no
password. Even setting a password for `root` and using that password
doesn't work, so it's apparently not asking for the `root` password.
Workaround
==========
1. Edit `/etc/pam.d/chsh`
2. Comment out the line `auth required pam_shells.so`
3. Run `sudo chsh -s /bin/bash`
4. Edit `/etc/pam.d/chsh`
5. Uncomment the line `auth required pam_shells.so`
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: passwd 1:4.2-3.1ubuntu5
ProcVersionSignature: Ubuntu 4.4.0-47.68-generic 4.4.24
Uname: Linux 4.4.0-47-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: Unity
Date: Fri Nov 11 14:42:57 2016
DistributionChannelDescriptor:
# This is a distribution channel descriptor
# For more information see http://wiki.ubuntu.com/DistributionChannelDescriptor
canonical-oem-somerville-xenial-amd64-20160624-2
EcryptfsInUse: Yes
InstallationDate: Installed on 2016-11-01 (10 days ago)
InstallationMedia: Ubuntu 16.04 "Xenial" - Build amd64 LIVE Binary 20160624-10:47
SourcePackage: shadow
UpgradeStatus: No upgrade log present (probably fresh install)
** Description changed:
Ubuntu release
==============
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Package version
===============
According to `apt-file search /etc/pam.d/chsh`, package `passwd` owns
that file.
passwd:
Installed: 1:4.2-3.1ubuntu5
Candidate: 1:4.2-3.1ubuntu5
Version table:
*** 1:4.2-3.1ubuntu5 500
500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
What you expected to happen
===========================
The following should mess up root's default shell and then fix it to use
`bash`:
sudo chsh -s /bin/nonexistent
sudo chsh -s /bin/bash
What happened instead
=====================
PAM blocks what should be a simple fix:
- $ sudo chsh -s /bin/noexistent
- chsh: Warning: /bin/noexistent does not exist
+ $ sudo chsh -s /bin/nonexistent
+ chsh: Warning: /bin/nonexistent does not exist
$ sudo chsh -s /bin/bash
Password:
chsh: PAM: Authentication failure
Note especially that the password prompt above isn't the standard `sudo`
password prompt. `sudo` has already been recently given a password, so
it didn't ask again.
$ SHELL=/bin/bash sudo --shell
# chsh -s /bin/bash
Password:
chsh: PAM: Authentication failure
This happens even though the `root` account is disabled and thus has no
password. Even setting a password for `root` and using that password
doesn't work, so it's apparently not asking for the `root` password.
Workaround
==========
1. Edit `/etc/pam.d/chsh`
2. Comment out the line `auth required pam_shells.so`
3. Run `sudo chsh -s /bin/bash`
4. Edit `/etc/pam.d/chsh`
5. Uncomment the line `auth required pam_shells.so`
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: passwd 1:4.2-3.1ubuntu5
ProcVersionSignature: Ubuntu 4.4.0-47.68-generic 4.4.24
Uname: Linux 4.4.0-47-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: Unity
Date: Fri Nov 11 14:42:57 2016
DistributionChannelDescriptor:
# This is a distribution channel descriptor
# For more information see http://wiki.ubuntu.com/DistributionChannelDescriptor
canonical-oem-somerville-xenial-amd64-20160624-2
EcryptfsInUse: Yes
InstallationDate: Installed on 2016-11-01 (10 days ago)
InstallationMedia: Ubuntu 16.04 "Xenial" - Build amd64 LIVE Binary 20160624-10:47
SourcePackage: shadow
UpgradeStatus: No upgrade log present (probably fresh install)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1641213
Title:
PAM blocks fixing `chsh`ing root to a nonexistent shell
Status in shadow package in Ubuntu:
New
Bug description:
Ubuntu release
==============
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Package version
===============
According to `apt-file search /etc/pam.d/chsh`, package `passwd` owns
that file.
passwd:
Installed: 1:4.2-3.1ubuntu5
Candidate: 1:4.2-3.1ubuntu5
Version table:
*** 1:4.2-3.1ubuntu5 500
500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
What you expected to happen
===========================
The following should mess up root's default shell and then fix it to
use `bash`:
sudo chsh -s /bin/nonexistent
sudo chsh -s /bin/bash
What happened instead
=====================
PAM blocks what should be a simple fix:
$ sudo chsh -s /bin/nonexistent
chsh: Warning: /bin/nonexistent does not exist
$ sudo chsh -s /bin/bash
Password:
chsh: PAM: Authentication failure
Note especially that the password prompt above isn't the standard
`sudo` password prompt. `sudo` has already been recently given a
password, so it didn't ask again.
$ SHELL=/bin/bash sudo --shell
# chsh -s /bin/bash
Password:
chsh: PAM: Authentication failure
This happens even though the `root` account is disabled and thus has
no password. Even setting a password for `root` and using that
password doesn't work, so it's apparently not asking for the `root`
password.
Workaround
==========
1. Edit `/etc/pam.d/chsh`
2. Comment out the line `auth required pam_shells.so`
3. Run `sudo chsh -s /bin/bash`
4. Edit `/etc/pam.d/chsh`
5. Uncomment the line `auth required pam_shells.so`
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: passwd 1:4.2-3.1ubuntu5
ProcVersionSignature: Ubuntu 4.4.0-47.68-generic 4.4.24
Uname: Linux 4.4.0-47-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: Unity
Date: Fri Nov 11 14:42:57 2016
DistributionChannelDescriptor:
# This is a distribution channel descriptor
# For more information see http://wiki.ubuntu.com/DistributionChannelDescriptor
canonical-oem-somerville-xenial-amd64-20160624-2
EcryptfsInUse: Yes
InstallationDate: Installed on 2016-11-01 (10 days ago)
InstallationMedia: Ubuntu 16.04 "Xenial" - Build amd64 LIVE Binary 20160624-10:47
SourcePackage: shadow
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1641213/+subscriptions
More information about the foundations-bugs
mailing list