From mboxrd@z Thu Jan 1 00:00:00 1970 From: "pelzflorian (Florian Pelz)" Subject: bug#35996: User account password got locked when booting old generation Date: Mon, 3 Jun 2019 08:03:01 +0200 Message-ID: <20190603060301.2nu2zqi5j3v3j5ki@pelzflorian.localdomain> References: <20190529204517.mqn5xrw23xib4i3u@pelzflorian.localdomain> <877ea6l1on.fsf@gnu.org> <20190601055238.jkhefpupavz7aipi@pelzflorian.localdomain> <20190601145834.f4wgm4oqmdyej7n5@pelzflorian.localdomain> <87r28dc7gw.fsf@gnu.org> <20190602070545.xp2pqlnzsthpjtbw@pelzflorian.localdomain> <87sgss9vj7.fsf@gnu.org> <20190602102122.bzapwt36vg32nmwq@pelzflorian.localdomain> <87o93g9dv5.fsf@gnu.org> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="doh3qc3z7qboymu7" Content-Transfer-Encoding: 8bit Return-path: Received: from eggs.gnu.org ([209.51.188.92]:42174) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1hXg4i-0003dq-63 for bug-guix@gnu.org; Mon, 03 Jun 2019 02:04:05 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1hXg4g-0007rH-PI for bug-guix@gnu.org; Mon, 03 Jun 2019 02:04:04 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:56123) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1hXg4g-0007qt-Ka for bug-guix@gnu.org; Mon, 03 Jun 2019 02:04:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1hXg4g-00065E-FH for bug-guix@gnu.org; Mon, 03 Jun 2019 02:04:02 -0400 Sender: "Debbugs-submit" Resent-Message-ID: Content-Disposition: inline In-Reply-To: <87o93g9dv5.fsf@gnu.org> List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: Ludovic =?UTF-8?Q?Court=C3=A8s?= Cc: 35996@debbugs.gnu.org --doh3qc3z7qboymu7 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit After I booted to a Guix install USB, chrooted as described on the Arch wiki and started a Guix daemon, I could reconfigure as before. There was no need to fiddle with grub-install. After multiple reconfigures, it happened again, my /etc/shadow has ! again in the password field. My recently changed root password became empty as well, like 35902. I did not even run sudo concurrently. The password just got locked. The /etc from the “populating from /gnu/store/*-etc” messages has no significant differences either. On Sat, Jun 01, 2019 at 11:37:51PM +0200, Ludovic Courtès wrote: > "pelzflorian (Florian Pelz)" skribis: > > AccountsService appears to only be usable for reading /etc/shadow, not > > for writing it, contrary to what the Guix manual claims (??). > > That might be a bug. > AccountsService obviously can change passwords. No bug here. Sorry. I was confused. > > For writing passwords, gnome-control-center does not use > > AccountsService, it calls /usr/bin/passwd directly in its source code > > in panels/user-accounts/run-passwd.c. > > That’s definitely a bug to fix: it should invoke > /run/setuid-programs/passwd instead. > Find attached two patches that fix GNOME password changing. Both are required. Regards, Florian --doh3qc3z7qboymu7 Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="0001-Add-cracklib-s-password-dictionary-to-cracklib-s-def.patch" >From 1eb7699d5036062993a080393bfb4a46d2dc1bea Mon Sep 17 00:00:00 2001 From: Florian Pelz Date: Mon, 3 Jun 2019 07:19:20 +0200 Subject: [PATCH 1/2] =?UTF-8?q?Add=20cracklib=E2=80=99s=20password=20dicti?= =?UTF-8?q?onary=20to=20cracklib=E2=80=99s=20default=20output.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * gnu/packages/password-utils.scm (cracklib): Use `make dict`. --- gnu/packages/password-utils.scm | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/gnu/packages/password-utils.scm b/gnu/packages/password-utils.scm index 2b844c9a1c..88f933e43e 100644 --- a/gnu/packages/password-utils.scm +++ b/gnu/packages/password-utils.scm @@ -310,6 +310,15 @@ and vice versa.") (sha256 (base32 "1rimpjsdnmw8f5b7k558cic41p2qy2n2yrlqp5vh7mp4162hk0py")))) (build-system gnu-build-system) + (arguments + `(#:phases + (modify-phases %standard-phases + (add-after 'install 'install-dict + (lambda* (#:key make-flags #:allow-other-keys) + (begin + (chmod (string-append "util/cracklib-format") #o755) + (apply invoke "make" "dict" make-flags) + #t)))))) (synopsis "Password checking library") (home-page "https://github.com/cracklib/cracklib") (description -- 2.21.0 --doh3qc3z7qboymu7 Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="0002-Make-gnome-control-center-find-passwd-binary.patch" >From c7c016adc34c591febd0d3630f32dbecdd20ad7c Mon Sep 17 00:00:00 2001 From: Florian Pelz Date: Sun, 2 Jun 2019 20:01:23 +0200 Subject: [PATCH 2/2] Make gnome-control-center find passwd binary. * gnu/packages/gnome.scm (gnome-control-center): Substitute correct path to passwd. --- gnu/packages/gnome.scm | 3 +++ 1 file changed, 3 insertions(+) diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm index 6a2a683f58..2917107d18 100644 --- a/gnu/packages/gnome.scm +++ b/gnu/packages/gnome.scm @@ -5879,6 +5879,9 @@ devices using the GNOME desktop.") (("\"nm-connection-editor") (string-append "\"" nm-applet "/bin/nm-connection-editor"))) + (substitute* '("panels/user-accounts/run-passwd.c") + (("/usr/bin/passwd") + "/run/setuid-programs/passwd")) #t)))))) (native-inputs `(("glib:bin" ,glib "bin") ; for glib-mkenums, etc. -- 2.21.0 --doh3qc3z7qboymu7--