bug#35996: User account password got locked when booting old generation

all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed

From: "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: 35996@debbugs.gnu.org
Subject: bug#35996: User account password got locked when booting old generation
Date: Mon, 3 Jun 2019 08:03:01 +0200	[thread overview]
Message-ID: <20190603060301.2nu2zqi5j3v3j5ki@pelzflorian.localdomain> (raw)
In-Reply-To: <87o93g9dv5.fsf@gnu.org>

[-- Attachment #1: Type: text/plain, Size: 1297 bytes --]

After I booted to a Guix install USB, chrooted as described on the
Arch wiki and started a Guix daemon, I could reconfigure as before.
There was no need to fiddle with grub-install.

After multiple reconfigures, it happened again, my /etc/shadow has !
again in the password field.  My recently changed root password became
empty as well, like 35902.  I did not even run sudo concurrently.  The
password just got locked.

The /etc from the “populating from /gnu/store/*-etc” messages has no
significant differences either.



On Sat, Jun 01, 2019 at 11:37:51PM +0200, Ludovic Courtès wrote:
> "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> skribis:
> > AccountsService appears to only be usable for reading /etc/shadow, not
> > for writing it, contrary to what the Guix manual claims (??). 
> 
> That might be a bug.
> 

AccountsService obviously can change passwords.  No bug here.  Sorry.
I was confused.


> > For writing passwords, gnome-control-center does not use
> > AccountsService, it calls /usr/bin/passwd directly in its source code
> > in panels/user-accounts/run-passwd.c.
> 
> That’s definitely a bug to fix: it should invoke
> /run/setuid-programs/passwd instead.
>

Find attached two patches that fix GNOME password changing.  Both are
required.

Regards,
Florian

[-- Attachment #2: 0001-Add-cracklib-s-password-dictionary-to-cracklib-s-def.patch --]
[-- Type: text/plain, Size: 1373 bytes --]

From 1eb7699d5036062993a080393bfb4a46d2dc1bea Mon Sep 17 00:00:00 2001
From: Florian Pelz <pelzflorian@pelzflorian.de>
Date: Mon, 3 Jun 2019 07:19:20 +0200
Subject: [PATCH 1/2] =?UTF-8?q?Add=20cracklib=E2=80=99s=20password=20dicti?=
 =?UTF-8?q?onary=20to=20cracklib=E2=80=99s=20default=20output.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* gnu/packages/password-utils.scm (cracklib): Use `make dict`.
---
 gnu/packages/password-utils.scm | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/gnu/packages/password-utils.scm b/gnu/packages/password-utils.scm
index 2b844c9a1c..88f933e43e 100644
--- a/gnu/packages/password-utils.scm
+++ b/gnu/packages/password-utils.scm
@@ -310,6 +310,15 @@ and vice versa.")
        (sha256
         (base32 "1rimpjsdnmw8f5b7k558cic41p2qy2n2yrlqp5vh7mp4162hk0py"))))
     (build-system gnu-build-system)
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (add-after 'install 'install-dict
+           (lambda* (#:key make-flags #:allow-other-keys)
+             (begin
+               (chmod (string-append "util/cracklib-format") #o755)
+               (apply invoke "make" "dict" make-flags)
+               #t))))))
     (synopsis "Password checking library")
     (home-page "https://github.com/cracklib/cracklib")
     (description
-- 
2.21.0


[-- Attachment #3: 0002-Make-gnome-control-center-find-passwd-binary.patch --]
[-- Type: text/plain, Size: 1025 bytes --]

From c7c016adc34c591febd0d3630f32dbecdd20ad7c Mon Sep 17 00:00:00 2001
From: Florian Pelz <pelzflorian@pelzflorian.de>
Date: Sun, 2 Jun 2019 20:01:23 +0200
Subject: [PATCH 2/2] Make gnome-control-center find passwd binary.

* gnu/packages/gnome.scm (gnome-control-center): Substitute correct path to
  passwd.
---
 gnu/packages/gnome.scm | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 6a2a683f58..2917107d18 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -5879,6 +5879,9 @@ devices using the GNOME desktop.")
                  (("\"nm-connection-editor")
                   (string-append "\"" nm-applet
                                  "/bin/nm-connection-editor")))
+               (substitute* '("panels/user-accounts/run-passwd.c")
+                 (("/usr/bin/passwd")
+                  "/run/setuid-programs/passwd"))
                #t))))))
     (native-inputs
      `(("glib:bin" ,glib "bin") ; for glib-mkenums, etc.
-- 
2.21.0

next prev parent reply	other threads:[~2019-06-03  6:04 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-05-29 20:45 bug#35996: User account password got locked when booting old generation pelzflorian (Florian Pelz)
2019-05-31 22:05 ` Ludovic Courtès
2019-06-01  5:52   ` pelzflorian (Florian Pelz)
2019-06-01 14:58     ` pelzflorian (Florian Pelz)
2019-06-01 21:37       ` Ludovic Courtès
2019-06-02  7:05         ` pelzflorian (Florian Pelz)
2019-06-02  9:38           ` Ludovic Courtès
2019-06-02 10:21             ` pelzflorian (Florian Pelz)
2019-06-02 16:00               ` Ludovic Courtès
2019-06-03  6:03                 ` pelzflorian (Florian Pelz) [this message]
2019-06-03  6:14                   ` Gábor Boskovits
2019-06-03  7:18                   ` pelzflorian (Florian Pelz)
2019-06-03 15:22                     ` Ludovic Courtès
2019-06-03 17:07                       ` pelzflorian (Florian Pelz)
2019-06-03 13:22                   ` Ludovic Courtès
2019-06-03 14:52                     ` pelzflorian (Florian Pelz)
2019-06-04  9:22                       ` Ludovic Courtès
2019-06-04 12:17                         ` pelzflorian (Florian Pelz)
2019-06-04 14:12                           ` pelzflorian (Florian Pelz)
2019-06-04 17:17                             ` pelzflorian (Florian Pelz)
2019-06-04 21:21                               ` Ludovic Courtès
2019-06-05  6:16                                 ` pelzflorian (Florian Pelz)
2019-06-05  9:54                                   ` Ludovic Courtès
2019-06-05 11:06                                     ` pelzflorian (Florian Pelz)
2019-06-05 21:13                                       ` Ludovic Courtès
2019-06-06  7:01                                         ` pelzflorian (Florian Pelz)
2019-06-06  8:04                                           ` Ludovic Courtès
2019-06-03 16:01                     ` Danny Milosavljevic

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:2b844c9a1 dfblob:88f933e43 dfblob:6a2a683f5 dfblob:2917107d1 )
 OR (
bs:"Make gnome-control-center find passwd binary." )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190603060301.2nu2zqi5j3v3j5ki@pelzflorian.localdomain \
    --to=pelzflorian@pelzflorian.de \
    --cc=35996@debbugs.gnu.org \
    --cc=ludo@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.