On Sat, Aug 09, 2003 at 01:08:01PM -0400, Matt Zimmerman wrote:
> On Sat, Aug 09, 2003 at 06:48:43PM +0200, Marc Haber wrote:
>
> > On Sat, 9 Aug 2003 12:29:44 -0400, Matt Zimmerman <mdz@debian.org>
> > wrote:
> > >http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=186011
> >
> > I think that it is not a good idea to have that issue fixed this way
> > in all affected packages. It should be solved in a more global way.
> >
> > Please note that this is a bug against libpam-runtime, but the issue
> > exists with passwd and login as well.
>
> Hmm, I pasted the wrong bug. I was sure someone had filed a bug about
> the fact that these conffiles were being modified by scripts, but I can't
> seem to find it.
>
You probably meant 159487, which was tagged 'security' (and recently
closed):

"Currently 'passwd' debconf templates help users configure, upon
installation or when doing a dpkg-reconfigure, MD5 passwords. This is done
in this code snippet of the passwd config script:

    if ! egrep -q "^password.*pam_(unix|ldap)\.so.*md5" $file ; then
        sed 's/^\(password.*\)/\1md5/' < $file > $file.new
        mv -f $file.new $file
    fi

Leaving aside the fact that 'file' is /etc/pam.d/* (and this is tampering
with others' configuration files and against policy) this change modifies:"

This mentions the "against policy" problem which #110228 files. BTW, the
code is still there in the latest passwd.config code (1:4.0.3-8), should
that bug be reopened? (it was closed because #97548 #110228 and #159487
were merged).

Regards

Javi