[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Password problems

Douglas A. Tutty wrote:

On Sat, Feb 16, 2008 at 09:38:03PM -0500, Frank McCormick wrote:

On Sat, 16 Feb 2008 20:54:33 -0500
"Douglas A. Tutty" <dtutty@porchlight.ca> wrote:

On Sat, Feb 16, 2008 at 08:15:07PM -0500, Frank McCormick wrote:

On Sat, 16 Feb 2008 17:32:56 -0600
"Russell L. Harris" <rlharris@oplink.net> wrote:

* Frank McCormick <fmccormick@videotron.ca> [080216 17:21]:

I changed my password using passwd...and now some apps want the
old password...others want the new one!

For example when I do sudo aptitude update in a terminal sudo
will only accept the new password...however if I run
Synaptic...it will accept only the old password. What's going
on here and how can it be fixed ?

Perhaps synaptic is asking for the password of the normal user --
not the password of root -- in order to access the keyring?

  There is no root account on this box. It has always asked me for
my password as I am the first user. As I said this business didn't
start until a changed my password.

Unix dosen't work without a root account.

   Sorry, what I meant was I have not enabled root on this machine.

However, this sounds like a bug in Synaptic.  It should _not_ be
storing the previous password but only using a mechanism that will
hash what you type and compare it with the password database.

  But it's not just Synaptic as it turns out...any program that uses the
gtk? version of sudo (gtksudo?) wants the old password.


I purposly didn't trim anything here because I feel that this is very
important: (IMVHO)

If gtk apps are able to do things as root if you type in the old root
password but non-gtk apps will not work with the old root passwd but
will with the new root passwd, and if you can su (not sudo) to root
using the new root password but not the old root password, then gtk has
been storing the root password in some form.  I call that a breach plain
and simple.  It may be a design flaw that needs to be tracked down or it
could be that your particular box has been compromised.  Either way, I
would call the box compromised.
I wonder if gtk is indeed able to gain root privilege. For that to happen I thing all the following should be met (please correct me if I am wrong): 

1. gnome/gtk is running as root (I do not think that is the case)
2. gnome/gtk caches the password first time the user provides it, probably after comparing the hash with /etc/shadow. 3. Everytime something needs to be done as root, the user is prompted for a password and the supplied password is compared to the cached one before granting root privilege. 

I don't think something like this has been going on.
Unless gnome/gtk is running as root and does the job of hashing the password provided and comparing it with /etc/shadow, how can it *gain* root privilege once the password is changed? By supplying the old password, gnome/gtk may think the user has the required rights, but unless the underlying authentication mechanism (pam?) also does this sort of caching, the authentication should fail. 



I would find a temporary test box (any old box will do).  Install a gtk
system and test this out.  Use a gtk app that asks for the root
password, then change the root passwd with passwd (and not a gtk app)
and then see what the gtk app will accept.  If it will only accept the
old passwd then its a GTK design flaw.  If it will only accept the new
root passwd then your box has been compromised.
Just did that. I ran gdmsetup from the "System" menu on the gnome-panel. Provided root password and asked it to "Save it for this session". 
Closed gdmsetup and launched it again. No password asked.
Closed gdmsetup, changed root password from a terminal and relaunched the gdmsetup. No prompt for password, but got an error saying that the wrong password has been supplied. 



--
Raj Kiran Grandhi
--
At the source of every error which is blamed on the computer, you will find at least two human errors, including the error of blaming it on the computer.
Reply to: