[rsbac] UM can't set passwords - strange symptoms

Amon Ott ao at rsbac.org
Wed Jul 18 10:11:54 CEST 2007


On Tuesday 17 July 2007 14:54, Sven Seeland wrote:
> Thanks, everything works now. I guess I got spooked. On my last
> install I was having all sorts of weird problems concerning RSBAC
> UM, like not being able to set passwords, not being able to log in,
> being able to log in regardless of the password entered, etc. And I
> couldn't solve this by reverting back to standard unix shadow suite
> user management. Which caused me to reinstall from scratch. It's
> not a production machine and I'm still pretty new to this...

If you are using a 2.6 kernel with UM, you are strongly encouraged to 
update to 1.3.5, which was uploaded to download.rsbac.org 
yesterday. We have fixed a nasty bug, which could cause any password 
to be accepted on 2.6 kernels - like you noticed.

There is a reason why I recommend 2.4 on any server system: 2.6 
internal APIs change with almost every release, so you can expect any 
kind of bug. Needless to say that new APIs are hardly ever 
documented. 2.6 is nothing I would call stable software, rather a 
run-away hunt for features. One look at the rate of security fixes 
for every 2.6 release tells the story.

This example has hit us here: the crypto API interface has changed, but 
the third parameter of the analogous function with a similar name still 
has the same type, but a very different meaning. So we ended up hashing a 
single byte of the salt instead of the whole salt + password string. 
Sure, any password matched, because the same salt was used for 
compare.

We will make an official announcement after some more quality checks 
on the release files.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
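
The failure mode described in the message above, modeled in user-space C as an added example; it is not RSBAC or kernel code. `struct seg`, `new_digest`, `hash_pw` and `check_pw` are hypothetical names, FNV-1a stands in for the real digest, and the salt and passwords are constructed values.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for one scatter/gather entry. */
struct seg { const unsigned char *buf; size_t len; };

/* Toy FNV-1a step standing in for the real digest; not cryptographic. */
static uint32_t fnv1a(uint32_t h, const unsigned char *p, size_t n) {
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}

/* New-style call: n counts BYTES. The older call this models took a value of
 * the same type that counted SEGMENTS, so "1" used to mean "the whole buffer".
 * The caller must ensure the segments hold at least n bytes. */
static uint32_t new_digest(const struct seg *sg, unsigned int n) {
    uint32_t h = 2166136261u;
    for (; n > 0; sg++) {
        size_t take = sg->len < n ? sg->len : n;
        h = fnv1a(h, sg->buf, take);
        n -= (unsigned int)take;
    }
    return h;
}

/* Hash salt + password from one buffer; -1 on empty salt or overflow. */
static int hash_pw(const char *salt, const char *pw, int buggy, uint32_t *out) {
    unsigned char buf[128];
    size_t sl = strlen(salt), pl = strlen(pw);
    if (sl == 0 || sl + pl > sizeof(buf)) return -1;
    memcpy(buf, salt, sl);
    memcpy(buf + sl, pw, pl);
    struct seg sg = { buf, sl + pl };
    /* Buggy port keeps the old argument 1 (one segment): one byte hashed. */
    *out = new_digest(&sg, buggy ? 1u : (unsigned int)(sl + pl));
    return 0;
}

/* Returns 1 when the attempt hashes like the stored password; fails closed. */
static int check_pw(const char *salt, const char *stored, const char *attempt, int buggy) {
    uint32_t a, b;
    if (hash_pw(salt, stored, buggy, &a) || hash_pw(salt, attempt, buggy, &b)) return 0;
    return a == b;
}

int main(void) {
    /* Constructed values: the buggy port accepts a wrong password, the fix rejects it. */
    int buggy_ok = check_pw("a8Xk", "correct horse", "wrong", 1);
    int fixed_ok = check_pw("a8Xk", "correct horse", "wrong", 0);
    return (buggy_ok == 1 && fixed_ok == 0) ? 0 : 1;
}
```

A login test that only checks the correct password passes in both modes; the regression check that catches this class of bug is the negative one, asserting that a wrong password is rejected.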

