[rsbac] UM can't set passwords - strange symptoms

Sven Seeland Sven.Seeland at gmx.de
Wed Jul 18 11:52:48 CEST 2007


Hmm, I'm kind of in a bind here. First of all I must say that I'm no kernel expert, and I am in no way an experienced Linux admin. I'm doing this as a hobby but I still want my server to be reasonably safe.
However, I'm relying on several features that are (as far as I know) exclusive to 2.6. Namely udev, lvm2 and alsa (and possibly more).

I'm also using Gentoo and it looks like it defaults to 2.6 now. You *can* make it run on 2.4, but it requires a good bit of work and system knowledge and I currently don't really feel up to the task.
Also, the server doubles as a media center. Not a good combination to put a hardened webserver and a media center on the same machine, I know, but I only have one computer at my disposal so it's gotta do both jobs. And I'm afraid that running either part of the server in a virtualized environment (e.g. on virtualbox) will hurt performance badly.

Any advice?

Interestingly, the password bug hasn't occurred on the new setup yet.

Anyways, I'll stay tuned for the update and hope it trickles down the Gentoo pipeline soon.

Greetings,
Sven


-------- Original Message --------
Date: Wed, 18 Jul 2007 10:11:54 +0200
From: Amon Ott <ao at rsbac.org>
To: RSBAC Discussion and Announcements <rsbac at rsbac.org>
Subject: Re: [rsbac] UM can't set passwords - strange symptoms

> On Tuesday 17 July 2007 14:54, Sven Seeland wrote:
> > Thanks, everything works now. I guess I got spooked. On my last
> > install I was having all sorts of weird problems concerning RSBAC
> > UM, like not being able to set passwords, not being able to log in,
> > being able to log in regardless of the password entered, etc. And I
> > couldn't solve this by reverting back to standard unix shadow suite
> > user management. Which caused me to reinstall from scratch. It's
> > not a production machine and I'm still pretty new to this...
> 
> If you are using a 2.6 kernel with UM, you are strongly encouraged to 
> update to 1.3.5, which has been uploaded to download.rsbac.org 
> yesterday. We have fixed a nasty bug, which could cause any password 
> to be accepted on 2.6 kernels - like you noticed.
> 
> There is a reason why I recommend 2.4 on any server system: 2.6 
> internal APIs change with almost every release, so you can expect any 
> kind of bug. Needless to say that new APIs are hardly ever 
> documented. 2.6 is nothing I would call stable software, rather a 
> run-away hunt for features. One look at the rate of security fixes 
> for every 2.6 release tells the story.
> 
> This example has hit us here: crypto API interface has changed, but 
> third parameter of analogous function with similar name still has the 
> same type, but very different meaning. So we ended up hashing a 
> single byte of the salt instead of the whole salt + password string. 
> Sure any password matched, because the same salt was used for 
> compare.
> 
> We will make an official announcement after some more quality checks 
> on the release files.
> 
> Amon.
> -- 
> http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
> _______________________________________________
> rsbac mailing list
> rsbac at rsbac.org
> http://www.rsbac.org/mailman/listinfo/rsbac

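The failure mode Amon describes in the quoted reply (a length argument that used to count buffers now counts bytes, so only the first byte of the salt is hashed and every password verifies) is easy to reproduce outside the kernel. The following is an added illustration written for this archive page, not RSBAC code: `digest_bytes` is a stand-in for a digest call whose third argument is a byte count, `hash_buggy` is a caller still passing `1` as if it counted buffers, and the salt, stored password and record layout are constructed sample values. The last function is the kind of regression check that would have caught the bug immediately: two different passwords under the same salt must never produce the same digest.

```python
import hashlib
import hmac
from typing import Callable, Dict

# Constructed sample credential data (not from RSBAC): a fixed 8-byte salt so
# the example is deterministic, and one stored password.
SALT = bytes.fromhex("0123456789abcdef")
STORED_PASSWORD = b"correct horse battery staple"

HashFn = Callable[[bytes, bytes], bytes]


def digest_bytes(data: bytes, nbytes: int) -> bytes:
    """Stand-in for a digest API whose third argument is the number of BYTES
    to hash (assumed API shape, used only to illustrate the length confusion)."""
    return hashlib.sha256(data[:nbytes]).digest()


def hash_buggy(salt: bytes, password: bytes) -> bytes:
    """Caller written against an older interface where the third argument
    counted buffers. It passes 1 ("one buffer"), which the new interface
    reads as "one byte", so only salt[0] is ever hashed."""
    buf = salt + password
    return digest_bytes(buf, 1)


def hash_fixed(salt: bytes, password: bytes) -> bytes:
    """Correct caller: hash the whole salt + password string."""
    buf = salt + password
    return digest_bytes(buf, len(buf))


def make_record(hash_fn: HashFn, salt: bytes, password: bytes) -> Dict[str, bytes]:
    """Store what a user-management backend would keep: the salt and the digest."""
    return {"salt": salt, "hash": hash_fn(salt, password)}


def verify(hash_fn: HashFn, record: Dict[str, bytes], candidate: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_fn(record["salt"], candidate), record["hash"])


def digest_depends_on_password(hash_fn: HashFn) -> bool:
    """Regression check a password store should always pass: changing the
    password under a fixed salt must change the digest. The buggy variant
    fails this because the password never reaches the hash."""
    return hash_fn(SALT, b"password-one") != hash_fn(SALT, b"password-two")


def demo() -> Dict[str, bool]:
    """Show that the buggy verifier accepts anything, the fixed one does not."""
    buggy_record = make_record(hash_buggy, SALT, STORED_PASSWORD)
    fixed_record = make_record(hash_fixed, SALT, STORED_PASSWORD)
    wrong = b"not the password"
    return {
        "buggy_accepts_wrong": verify(hash_buggy, buggy_record, wrong),
        "buggy_accepts_empty": verify(hash_buggy, buggy_record, b""),
        "fixed_accepts_wrong": verify(hash_fixed, fixed_record, wrong),
        "fixed_accepts_right": verify(hash_fixed, fixed_record, STORED_PASSWORD),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
    print("buggy passes regression check:", digest_depends_on_password(hash_buggy))
    print("fixed passes regression check:", digest_depends_on_password(hash_fixed))
```

The comparison itself is not at fault in either variant; the stored digest and the recomputed digest really are equal, because both were derived from the same single salt byte. That is why reverting to a different user-management backend was the only visible way out at the time, and why a check like `digest_depends_on_password` belongs in any build that tracks a moving in-kernel API.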

