[Touch-packages] [Bug 1895757] [NEW] Terminal hangs running sudo when "use_pty" is set in /etc/sudoers

2020-09-15 Thread Alejandro Santoyo Gonzalez
Public bug reported:

An SSH terminal into an Ubuntu server (tested on 18.04.5) hangs running
a command using 'sudo' when 'use_pty' is set in /etc/sudoers.

Steps to reproduce ('sudo' version --> 1.8.21p2-3ubuntu1.2):

1) Log in to an Ubuntu server (tested on 18.04.5 using SSH)
2) Ensure that /etc/sudoers has the following line (add this line if not present)
Defaults  use_pty
3) Execute the following:
for i in {1..10}; do sudo -- cat /var/log/syslog; done

The terminal hangs and the following backtrace is obtained:

(gdb) bt
#0  0x7f751d5c8cc4 in __GI___poll (fds=0x55d0159917b0, nfds=1, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:29
#1  0x7f751d8b146a in poll (__timeout=, __nfds=, __fds=) at /usr/include/x86_64-linux-gnu/bits/poll2.h:46
#2  sudo_ev_scan_impl (base=base@entry=0x55d015990dc0, flags=flags@entry=0) at ../../../lib/util/event_poll.c:155
#3  0x7f751d8aa74d in sudo_ev_loop_v1 (base=base@entry=0x55d015990dc0, flags=flags@entry=0) at ../../../lib/util/event.c:617
#4  0x55d01570597a in del_io_events (nonblocking=nonblocking@entry=false) at ../../src/exec_pty.c:1537
#5  0x55d015707b97 in pty_close (cstat=0x7ffd074d6110) at ../../src/exec_pty.c:697
#6  exec_pty (details=details@entry=0x55d01591e0e0 , cstat=cstat@entry=0x7ffd074d6110) at ../../src/exec_pty.c:1412
#7  0x55d015701178 in sudo_execute (details=0x55d01591e0e0 , cstat=0x7ffd074d6110) at ../../src/exec.c:391
#8  0x55d01570e15b in run_command (details=0x55d01591e0e0 ) at ../../src/sudo.c:968
#9  0x55d0156ff9a0 in main (argc=, argv=, envp=) at ../../src/sudo.c:294

A similar (most likely the same) bug has been reported here
https://access.redhat.com/solutions/3404401.

** Affects: sudo (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1895757

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1895757/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1895757] Re: Terminal hangs running sudo when "use_pty" is set in /etc/sudoers

2020-09-15 Thread Alejandro Santoyo Gonzalez
** Description changed:

  An SSH terminal into an Ubuntu server (tested on 18.04.5) hangs running
  a command using 'sudo' when 'use_pty' is set in /etc/sudoers.
  
- Steps to reproduce:
+ Steps to reproduce ('sudo' version --> 1.8.21p2-3ubuntu1.2):
  
  1) Log in into an Ubuntu server (tested on 18.04.5 using SSH)
  2) Ensure that /etc/sudoers has the following line (add this line if not 
present)
  Defaults  use_pty
  3) Execute the following:
  for i in {1..10}; do sudo -- cat /var/log/syslog; done
  
  The terminal hangs and the following backtrace is obtained:
  
  (gdb) bt
  #0  0x7f751d5c8cc4 in __GI___poll (fds=0x55d0159917b0, nfds=1, 
timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:29
  #1  0x7f751d8b146a in poll (__timeout=, __nfds=, __fds=) at /usr/include/x86_64-linux-gnu/bits/poll2.h:46
  #2  sudo_ev_scan_impl (base=base@entry=0x55d015990dc0, flags=flags@entry=0) 
at ../../../lib/util/event_poll.c:155
  #3  0x7f751d8aa74d in sudo_ev_loop_v1 (base=base@entry=0x55d015990dc0, 
flags=flags@entry=0) at ../../../lib/util/event.c:617
  #4  0x55d01570597a in del_io_events (nonblocking=nonblocking@entry=false) 
at ../../src/exec_pty.c:1537
  #5  0x55d015707b97 in pty_close (cstat=0x7ffd074d6110) at 
../../src/exec_pty.c:697
  #6  exec_pty (details=details@entry=0x55d01591e0e0 , 
cstat=cstat@entry=0x7ffd074d6110) at ../../src/exec_pty.c:1412
  #7  0x55d015701178 in sudo_execute (details=0x55d01591e0e0 
, cstat=0x7ffd074d6110) at ../../src/exec.c:391
  #8  0x55d01570e15b in run_command (details=0x55d01591e0e0 
) at ../../src/sudo.c:968
  #9  0x55d0156ff9a0 in main (argc=, argv=, 
envp=) at ../../src/sudo.c:294
  
  A similar (most likely the same) bug has been reported here
  https://access.redhat.com/solutions/3404401.


[Touch-packages] [Bug 1895757] Re: Terminal hangs running sudo when "use_pty" is set in /etc/sudoers

2020-09-16 Thread Alejandro Santoyo Gonzalez
** Description changed:

  An SSH terminal into an Ubuntu server (tested on 18.04.5) hangs running
  a command using 'sudo' when 'use_pty' is set in /etc/sudoers.
  
  Steps to reproduce ('sudo' version --> 1.8.21p2-3ubuntu1.2):
  
  1) Log in into an Ubuntu server (tested on 18.04.5 using SSH)
  2) Ensure that /etc/sudoers has the following line (add this line if not 
present)
  Defaults  use_pty
- 3) Execute the following:
+ 3) Execute the following (test 'sudo' command):
  for i in {1..10}; do sudo -- cat /var/log/syslog; done
  
  The terminal hangs and the following backtrace is obtained:
  
  (gdb) bt
  #0  0x7f751d5c8cc4 in __GI___poll (fds=0x55d0159917b0, nfds=1, 
timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:29
  #1  0x7f751d8b146a in poll (__timeout=, __nfds=, __fds=) at /usr/include/x86_64-linux-gnu/bits/poll2.h:46
  #2  sudo_ev_scan_impl (base=base@entry=0x55d015990dc0, flags=flags@entry=0) 
at ../../../lib/util/event_poll.c:155
  #3  0x7f751d8aa74d in sudo_ev_loop_v1 (base=base@entry=0x55d015990dc0, 
flags=flags@entry=0) at ../../../lib/util/event.c:617
  #4  0x55d01570597a in del_io_events (nonblocking=nonblocking@entry=false) 
at ../../src/exec_pty.c:1537
  #5  0x55d015707b97 in pty_close (cstat=0x7ffd074d6110) at 
../../src/exec_pty.c:697
  #6  exec_pty (details=details@entry=0x55d01591e0e0 , 
cstat=cstat@entry=0x7ffd074d6110) at ../../src/exec_pty.c:1412
  #7  0x55d015701178 in sudo_execute (details=0x55d01591e0e0 
, cstat=0x7ffd074d6110) at ../../src/exec.c:391
  #8  0x55d01570e15b in run_command (details=0x55d01591e0e0 
) at ../../src/sudo.c:968
  #9  0x55d0156ff9a0 in main (argc=, argv=, 
envp=) at ../../src/sudo.c:294
  
  A similar (most likely the same) bug has been reported here
  https://access.redhat.com/solutions/3404401.


[Touch-packages] [Bug 1895757] Re: Terminal hangs running sudo when "use_pty" is set in /etc/sudoers

2020-09-16 Thread Alejandro Santoyo Gonzalez
** Also affects: sudo (Ubuntu Bionic)
   Importance: Undecided
   Status: New


[Touch-packages] [Bug 1964494] [NEW] Setting DuplicateAddressDetection=none doesn't disable DAD for link-local IPs

2022-03-10 Thread Alejandro Santoyo Gonzalez
Public bug reported:

A customer reported network disconnections on their storage 
servers when running 'netplan apply'. The culprit was that
they have link-local addresses configured and the Duplicate 
Address Detection (DAD) mechanism was delaying the interfaces 
from coming back up. 

As a workaround we tried to disable DAD for the interfaces 
but that's not working in Ubuntu 22.04:

I've noticed that setting DuplicateAddressDetection=none for an
interface with a link-local address (e.g., 169.254.*) via a 
.network file added to /etc/systemd/network/ doesn't really 
disable Duplicate Address Detection.

OS and package versions:

 - Description: Ubuntu Jammy Jellyfish (development branch). Release: 22.04
 - systemd 249.5-2ubuntu4

Reproducer:
---
1- Set up Ubuntu 22.04 VM
2- Increase systemlog level:

  mkdir -p /etc/systemd/system/systemd-networkd.service.d/
  cat > /etc/systemd/system/systemd-networkd.service.d/10-debug.conf  /etc/systemd/system/systemd-networkd.service.d/10-debug.conf 

[Touch-packages] [Bug 1964494] Re: Setting DuplicateAddressDetection=none doesn't disable DAD for link-local IPs

2022-03-10 Thread Alejandro Santoyo Gonzalez
I agree, a user-configured setting should be honored. Another thing to
consider is that according to the Jammy systemd.network man page, the 
default should be 'ipv6' so one would expect that to be a global 
default, but it gets overridden for link-local IPs due to this commit.  


[1] https://manpages.ubuntu.com/manpages/jammy/man5/systemd.network.5.html

[Touch-packages] [Bug 1964494] Re: Setting DuplicateAddressDetection=none doesn't disable DAD for link-local IPs

2022-06-13 Thread Alejandro Santoyo Gonzalez
Tested 249.11-0ubuntu3.3 and DuplicateAddressDetection is now honored as
expected. No other issues were observed.

Title:
  Setting DuplicateAddressDetection=none doesn't disable DAD for link-
  local IPs

Status in systemd:
  Fix Released
Status in systemd package in Ubuntu:
  Fix Released
Status in systemd source package in Jammy:
  Fix Committed
Status in systemd source package in Kinetic:
  Fix Released

Bug description:
  [impact]

  manual disabling of ipv4 DAD (IACD) for static link-local address does
  not work in jammy

  [test case]

  see 'Reproducer' in original description below

  [regression potential]

  failure to disable DAD, or incorrect disabling of DAD, or networkd
  issues around parsing of DAD config parsing

  [scope]

  this is needed for j and k

  introduced upstream by commit
  1cf4ed142d6c1e2b9dc6a0bc74b6a83ae30b0f8e, first included in v249, so
  this bug does not affect impish or earlier

  fixed upstream by commit 2859932bd64d61a89f85fa027762bc16961fcf53

  [original description]

  A customer reported network disconnections on their storage
  servers when running 'netplan apply'. The culprit was that
  they have link-local addresses configured and the Duplicate
  Address Detection (DAD) mechanism was delaying the interfaces
  from coming back up.

  As a workaround we tried to disable DAD for the interfaces
  but that's not working in Ubuntu 22.04:

  I've noticed that setting DuplicateAddressDetection=none for an
  interface with a link-local address (e.g., 169.254.*) via a
  .network file added to /etc/systemd/network/ doesn't really
  disable Duplicate Address Detection.

  OS and package versions:
  
   - Description: Ubuntu Jammy Jellyfish (development branch). Release: 22.04
   - systemd 249.5-2ubuntu4

  Reproducer:
  ---
  1- Set up Ubuntu 22.04 VM
  2- Increase systemlog level:

    mkdir -p /etc/systemd/system/systemd-networkd.service.d/
    cat > /etc/systemd/system/systemd-networkd.service.d/10-debug.conf 

[Touch-packages] [Bug 1989731] [NEW] Non-root user unable to change own password if pam_pwhistory is used

2022-09-15 Thread Alejandro Santoyo Gonzalez
Public bug reported:

When pam_pwhistory is in use non-root users are unable to change their
passwords. In fact, they are able to change it but the system spits out
an error even though the password was indeed changed.

Reproducer:
---

1. created an Ubuntu/Focal VM
2. added a user 'test'

sudo adduser test # used passwd '123'
su test

3. changed the password using 'passwd' logged in as the user 'test'

passwd test # used passwd '1qaz2wsx'

4. logged out from 'test' and executed

echo 'password required pam_pwhistory.so remember=5' | sudo tee -a /etc/pam.d/common-password

5. tried again to follow step 3 as user 'test' but the following
happens:

passwd test # used passwd '3edc4rfv' (1)
Changing password for test.
Current password:
New password:
Retype new password:
Password has been already used. Choose another.
passwd: Have exhausted maximum number of retries for service
passwd: password unchanged

However, I'm now able to log in as 'test' using the password in
(1) (the one that was supposedly not set up due to having been
already used) instead of the old one (the one that should be in
place since the change process returned an error).

6. if I comment out 'password required pam_pwhistory.so remember=5'
then I can log in as 'test' and change the password without issues

This behavior has been verified with the below package versioning:

ii  libpam-cap:amd64      1:2.32-1           amd64  POSIX 1003.1e capabilities (PAM module)
ii  libpam-modules:amd64  1.3.1-5ubuntu4.3   amd64  Pluggable Authentication Modules for PAM
ii  libpam-modules-bin    1.3.1-5ubuntu4.3   amd64  Pluggable Authentication Modules for PAM - helper binaries
ii  libpam-runtime        1.3.1-5ubuntu4.3   all    Runtime support for the PAM library
ii  libpam-systemd:amd64  245.4-4ubuntu3.15  amd64  system and service manager - PAM module
ii  libpam0g:amd64        1.3.1-5ubuntu4.3   amd64  Pluggable Authentication Modules library

** Affects: pam (Ubuntu)
 Importance: Undecided
 Status: New

** Package changed: ubuntu => pam (Ubuntu)

[Touch-packages] [Bug 1989731] Re: Non-root user unable to change own password if pam_pwhistory is used

2022-11-08 Thread Alejandro Santoyo Gonzalez
** Also affects: ubuntu-security-certifications
   Importance: Undecided
   Status: New


[Touch-packages] [Bug 1989731] Re: Non-root user unable to change own password if pam_pwhistory is used

2023-03-02 Thread Alejandro Santoyo Gonzalez
It seems like if the line:

'password required pam_pwhistory.so remember=5'

is added before the pam_unix line in /etc/pam.d/common-password
everything works as expected because the new password now won't match
the "old" password that was already in the shadow file (which is what
happens if the pam_pwhistory line is set after pam_unix).

The problem is that the CIS tooling for Ubuntu seems to be adding this
line at the end of the file, hence causing the issue. Do we need to
modify this bug in any way to ensure the CIS implementation is
amended/fixed as needed?

Title:
  Non-root user unable to change own password if pam_pwhistory is used

Status in Ubuntu Security Guide:
  In Progress
Status in pam package in Ubuntu:
  New
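
The ordering described in the message above, as an added example (not part of the original thread and not the CIS/USG tooling's code): a Python check that parses a common-password style file, reports when pam_pwhistory.so sits after pam_unix.so in the password stack, and returns the file with the line moved. The sample file contents and all function names are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional


class PamRule(NamedTuple):
    lineno: int       # 1-based line number in the file
    mgmt_type: str    # auth / account / password / session
    control: str      # e.g. "required" or "[success=1 default=ignore]"
    module: str       # basename, e.g. "pam_unix.so"
    args: List[str]


# A control field is either one word or a bracketed [value=action ...] list.
_RULE_RE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)\s*(?P<args>.*)$"
)


def parse_pam_stack(text: str) -> List[PamRule]:
    """Parse PAM rule lines, skipping comments, blanks and @include lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        match = _RULE_RE.match(line)
        if match:
            rules.append(PamRule(lineno, match["type"], match["control"],
                                 match["module"].rsplit("/", 1)[-1],
                                 match["args"].split()))
    return rules


def _password_rule(text: str, module: str) -> Optional[PamRule]:
    for rule in parse_pam_stack(text):
        if rule.mgmt_type == "password" and rule.module == module:
            return rule
    return None


def check_pwhistory_order(text: str) -> List[str]:
    """Return findings; an empty list means pam_pwhistory precedes pam_unix."""
    hist = _password_rule(text, "pam_pwhistory.so")
    unix = _password_rule(text, "pam_unix.so")
    if hist is None:
        return ["pam_pwhistory.so is not in the password stack"]
    if unix is not None and hist.lineno > unix.lineno:
        return [f"pam_pwhistory.so (line {hist.lineno}) is after "
                f"pam_unix.so (line {unix.lineno})"]
    return []


def move_pwhistory_before_unix(text: str) -> str:
    """Return the file with the pam_pwhistory line moved just above pam_unix."""
    hist = _password_rule(text, "pam_pwhistory.so")
    unix = _password_rule(text, "pam_unix.so")
    if hist is None or unix is None or hist.lineno < unix.lineno:
        return text
    # Inserting a line shifts the target of any earlier numeric jump
    # (e.g. success=2), so refuse instead of silently changing the stack.
    for rule in parse_pam_stack(text):
        if (rule.mgmt_type == "password" and rule.lineno < unix.lineno
                and re.search(r"=\d+", rule.control)):
            raise ValueError(f"line {rule.lineno} uses a numeric jump; "
                             "reorder this file by hand")
    lines = text.splitlines()
    moved = lines.pop(hist.lineno - 1)      # later index, pam_unix unaffected
    lines.insert(unix.lineno - 1, moved)
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")


# Constructed sample: a password stack with the pam_pwhistory line appended
# at the end of the file, as in step 4 of the reproducer.
SAMPLE_MISORDERED = (
    "# constructed sample in the style of /etc/pam.d/common-password\n"
    "password\t[success=1 default=ignore]\tpam_unix.so obscure sha512\n"
    "password\trequisite\tpam_deny.so\n"
    "password\trequired\tpam_permit.so\n"
    "password required pam_pwhistory.so remember=5\n"
)

if __name__ == "__main__":
    print(check_pwhistory_order(SAMPLE_MISORDERED))
    print(move_pwhistory_before_unix(SAMPLE_MISORDERED), end="")
```
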


[Touch-packages] [Bug 1989731] Re: Non-root user unable to change own password if pam_pwhistory is used

2023-04-17 Thread Alejandro Santoyo Gonzalez
The CIS recommendations containing the fix for this issue have been
already released [1][2].

The next step would be to fix the CIS/USG tooling so that it follows the
new guidelines.

[1] https://workbench.cisecurity.org/benchmarks/11909
[2] https://workbench.cisecurity.org/sections/1668741/recommendations/2682696
