FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian User

 
 
LinkBack Thread Tools
 
Old 07-23-2008, 07:11 AM
Alexander Fortin
 
Default Cron jobs and root account locked on Lenny

A few days ago (due to a broken harddisk) I've installed Lenny from
scratch on my laptop.
I've copied pretty much every configuration from the old installation
(Etch) and everything seems good.

Well, everything but a couple of things: first of all, at install time
I chose "no root login" but only a user with sudo grants. So, the root
account is locked:

alieno@klingon:~$ sudo passwd -S root
root L 07/21/2008 0 99999 7 -1

Now, first difference I've noticed from the previous (Etch) install
is:

alieno@klingon:~$ sudo su -
Your account has expired; please contact your system administrator
su: User account has expired
(Ignored)
klingon:~#

Ok, not so annoying, but I'm not sure it's the right message:
shouldn't the account be locked and not expired?

Anyway, this leads to the second, more important issue: crond is not
running jobs owned by root. For example:

syslog:
Jul 22 20:17:01 klingon CRON[3060]: User account has expired

auth.log:
Jul 22 12:17:01 klingon CRON[3060]: pam_unix(cron:account): account
root has expired (account expired)

Of course, I could unlock root account, but I thought it was good
practice to avoid root login from tty/ssh etc, and I'm pretty sure
this configuration was working well under Etch. Could this be
considered as a bug? Should I report it?

Thanks


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 07-23-2008, 10:10 AM
Andrei Popescu
 
Default Cron jobs and root account locked on Lenny

On Wed,23.Jul.08, 00:11:35, Alexander Fortin wrote:

[locked root account troubles]

> Of course, I could unlock root account, but I thought it was good
> practice to avoid root login from tty/ssh etc, and I'm pretty sure
> this configuration was working well under Etch. Could this be
> considered as a bug? Should I report it?

I never understood what benefits this brings, the Ubuntu page explaining
it didn't convince me. Also, as far as I understand (from the very same
page) Ubuntu is patching some (many?) packages to make them work in this
configuration.

Of course, I may be completely wrong, in which case I'm sure somebody
will contradict me with arguments and references

Regards,
Andrei
--
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)
 
Old 07-23-2008, 12:21 PM
Brian Marshall
 
Default Cron jobs and root account locked on Lenny

On Wed, 23 Jul 2008 13:10:26 +0300
Andrei Popescu <andreimpopescu@gmail.com> wrote:

> On Wed,23.Jul.08, 00:11:35, Alexander Fortin wrote:
>
> [locked root account troubles]
>
> > Of course, I could unlock root account, but I thought it was good
> > practice to avoid root login from tty/ssh etc, and I'm pretty sure
> > this configuration was working well under Etch. Could this be
> > considered as a bug? Should I report it?
>
> I never understood what benefits this brings, the Ubuntu page
> explaining it didn't convince me.

I agree. I think it's really more annoying than anything. You can still
use sudo if you want, but you also have the choice of using su (like,
say, when sudo is fubared or you can't log in to your user account...).

That said, I don't recommend allowing root login over ssh, but than can
be disabled with sshd.

--
Brian
 
Old 07-23-2008, 04:00 PM
Alexander Fortin
 
Default Cron jobs and root account locked on Lenny

On Jul 23, 2:30*pm, Brian Marshall <bm...@sdf.lonestar.org> wrote:
> That said, I don't recommend allowing root login over ssh, but than can
> be disabled with sshd.

I partially agree with the useless of the feauture, but Debian
installer is asking if you want to allow root login or not, so I'm
pretty sure I'm not the only one on Lenny with locked root account and
root cron jobs running, and I still think this could lead to
confusion, especially if you were used to lock root accunt under Etch.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 07-23-2008, 04:46 PM
Andrei Popescu
 
Default Cron jobs and root account locked on Lenny

On Wed,23.Jul.08, 09:00:22, Alexander Fortin wrote:
> On Jul 23, 2:30*pm, Brian Marshall <bm...@sdf.lonestar.org> wrote:
> > That said, I don't recommend allowing root login over ssh, but than can
> > be disabled with sshd.
>
> I partially agree with the useless of the feauture, but Debian
> installer is asking if you want to allow root login or not, so I'm

Only in expert mode

> pretty sure I'm not the only one on Lenny with locked root account and
> root cron jobs running, and I still think this could lead to
> confusion, especially if you were used to lock root accunt under Etch.

I'm not an expert, but a quick read through passwd(1) says account
expiry should be set to '1', while your 'passwd -S' shows '-1', just
like a normal account.

How about trying to lock it again?

Regards,
Andrei
--
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)
 
Old 07-23-2008, 06:01 PM
Sven Joachim
 
Default Cron jobs and root account locked on Lenny

On 2008-07-23 18:46 +0200, Andrei Popescu wrote:

> I'm not an expert, but a quick read through passwd(1) says account
> expiry should be set to '1', while your 'passwd -S' shows '-1', just
> like a normal account.
>
> How about trying to lock it again?

I tried that here, and it did not help. Probably a bug in passwd or
pam. Didn't find anything in the BTS, but Ubuntu users see something
similar: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/238755

A comment in that bug suggests using "usermod --lock root" to lock the
root account, that does seem to work.

Sven


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 07-24-2008, 08:03 AM
Alexander Fortin
 
Default Cron jobs and root account locked on Lenny

On Jul 23, 6:50*pm, Andrei Popescu <andreimpope...@gmail.com> wrote:
> > I partially agree with the useless of the feauture, but Debian
> > installer is asking if you want to allow root login or not, so I'm
>
> Only in expert mode

Uhm... well.... I always find difficult to define what a (Debian)
expert need to know to be called so... Anyway, can you manually
partition disks with raid and lvm stuff when you are not in expert
mode? 'Cause actually it's the only "expert" thing I need to do at
install time

> I'm not an expert, but a quick read through passwd(1) says account
> expiry should be set to '1', while your 'passwd -S' shows '-1', just
> like a normal account.
>
> How about trying to lock it again?

Lock-unlock doesn't work

On Jul 23, 8:10 pm, Sven Joachim <svenj...@gmx.de> wrote:
> A comment in that bug suggests using "usermod --lock root" to lock the
> root account, that does seem to work.

Yep, using usermod instead of passwd seems to work fine!
So, to report a bug or not to? Which mailing list?

Alex


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 07-24-2008, 09:06 AM
Thilo Six
 
Default Cron jobs and root account locked on Lenny

Alexander Fortin wrote the following on 24.07.2008 10:03

</snip>

> Yep, using usermod instead of passwd seems to work fine!
> So, to report a bug or not to? Which mailing list?

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=389183

> Alex


HTH
--
bye Thilo

key: 0x4A411E09


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 07-24-2008, 04:28 PM
Andrei Popescu
 
Default Cron jobs and root account locked on Lenny

On Thu,24.Jul.08, 11:06:47, Thilo Six wrote:
> Alexander Fortin wrote the following on 24.07.2008 10:03
>
> </snip>
>
> > Yep, using usermod instead of passwd seems to work fine!
> > So, to report a bug or not to? Which mailing list?
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=389183

Interesting, the manpage passwd(1) says that 'passwd -l' should also set
account expiry to 1, but it doesn't. Either passwd or the manpage is
wrong, so I think this should be reported against the package passwd.

Regards,
Andrei
--
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)
 
Old 07-24-2008, 04:43 PM
Ansgar Burchardt
 
Default Cron jobs and root account locked on Lenny

Hi,

Andrei Popescu <andreimpopescu@gmail.com> writes:

> Interesting, the manpage passwd(1) says that 'passwd -l' should also set
> account expiry to 1, but it doesn't. Either passwd or the manpage is
> wrong, so I think this should be reported against the package passwd.

It sets a value to "1" in my /etc/shadow when I last used it. I assume
that would be the expiry field?

I've got passwd 1:4.1.1-2 installed (from testing).

Regards,
Ansgar

--
PGP: 1024D/595FAD19 739E 2D09 0969 BEA9 9797 B055 DDB0 2FF7 595F AD19


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 

Thread Tools




All times are GMT. The time now is 09:30 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org