Public bug reported:

Binary package hint: liboobs-1-4

1) Release:
lsb_release -rd
Description: Ubuntu 8.04.1
Release: 8.04

2) version of package:
apt-cache policy liboobs-1-4 gnome-system-tools
liboobs-1-4:
  Installed: 2.22.0-0ubuntu1
  Candidate: 2.22.0-0ubuntu1
  Version table:
 *** 2.22.0-0ubuntu1 0
        500 http://fr.archive.ubuntu.com hardy/main Packages
        100 /var/lib/dpkg/status
gnome-system-tools:
  Installed: 2.22.0-0ubuntu9
  Candidate: 2.22.0-0ubuntu9
  Version table:
 *** 2.22.0-0ubuntu9 0
        500 http://fr.archive.ubuntu.com hardy/main Packages
        100 /var/lib/dpkg/status

3) Expectations:
users-admin should be able to add/delete/modify user account settings even if a user happens to have an empty password

4) What happens:
a) add user, remove the password: you probably have to edit /etc/shadow manually for this
b) at this point, managing groups with users-admin still works but anything related to user account management (adding a user, deleting a user, changing properties for a user) does not work any more
c) what is very frustrating is that there is absolutely no visual feedback of this error condition. When adding a new user, a new line shows up in the interface as in the normal case. But /etc/passwd /etc/shadow ... are NOT modified
d) the following shows up on stderr:
----------------------------------------------------------------------
(users-admin:11895): Liboobs-CRITICAL **: create_dbus_struct_from_user: assertion `(login && password && homedir && shell)' failed

(users-admin:11895): Liboobs-CRITICAL **: Not committing due to inconsistencies in the configuration, this reflects a bug in the application
----------------------------------------------------------------------

5) Proposed fix
Quick fix is to relax the assert in oobs-usersconfig.c
>> g_return_val_if_fail ((login && password && homedir && shell), FALSE);
I guess. It would be much cleaner to intervene in the protocol used by the users-admin frontend to talk to back-ends. There should be a way to say that a data must exist but may be an empty string.
Can't you differentiate between failures in network transport or server routines (aka backends) failures (for example perl installation corruption) and empty string put on purpose?
Sorry, I know rpc, corba, network programming, asn1.. but I'm totally ignorant on how you describe data exchange for dbus, how you register handlers/services, how you "tcpdump" the dbus protocol exchange.

6) Rationale of this request for a fix:
a) I agree that users with empty passwords are a bad thing and should be avoided by default. But I guess there are situations (standalone computers, with restricted access and no network connections) where it makes sense (after tweaking /etc/pam.d/common-auth a little of course). Even sshd allows this if you explicitly ask for it (option PermitEmptyPasswords)
b) liboobs should provide "Mechanism, not Policy". Provision to ban empty passwords should lie in the frontend, NOT in the protocol between frontend and backend
c) by the way, assuming that home and shell should also be .neq. "" is also questionable

7) affected releases
I guess anything higher than ubuntu 8.04 is affected. 7.10 is not

** Affects: liboobs (Ubuntu)
     Importance: Undecided
         Status: New

--
users-admin does not work with empty passwords
https://bugs.launchpad.net/bugs/316667
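
The separation asked for in sections 5 and 6 of the report, a field that must exist but may be empty, with the empty-password ban kept in the frontend, sketched as an added example. This is not liboobs code; the struct, enum and function names are hypothetical and the records are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical user record; not the liboobs structure. */
struct user_rec {
    const char *login;
    const char *password;   /* /etc/shadow password field; "" means empty */
    const char *homedir;
    const char *shell;
};

enum rec_status { REC_OK = 0, REC_MISSING_FIELD, REC_EMPTY_LOGIN };

/* Mechanism: every field must be present (non-NULL); only login must be non-empty. */
enum rec_status rec_validate(const struct user_rec *u)
{
    if (!u || !u->login || !u->password || !u->homedir || !u->shell)
        return REC_MISSING_FIELD;   /* transport or backend failure */
    if (u->login[0] == '\0')
        return REC_EMPTY_LOGIN;
    return REC_OK;                  /* empty password, homedir or shell is allowed here */
}

/* Policy: decided in the frontend, where the administrator can opt in. */
int frontend_accepts(const struct user_rec *u, int allow_empty_password)
{
    if (rec_validate(u) != REC_OK)
        return 0;
    if (u->password[0] == '\0' && !allow_empty_password)
        return 0;                   /* default: refuse, and tell the user why */
    return 1;
}

int main(void)
{
    /* Constructed sample records. */
    struct user_rec empty_pw = { "guest", "", "/home/guest", "/bin/sh" };
    struct user_rec no_pw = { "guest", NULL, "/home/guest", "/bin/sh" };
    printf("empty password, validate: %d\n", (int)rec_validate(&empty_pw));
    printf("missing password, validate: %d\n", (int)rec_validate(&no_pw));
    printf("empty password, default policy: %d\n", frontend_accepts(&empty_pw, 0));
    return 0;
}
```

Returning a distinct status for each rejection also gives the frontend something to display, instead of failing silently as described in 4c.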