[Bug 2059048] [NEW] adduser allows no password when PAM's pwquality is restrictively set
Mark Esler
2059048 at bugs.launchpad.net
Mon Mar 25 21:38:13 UTC 2024
Public bug reported:
If pam_pwqaulity is restrictively set a user can still be created by
adduser without a password.
e.g.,
```
eslerm at mino:~$ cat /etc/pam.d/common-password |grep pwquality
password requisite pam_pwquality.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root
eslerm at mino:~$ sudo adduser bar
info: Adding user `bar' ...
info: Selecting UID/GID from range 1000 to 59999 ...
info: Adding new group `bar' (1002) ...
info: Adding new user `bar' (1002) with group `bar (1002)' ...
info: Creating home directory `/home/bar' ...
info: Copying files from `/etc/skel' ...
New password:
BAD PASSWORD: The password contains less than 1 digits
New password:
BAD PASSWORD: The password contains less than 1 digits
New password:
BAD PASSWORD: The password contains less than 1 digits
passwd: Have exhausted maximum number of retries for service
passwd: password unchanged
Try again? [y/N] N
Changing the user information for bar
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
info: Adding new user `bar' to supplemental / extra groups `users' ...
info: Adding user `bar' to group `users' ...
eslerm at mino:~$ sudo cat /etc/shadow|grep bar
bar:!:19802:0:99999:7:::
```
This was raised as an issue to the Security team. Foundations suggested
to file a bug. This is possibly only a feature request. If this behavior
is unexpected by the maintainers, it is likely a security issue. I am
leaning towards this being a feature request and not marking the bug for
Public/Private Security.
** Affects: adduser (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to adduser in Ubuntu.
https://bugs.launchpad.net/bugs/2059048
Title:
adduser allows no password when PAM's pwquality is restrictively set
Status in adduser package in Ubuntu:
New
Bug description:
If pam_pwqaulity is restrictively set a user can still be created by
adduser without a password.
e.g.,
```
eslerm at mino:~$ cat /etc/pam.d/common-password |grep pwquality
password requisite pam_pwquality.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root
eslerm at mino:~$ sudo adduser bar
info: Adding user `bar' ...
info: Selecting UID/GID from range 1000 to 59999 ...
info: Adding new group `bar' (1002) ...
info: Adding new user `bar' (1002) with group `bar (1002)' ...
info: Creating home directory `/home/bar' ...
info: Copying files from `/etc/skel' ...
New password:
BAD PASSWORD: The password contains less than 1 digits
New password:
BAD PASSWORD: The password contains less than 1 digits
New password:
BAD PASSWORD: The password contains less than 1 digits
passwd: Have exhausted maximum number of retries for service
passwd: password unchanged
Try again? [y/N] N
Changing the user information for bar
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
info: Adding new user `bar' to supplemental / extra groups `users' ...
info: Adding user `bar' to group `users' ...
eslerm at mino:~$ sudo cat /etc/shadow|grep bar
bar:!:19802:0:99999:7:::
```
This was raised as an issue to the Security team. Foundations
suggested to file a bug. This is possibly only a feature request. If
this behavior is unexpected by the maintainers, it is likely a
security issue. I am leaning towards this being a feature request and
not marking the bug for Public/Private Security.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adduser/+bug/2059048/+subscriptions
More information about the foundations-bugs
mailing list