Login impossible when root has no read permission for /etc/*shadow
Description:
After I upgraded to apparmor 4.0.3-1, I suddenly couldn't log in to any system accounts anymore, not even root. At least one other user encountered the same problem[1].
In the system journal, I could see:
Nov 05 23:10:40 h2g2-42 unix_chkpwd[1612]: check pass; user unknown
Nov 05 23:10:40 h2g2-42 unix_chkpwd[1612]: password check failed for user (tilman)
Nov 05 23:10:40 h2g2-42 gdm-password][1574]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=tilman
Nov 05 23:10:40 h2g2-42 kernel: audit: type=1400 audit(1730844640.468:171): apparmor="DENIED" operation="capable" class="cap" profile="unix-chkpwd" pid=1612 comm="unix_chkpwd" capability=2 capname="dac_read_search"
Nov 05 23:10:40 h2g2-42 kernel: audit: type=1400 audit(1730844640.468:172): apparmor="DENIED" operation="capable" class="cap" profile="unix-chkpwd" pid=1612 comm="unix_chkpwd" capability=1 capname="dac_override"
Confusingly, on another system, this problem did not occur.
A bit of digging revealed that on the broken system (which is pretty old, first set up in 2008 or earlier), /etc/shadow and /etc/gshadow had no permission bits set at all, while on the working system, both files had their bits set to 0600. In both cases, user and group of the file were set to root.
Doing chmod 600 /etc/*shadow fixed the issue, and a look into /usr/share/factory/etc/ confirmed that both files are indeed supposed to be readable by the root user.
I'm very sure I never touched the permissions of those files, so I assume that at some point in the past, them not having any permission bits set was intended behavior, as evidenced by another user having the same problem.
Possibly, there should be an automated step where the permission bits of those files are fixed, or at least a warning should be shown somewhere. Maybe this should actually be a bug against filesystem?
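To make the diagnosis above mechanical, here is an added example (not part of this report or of the apparmor package) that pulls the AppArmor "capable" denials out of journal text and checks a shadow file's mode and ownership against the expected root:root 0600; the function names and the SAMPLE_JOURNAL constant are my own, the sample lines are copied from the journal output quoted above.

```python
import os
import re
import stat

# Constructed sample: the journal lines quoted in the report.
SAMPLE_JOURNAL = """\
Nov 05 23:10:40 h2g2-42 unix_chkpwd[1612]: check pass; user unknown
Nov 05 23:10:40 h2g2-42 kernel: audit: type=1400 audit(1730844640.468:171): apparmor="DENIED" operation="capable" class="cap" profile="unix-chkpwd" pid=1612 comm="unix_chkpwd" capability=2 capname="dac_read_search"
Nov 05 23:10:40 h2g2-42 kernel: audit: type=1400 audit(1730844640.468:172): apparmor="DENIED" operation="capable" class="cap" profile="unix-chkpwd" pid=1612 comm="unix_chkpwd" capability=1 capname="dac_override"
"""

# Root normally ignores a file's mode bits only via these two capabilities.
# With them denied by the profile, uid 0 obeys a 0000 mode like anyone else.
DAC_CAPS = {"dac_override", "dac_read_search"}
_DENY_RE = re.compile(r'apparmor="DENIED" operation="capable".*'
                      r'profile="(?P<profile>[^"]+)".*capname="(?P<cap>[^"]+)"')

def parse_capable_denials(journal_text):
    """Return (profile, capname) for every AppArmor 'capable' denial in the text."""
    matches = (_DENY_RE.search(line) for line in journal_text.splitlines())
    return [(m.group("profile"), m.group("cap")) for m in matches if m]

def mode_problems(mode, uid=0, gid=0):
    """List why these stat values are wrong for a shadow file (expected root:root, 0600)."""
    problems = []
    if uid != 0 or gid != 0:
        problems.append(f"owner/group is {uid}:{gid}, expected root:root")
    if not mode & stat.S_IRUSR:
        problems.append("no owner read bit: reading needs CAP_DAC_READ_SEARCH")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"group/other bits set (mode {mode & 0o7777:04o}), expected 0600")
    return problems

def check_shadow_file(path):
    """stat() a real file (needs no read permission) and report its problems."""
    st = os.stat(path)
    return mode_problems(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)

def diagnose(journal_text, mode, uid=0, gid=0):
    """True when a unix-chkpwd DAC denial coincides with a bad shadow mode: the lockout above."""
    denied = any(p == "unix-chkpwd" and c in DAC_CAPS
                 for p, c in parse_capable_denials(journal_text))
    problems = mode_problems(mode, uid, gid)
    return denied and bool(problems), problems

if __name__ == "__main__":
    for path in ("/etc/shadow", "/etc/gshadow"):
        print(path, check_shadow_file(path) or "ok")
```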
Additional info:
- package version(s): apparmor 4.0.3-1
Steps to reproduce:
- chmod 0 /etc/*shadow
- Reboot (might not actually be necessary)
- Observe that logging in is now impossible.
[1] I realize the other affected user is using Manjaro, but I am using Arch Linux.