spl23
Raspberry Pi Engineer & Forum Moderator
Posts: 376
Joined: Fri Dec 26, 2014 11:02 am

Re: New Raspbian release "2016-11-25"

Thu Dec 01, 2016 10:43 pm

OK, I know what is going wrong - the locking of the pi user password is changing the format of the relevant line in the shadow file such that the salt can't be read from it; as a result mkpasswd fails, and a false positive is generated. That should be fairly easy to fix - if I get something that looks as if it works, I'll drop you a PM and you can try it.
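
The locked-account false positive spl23 describes, as an added example that is not the Raspbian sshpasswd.sh script: a POSIX sh check that classifies the shadow entry before recomputing any hash, so a locked ("!"-prefixed) entry, an empty field or a deleted account (the situation njspix reports later in the thread) is reported as such instead of as a default password. It assumes the mkpasswd tool from the whois package for a real run and a HASHER hook (my addition) so the comparison can be exercised with a stand-in hasher; the candidate password is an argument, not hard-coded.

```shell
#!/bin/sh
# Added example, not the Raspbian sshpasswd.sh script: decide from a user's
# shadow entry whether a default-password warning is justified, without the
# false positive spl23 describes for a locked "pi" account. POSIX sh only
# (no bashisms), so it also runs under dash and ksh.
# Usage: check_default_password USER CANDIDATE < /etc/shadow   (needs root)
# Hashing goes through $HASHER; the default uses mkpasswd (whois package).

# mkpasswd_hash METHOD SALT PASSWORD -> full crypt string on stdout.
mkpasswd_hash() { mkpasswd -m "$1" -S "$2" "$3"; }
HASHER="${HASHER:-mkpasswd_hash}"

# Print the password field of USER's entry from shadow text on stdin.
# Exit status 1 when there is no such user (e.g. pi was deleted).
shadow_hash() {
  awk -F: -v u="$1" '$1 == u { print $2; found = 1 } END { exit !found }'
}

# Classify a password field: "locked" ("!"- or "*"-prefixed, so no salt can
# be read from it), "empty", or "crypt" (a usable hash).
hash_kind() {
  case "$1" in
    '')        echo empty ;;
    '!'*|'*'*) echo locked ;;
    *)         echo crypt ;;
  esac
}

# Print "METHOD SALT" for a crypt hash: "$6$salt$..." is sha-512, "$5$" is
# sha-256, "$1$" is md5, and anything without "$" is DES with a 2-char salt.
# Returns 1 for schemes or custom round counts this example does not handle.
hash_method_salt() {
  case "$1" in
    '$6$'*) m=sha-512 ;;
    '$5$'*) m=sha-256 ;;
    '$1$'*) m=md5 ;;
    '$'*)   return 1 ;;
    *)      printf 'des %s\n' "$(printf '%s' "$1" | cut -c1-2)"; return 0 ;;
  esac
  s=$(printf '%s' "$1" | cut -d'$' -f3)
  case "$s" in rounds=*) return 1 ;; esac
  printf '%s %s\n' "$m" "$s"
}

# Print one word and exit 0 only for "default":
#   no-user | locked | empty | unsupported | changed | default
check_default_password() {
  h=$(shadow_hash "$1") || { echo no-user; return 1; }
  kind=$(hash_kind "$h")
  [ "$kind" = crypt ] || { echo "$kind"; return 1; }
  ms=$(hash_method_salt "$h") || { echo unsupported; return 1; }
  set -- "$2" $ms                       # now $1=candidate $2=method $3=salt
  if [ "$("$HASHER" "$2" "$3" "$1")" = "$h" ]; then
    echo default; return 0
  fi
  echo changed; return 1
}
```

Because /etc/shadow is readable only by root, the check still has to run with root privileges; feeding it the shadow text on stdin keeps that privilege outside the login script, which is where the sudo failure DougieLawson reports later in the thread comes from.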

HawaiianPi
Posts: 4584
Joined: Mon Apr 08, 2013 4:53 am
Location: Aloha, Oregon USA

Re: New Raspbian release "2016-11-25"

Thu Dec 01, 2016 10:57 pm

spl23 wrote: Just to be 100% sure - can you please tell me what "mkpasswd aaa" returns on your system?
Seems to return random junk each time I run it.


~ $ mkpasswd aaa
9ji5L6x49bFxI
~ $ mkpasswd aaa
Ma6yyywOUJOaQ
~ $ mkpasswd aaa
93Pq8KOCEadqk
~ $ 
spl23 wrote: Apologies for the inconvenience - as with all such changes, there's no way we can test every single configuration that users will have before release, so there will always be a few cases where a system is in a state we hadn't anticipated. We'll try and get a fix out for this asap.
I totally understand. Sorry if I seemed a bit grumpy, I just haven't had my morning coffee yet. :mrgreen:
spl23 wrote: Ah - I think I know what is going wrong - the locking of the pi user password is changing the format of the relevant line in the shadow file such that the salt can't be read from it; as a result mkpasswd fails, and a false positive is generated. That should be fairly easy to fix - if I get something that looks as if it works, I'll drop you a PM and you can try it.
Awesome! Be happy to test it.

I did re-enable the pi account, logged in as pi and changed the password, and there was no warning after I rebooted.

Then I locked pi and rebooted, and yup, the warning was back!
My mind is like a browser. 27 tabs are open, 9 aren't responding,
lots of pop-ups...and where is that annoying music coming from?

Martin Frezman
Posts: 1020
Joined: Mon Oct 31, 2016 10:05 am

Re: New Raspbian release "2016-11-25"

Fri Dec 02, 2016 12:54 am

One more thing about this:

Suppose you've done a "dist-upgrade" and gotten the latest stuff and you now have the file: /etc/profile.d/sshpasswd.sh
on your system, so that every time you log in as pi, you get this little missive from the system.

What is the approved way to disable this? Is it OK to just 'rm' the file, or is there some systemd/sysctl command to use instead?

Note, BTW, that even if you have changed pi's pw, running this script still takes some time; I can see that it takes longer to login than it used to.
If this post appears in the wrong forums category, my apologies.

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Posts: 5951
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: New Raspbian release "2016-11-25"

Fri Dec 02, 2016 7:54 am

Yes, removing the file is the way to go, if you would like to disable it.

PeterO
Posts: 5001
Joined: Sun Jul 22, 2012 4:14 pm

Re: New Raspbian release "2016-11-25"

Fri Dec 02, 2016 8:47 am

spl23 wrote: Apologies for the inconvenience - as with all such changes, there's no way we can test every single configuration that users will have before release, so there will always be a few cases where a system is in a state we hadn't anticipated. We'll try and get a fix out for this asap.
Do you have a team of tame beta testers from the community ?

PeterO
Discoverer of the PI2 XENON DEATH FLASH!
Interests: C,Python,PIC,Electronics,Ham Radio (G0DZB),1960s British Computers.
"The primary requirement (as we've always seen in your examples) is that the code is readable. " Dougie Lawson

B.Goode
Posts: 8480
Joined: Mon Sep 01, 2014 4:03 pm
Location: UK

Re: New Raspbian release "2016-11-25"

Fri Dec 02, 2016 10:23 am

PeterO wrote:
spl23 wrote: Apologies for the inconvenience - as with all such changes, there's no way we can test every single configuration that users will have before release, so there will always be a few cases where a system is in a state we hadn't anticipated. We'll try and get a fix out for this asap.
Do you have a team of tame beta testers from the community ?

PeterO

A previous related response indicates that community involvement is thought to be already in place by virtue of committing developments to a github repository: viewtopic.php?f=66&t=166984&start=25#p1075374

jojopi
Posts: 3084
Joined: Tue Oct 11, 2011 8:38 pm

Re: New Raspbian release "2016-11-25"

Fri Dec 02, 2016 10:43 am

Martin Frezman wrote: Note, BTW, that even if you have changed pi's pw, running this script still takes some time; I can see that it takes longer to login than it used to.
Amusingly, it does all the slow stuff before the test for sshd that inhibits the warning. (Is it a defect that it does not check whether sshd accepts passwords, or is it a defect that it assumes sshd is the only service that can?)

If anyone uses ksh, they get an error. Both the script and its output are ugly in an 80 column window. The message confusingly tells the user to login as 'pi', when most likely that is exactly what they have just done.

I still think we should look at not setting a default password, rather than only (unreliably) nagging users to change it.

PeterO
Posts: 5001
Joined: Sun Jul 22, 2012 4:14 pm

Re: New Raspbian release "2016-11-25"

Fri Dec 02, 2016 11:00 am

B.Goode wrote: A previous related response indicates that community involvement is thought to be already in place by virtue of committing developments to a github repository: viewtopic.php?f=66&t=166984&start=25#p1075374
Yet the last few days since the release of latest version clearly show that that is not sufficient to get the changes tested before they are released. It needs a simple "here is the latest beta to be tested" approach rather than expecting testers to track all the changes on github and apply them themselves. And getting testers to apply changes to their own systems means they will not be testing the final released versions of everything because their systems may have already been patched or upgraded.

If you want people to test something for you it has to be made as simple as possible for them otherwise you won't get the interest you want.

PeterO
Last edited by PeterO on Fri Dec 02, 2016 11:12 am, edited 1 time in total.
Discoverer of the PI2 XENON DEATH FLASH!
Interests: C,Python,PIC,Electronics,Ham Radio (G0DZB),1960s British Computers.
"The primary requirement (as we've always seen in your examples) is that the code is readable. " Dougie Lawson

DougieLawson
Posts: 36096
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: New Raspbian release "2016-11-25"

Fri Dec 02, 2016 11:02 am

I discovered more breakage in 2016-11-25.

There's a new /etc/profile.d/sshpasswd.sh script that includes a sudo command (trying to read /etc/shadow). That fails brilliantly if you've removed all the passwordless sudo crap (from /etc/sudoers.d). I've been getting some amusing security warning emails.

The RPF foundation folks don't seem to have grasped the concept of "real world security" - can they stop putting new junk in my /etc directory.

Tell me what's happening when I run apt-get -y update or apt-get -y dist-upgrade which includes security changes. Let me choose whether I want to install that crap that's going to break my system.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

B.Goode
Posts: 8480
Joined: Mon Sep 01, 2014 4:03 pm
Location: UK

Re: New Raspbian release "2016-11-25"

Fri Dec 02, 2016 11:08 am

@Peter won't want or need my support, but "+1" to his comment.

I hope it is clear from my linked suggestion earlier in the thread that I think the community could have a role to play here. But the RPF have repeatedly shown that their opinion differs...

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Posts: 5951
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: New Raspbian release "2016-11-25"

Fri Dec 02, 2016 11:18 am

jojopi wrote:
Martin Frezman wrote: Note, BTW, that even if you have changed pi's pw, running this script still takes some time; I can see that it takes longer to login than it used to.
Amusingly, it does all the slow stuff before the test for sshd that inhibits the warning. (Is it a defect that it does not check whether sshd accepts passwords, or is it a defect that it assumes sshd is the only service that can?)

If anyone uses ksh, they get an error. Both the script and its output are ugly in an 80 column window. The message confusingly tells the user to login as 'pi', when most likely that is exactly what they have just done.

I still think we should look at not setting a default password, rather than only (unreliably) nagging users to change it.
Thanks, that's actually all useful feedback.

dasmanul
Posts: 502
Joined: Wed Sep 30, 2015 10:20 am
Location: Frankfurt, Germany

Re: New Raspbian release "2016-11-25"

Fri Dec 02, 2016 12:14 pm

DougieLawson wrote: There's a new /etc/profile.d/sshpasswd.sh script that includes a sudo command (trying to read /etc/shadow). That fails brilliantly if you've removed all the passwordless sudo crap (from /etc/sudoers.d). I've been getting some amusing security warning emails.
I've pointed this out in a comment to the Github commit (and in this thread) - the official stance seems to be "this won't affect 99% of users so it's no problem".

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Posts: 5951
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: New Raspbian release "2016-11-25"

Fri Dec 02, 2016 12:37 pm

dasmanul wrote:
DougieLawson wrote: There's a new /etc/profile.d/sshpasswd.sh script that includes a sudo command (trying to read /etc/shadow). That fails brilliantly if you've removed all the passwordless sudo crap (from /etc/sudoers.d). I've been getting some amusing security warning emails.
I've pointed this out in a comment to the Github commit (and in this thread) - the official stance seems to be "this won't affect 99% of users so it's no problem".
That's not quite the official stance. The official stance is closer to "We know and will fix it in the long term, but right now there is no way around it."

DougieLawson
Posts: 36096
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: New Raspbian release "2016-11-25"

Fri Dec 02, 2016 12:56 pm

ShiftPlusOne wrote:
dasmanul wrote:
DougieLawson wrote: There's a new /etc/profile.d/sshpasswd.sh script that includes a sudo command (trying to read /etc/shadow). That fails brilliantly if you've removed all the passwordless sudo crap (from /etc/sudoers.d). I've been getting some amusing security warning emails.
I've pointed this out in a comment to the Github commit (and in this thread) - the official stance seems to be "this won't affect 99% of users so it's no problem".
That's not quite the official stance. The official stance is closer to "We know and will fix it in the long term, but right now there is no way around it."
There's even more reason to warn me when apt-get installs it. I'm not looking at any of that stuff on github. The only bits of Raspberry stuff I look at are kernel, firmware (usually the hexxeh piece) and weather station. So this arrived as a complete surprise (when I started getting security emails from my internet opened machine).
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

dasmanul
Posts: 502
Joined: Wed Sep 30, 2015 10:20 am
Location: Frankfurt, Germany

Re: New Raspbian release "2016-11-25"

Fri Dec 02, 2016 1:04 pm

ShiftPlusOne wrote: That's not quite the official stance. The official stance is closer to "We know and will fix it in the long term, but right now there is no way around it."
Actually, the comments in the Github commit page sounded different to me, but I might of course have misread them. That the blog post announcing the new release doesn't mention the issues also points in a different direction than "we'll fix this eventually" IMHO.

marioscube
Posts: 49
Joined: Mon Dec 09, 2013 8:26 pm

Re: New Raspbian release "2016-11-25"

Fri Dec 02, 2016 2:51 pm

I would like to thank the incompetents that broke "Booting from USB" with the latest update! :x

On a perfectly running raspbian system I did:
(sudo) apt-get update
(sudo) apt-get upgrade
..... and then after a restart (I "poweroff" the Pi after using it) ........ NOTHING :(

I took a spare HD and confirmed this behaviour.

Didn't you test this?

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Posts: 5951
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: New Raspbian release "2016-11-25"

Fri Dec 02, 2016 2:57 pm

marioscube wrote: I would like to thank the incompetents that broke "Booting from USB" with the latest update! :x

On a perfectly running raspbian system I did:
(sudo) apt-get update
(sudo) apt-get upgrade
..... and then after a restart (I "poweroff" the Pi after using it) ........ NOTHING :(

I took a spare HD and confirmed this behaviour.

Didn't you test this?
Please get your facts straight and try again. You installed EXPERIMENTAL firmware using rpi-update (most likely). That replaces files which are managed by apt. Of course it will get overwritten when the package containing the actual release firmware is updated.

marioscube
Posts: 49
Joined: Mon Dec 09, 2013 8:26 pm

Re: New Raspbian release "2016-11-25"

Fri Dec 02, 2016 3:07 pm

So you did not test it and did not / forgot to put this in the announcement of a SECURITY update.

But anyway, thank you for clearing up why it did not work.
Just do not update....... ;)

PeterO
Posts: 5001
Joined: Sun Jul 22, 2012 4:14 pm

Re: New Raspbian release "2016-11-25"

Fri Dec 02, 2016 3:12 pm

ShiftPlusOne wrote: Please get your facts straight and try again.
However it is symptomatic of the Foundation having a problem with its software release/update strategy and its procedures.
Announcing things as experimental (that do work), and that then get broken by future releases (OpenGL driver, USB Booting) is sadly becoming a pattern. It's not the way to encourage people to try out the new features :-(

PeterO
Discoverer of the PI2 XENON DEATH FLASH!
Interests: C,Python,PIC,Electronics,Ham Radio (G0DZB),1960s British Computers.
"The primary requirement (as we've always seen in your examples) is that the code is readable. " Dougie Lawson

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Posts: 5951
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: New Raspbian release "2016-11-25"

Fri Dec 02, 2016 3:14 pm

marioscube wrote: So you did not test it and did not / forgot to put this in the announcement of a SECURITY update.

But anyway, thank you for clearing up why it did not work.
Just do not update....... ;)
This applies to every single firmware update released through apt and there won't be a blog post each time telling rpi-update users how apt works (they should already know).

B.Goode
Posts: 8480
Joined: Mon Sep 01, 2014 4:03 pm
Location: UK

Re: New Raspbian release "2016-11-25"

Fri Dec 02, 2016 3:17 pm

marioscube wrote: So you did not test it and did not / forgot to put this in the announcement of a SECURITY update.

But anyway, thank you for clearing up why it did not work.
Just do not update....... ;)
This is almost certainly unrelated to the 2016-11-25 release of Raspbian.

I'm pretty sure that if you used the September 'Pixel' release as a base and did the same operation you would get a similar failure. And I'm fairly sure I have seen a warning in the discussion of the beta USB/net booting feature that exactly what you describe was to be expected.

(I sympathise with your frustration, but although I kicked off this thread in some surprise at the content of the release I don't think your issue is really a consequence.)

marioscube
Posts: 49
Joined: Mon Dec 09, 2013 8:26 pm

Re: New Raspbian release "2016-11-25"

Fri Dec 02, 2016 3:39 pm

@B.Goode
I'm pretty sure that if you used the September 'Pixel' release as a base and did the same operation you would get a similar failure.
Well that's exactly what I did.

Thank you for sympathising, but I'm already over it now. Somewhat.

However I find it strange that any update (apt-get upgrade) would break USB boot. To enable USB boot no extra raspbian code needs to be installed. It's just a removable setting in a file (/boot/config.txt).

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Posts: 5951
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: New Raspbian release "2016-11-25"

Fri Dec 02, 2016 3:50 pm

marioscube wrote: @B.Goode
I'm pretty sure that if you used the September 'Pixel' release as a base and did the same operation you would get a similar failure.
Well that's exactly what I did.

Thank you for sympathising, but I'm already over it now. Somewhat.

However I find it strange that any update (apt-get upgrade) would break USB boot. To enable USB boot no extra raspbian code needs to be installed. It's just a removable setting in a file (/boot/config.txt).
To enable USB boot, you need special firmware (which was overwritten), so it's not just a config.txt setting.

DougieLawson
Posts: 36096
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: New Raspbian release "2016-11-25"

Fri Dec 02, 2016 4:05 pm

marioscube wrote: So you did not test it and did not / forgot to put this in the announcement of a SECURITY update.

But anyway, thank you for clearing up why it did not work.
Just do not update....... ;)
Since you've run BRANCH=next rpi-update to get the USB/PXE bootcode then that MUST be re-run whenever the apt-get stuff updates the kernel. That's obvious and there's nothing the RPF folks have done wrong with that one. You'll also need to remove /boot/.firmware_revision or rpi-update will terminate without making any updates.

When the USB/PXE bootcode is out of beta and part of the regular mainstream kernel then you may have something to moan about.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

njspix
Posts: 5
Joined: Fri Dec 02, 2016 5:51 pm

Re: New Raspbian release "2016-11-25"

Fri Dec 02, 2016 6:00 pm

So I am using a headless RPi as a Samba server on my local network. I have deleted the pi user (using userdel if I remember correctly). I configured SSH to run on an uncommon port, and use key authentication. I then port-forwarded the machine. A couple of days ago I updated the Pi and when I connected to it this morning (from a remote location) I got the warning message about the pi password being set to default. I panicked and immediately shutdown the pi after logging in.

I'm confused because as far as I know, the pi account doesn't even exist anymore. Is this just a little semantic mix-up, or did the pi account somehow get reinstated? If so, I'm guessing I should assume the machine is compromised?

By the way, RPi is my introduction to Linux. I don't know much...yet. So any advice would be helpful.
