Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1517484 - can't lock root account
Summary: can't lock root account
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: cockpit
Version: 27
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Martin Pitt
QA Contact: Fedora Extras Quality Assurance
URL: https://github.com/cockpit-project/co...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-11-26 01:51 UTC by Chris Murphy
Modified: 2018-04-04 12:36 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-04 12:36:16 UTC


Attachments (Terms of Use)

Description Chris Murphy 2017-11-26 01:51:38 UTC
Description of problem:

There's an option to lock the root user account, but it doesn't work. Rollover shows a circle with a slash.

Version-Release number of selected component (if applicable):
cockpit-bridge-155-1.module_68ec8b72.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Install Fedora-Modular-Server-dvd-x86_64-27-20171123.n.1.iso to a VM
2. Point a web browser to IP:9090, login as user with " Reuse my password for privileged tasks" checked.
3. Click on Accounts, click on root, and try to click Lock Account

Actual results:

Isn't possible to lock the account.


Expected results:

It should be possible to lock root accounts, and I expect this means replacing the password field in /etc/shadow with !



Additional info:

Comment 1 Martin Pitt 2018-01-24 21:05:24 UTC
Indeed root is explicitly excluded from being locked:

https://github.com/cockpit-project/cockpit/blob/94c629b78c380210840b25d364f2f27cd578bcf9/pkg/users/local.js#L930

This was introduced in https://github.com/cockpit-project/cockpit/pull/2206 by Fridolin (adding to CC:), apparently knowingly. Fridolin, was there a particular reason for that? I think it's quite common to want to disable the root account after setting up sudo users, in fact it's very good practice.

Particularly as one can still set "Lock account on.." for the current day :-), and one can also do it on the CLI.

So I think this ought to be allowed.

Comment 2 Martin Pitt 2018-01-24 22:27:14 UTC
Sending upstream fix to https://github.com/cockpit-project/cockpit/pull/8484

Comment 3 Martin Pitt 2018-01-29 10:15:46 UTC
Fix landed upstream, will be in 161.

Comment 4 Martin Pitt 2018-04-04 12:36:16 UTC
Landed in 161, thus Fedora 27 and 28 have this fixed.


Note You need to log in before you can comment on or make changes to this bug.