Bug 172846

Summary: su does not prompt for password on copy of root
Product: [Fedora] Fedora
Reporter: Bob Findlay <bob.findlay>
Component: coreutils
Assignee: Tim Waugh <twaugh>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: 4
Hardware: i386   
OS: Linux   
Last Closed: 2005-11-14 11:43:02 EST

Description Bob Findlay 2005-11-10 10:32:51 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

Description of problem:
We have a 2nd "root" account called "system" which has the same uid/gid as root. A normal user can su to system without giving a password.

Version-Release number of selected component (if applicable):
coreutils-5.2.1-48.1

How reproducible:
Always

Steps to Reproduce:
1. vipw: duplicate the root entry. Rename the 2nd one system
2. Do the same in the shadow password
3. Log in as a normal user
4. su - system

  

Actual Results:  
and no prompt for a password is given - you just become system

Expected Results:  should prompt for system password

Additional info:
Comment 1 Tim Waugh 2005-11-10 10:40:14 EST
*** Bug 172847 has been marked as a duplicate of this bug. ***
Comment 2 Tim Waugh 2005-11-10 10:40:24 EST
*** Bug 172848 has been marked as a duplicate of this bug. ***
Comment 3 Tim Waugh 2005-11-10 10:43:08 EST
No, I don't see that behaviour.

1. Have you altered any PAM configuration files?

2. What does 'rpm -V coreutils' say?
Comment 4 Bob Findlay 2005-11-10 11:09:11 EST
1. none
2. nothing at all
Comment 5 Tim Waugh 2005-11-10 11:21:40 EST
Please try these commands as your non-root user:

id
id -Gn
id system
id -Gn system
su - system
id

What is the output?
Comment 6 Bob Findlay 2005-11-10 11:37:23 EST
[findlay@jic4147 ~]$ id
uid=2026(findlay) gid=2000(comp) groups=2000(comp) context=user_u:system_r:unconfined_t
[findlay@jic4147 ~]$ id -Gn
comp
[findlay@jic4147 ~]$ id system
uid=0(system) gid=0(root) groups=0(root)
[findlay@jic4147 ~]$ id -Gn system
root
[findlay@jic4147 ~]$ su - system
[system@jic4147 ~]# id
uid=0(system) gid=0(root) groups=0(root) context=user_u:system_r:unconfined_t
Comment 7 Tim Waugh 2005-11-10 12:35:28 EST
Please attach these files:

/etc/pam.d/su
/etc/pam.d/system-auth
Comment 8 Bob Findlay 2005-11-11 04:11:44 EST
[system@jic4147 ~]# cat /etc/pam.d/su
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session    required     /lib/security/$ISA/pam_selinux.so close
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session    required     /lib/security/$ISA/pam_selinux.so open multiple
session    optional     /lib/security/$ISA/pam_xauth.so

=========================
[system@jic4147 ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
Comment 9 Tim Waugh 2005-11-11 11:57:24 EST
Please make a copy of your /etc/pam.d/system-auth file like this:

cp /etc/pam.d/system-auth $HOME/system-auth-backup

Then run the Authentication Configuration tool from the System
Settings->Authentication menu item.  Click on the Authentication tab and
deselect 'Enable Winbind Support'.  Click OK to exit the configuration tool.

Does the su problem still occur?  If so, please repeat the configuration change
but this time deselect SMB support and try su again.

Which configuration option makes a difference?
Comment 10 Bob Findlay 2005-11-14 07:10:05 EST
I disabled both and rebooted. Didn't make any difference, I'm afraid.

Although I had been experimenting with those options, so they might have 
something to do with the problem.

P.S. su to root prompts for a password, as does su to any other username...
Comment 11 Tim Waugh 2005-11-14 07:34:55 EST
Okay.  Now open that configuration tool again and go to the authentication tab.
 Do you have 'Shadow passwords' enabled?  Please try enabling them if not.
Comment 12 Bob Findlay 2005-11-14 08:29:53 EST
That fixed it. Sorry to have caused you trouble over something that was my 
mistake :-(
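
The report involves a second UID 0 entry and a pam_unix auth line carrying nullok. As an added example (not part of the bug thread and not coreutils or PAM code), the following audits passwd, shadow and PAM text for extra UID 0 accounts, missing shadow entries and empty password fields, which pam_unix accepts when nullok is set. All sample entries are constructed, and the thread does not establish that an empty field was the cause on the reporter's machine.

```python
# Constructed sample data; not taken from the reporter's machine.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nsystem:x:0:0:root:/root:/bin/bash\n"
SAMPLE_SHADOW = "root:$1$constructed$nothash:13097:0:99999:7:::\nsystem::13097:0:99999:7:::\n"
SAMPLE_PAM = "auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok\n"


def parse_colon_file(text):
    """Map account name -> field list; comments and short lines are skipped."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and not line.startswith("#"):
            entries[fields[0]] = fields
    return entries


def pam_unix_allows_null(pam_text):
    """True if an uncommented auth line for pam_unix.so carries nullok."""
    for line in pam_text.splitlines():
        tokens = line.split()
        if tokens[:1] == ["auth"] and "nullok" in tokens:
            if any(t.endswith("pam_unix.so") for t in tokens):
                return True
    return False


def audit(passwd_text, shadow_text, pam_text):
    """Return (account, finding) pairs for the conditions checked."""
    shadow = parse_colon_file(shadow_text)
    nullok = pam_unix_allows_null(pam_text)
    findings = []
    for name, fields in parse_colon_file(passwd_text).items():
        if fields[2] == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
        pw = fields[1]
        if pw == "x":  # placeholder: the hash is expected in shadow
            if name not in shadow:
                findings.append((name, "no shadow entry"))
                continue
            pw = shadow[name][1]
        if pw == "":
            how = "accepted by pam_unix (nullok)" if nullok else "nullok not set"
            findings.append((name, "empty password field, " + how))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_PAM):
        print(f"{name}: {finding}")
```

To run it against a live system, pass the contents of /etc/passwd, /etc/shadow (readable by root only) and /etc/pam.d/system-auth in place of the sample strings.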