Bug 446488 (CVE-2008-1946)

Summary: CVE-2008-1946 /etc/pam.d/su is wrong in RHEL-4.6
Product: [Other] Security Response
Reporter: Josh Bressers <bressers>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: security-response-team
Keywords: Regression, Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-07-25 06:46:10 UTC
Bug Depends On: 446236

Description Josh Bressers 2008-05-14 20:13:02 UTC
+++ This bug was initially created as a clone of Bug #446236 +++

The /etc/pam.d/su in coreutils-5.2.1-31.7 is wrong.
It contains line:
account    sufficient   /lib/security/$ISA/pam_succeed_if.so uid=0 use_uid quiet

This line should instead be:
account    sufficient   /lib/security/$ISA/pam_succeed_if.so uid = 0 use_uid quiet

Notice the spaces around '='. Unfortunately this means that account check is
skipped in su for all accounts regardless of who is the calling user (it should
be skipped for root only).

pam_succeed_if.so treats the uid=0 as an unknown option and skips it, and the
default outcome when no conditions are found on the command line of the module
is to succeed. I will make sure in PAM upstream that the module will treat
unknown options as a failure condition so this or a similar thing will not go
unnoticed in the future.

The problem was originally noticed here:
https://bugzilla.redhat.com/show_bug.cgi?id=445697

The regression was created when fixing the bug:
https://bugzilla.redhat.com/show_bug.cgi?id=230286
partly through my fault, because the original line without the spaces comes from my
comment in bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152420
although Fedora and RHEL-5 contain the fixed line.
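A simplified model of the argument handling the description refers to, added here as an illustration and not taken from pam_succeed_if's source or from the coreutils package. The flag and field names are assumptions, and the two configuration lines are constructed from the text above; the model shows why `uid=0` yields no condition at all (so the old module succeeds for every caller), how the upstream hardening changes that, and how to flag such a malformed line in a PAM file:

```python
# Constructed sample lines (not copied from a real system): the defective
# line from coreutils-5.2.1-31.7 and the corrected form with spaces around '='.
BAD_LINE = ("account    sufficient   /lib/security/$ISA/pam_succeed_if.so "
            "uid=0 use_uid quiet")
GOOD_LINE = ("account    sufficient   /lib/security/$ISA/pam_succeed_if.so "
             "uid = 0 use_uid quiet")

# Assumed option vocabulary for this model; only the token shapes matter here.
FLAGS = {"use_uid", "quiet", "quiet_fail", "quiet_success", "debug", "audit"}
FIELDS = {"uid", "gid", "user", "shell", "home", "ruser", "rhost", "tty", "service"}

def parse_conditions(args):
    """Split the module arguments into (field, op, value) conditions and
    leftover tokens that are neither a flag nor a FIELD OP VALUE triple.
    'uid=0' is a single token, matches no field name and lands in the
    leftovers; 'uid = 0' is three tokens and becomes a real condition."""
    conds, leftovers, i = [], [], 0
    while i < len(args):
        tok = args[i]
        if tok in FLAGS:
            i += 1
        elif tok in FIELDS and i + 2 < len(args):
            conds.append((tok, args[i + 1], args[i + 2]))
            i += 3
        else:
            leftovers.append(tok)
            i += 1
    return conds, leftovers

def account_check_skipped(line, calling_uid, strict):
    """True when this 'account sufficient' line succeeds for calling_uid and
    so short-circuits the remaining account checks. strict=False models the
    old module (unknown options skipped, no conditions -> success);
    strict=True models the upstream fix (unknown option -> failure).
    Only 'uid = N' evaluated against the calling uid (use_uid) is modelled."""
    args = line.split()[3:]
    conds, leftovers = parse_conditions(args)
    if strict and leftovers:
        return False
    if not conds:
        return True
    return all(f == "uid" and op == "=" and int(v) == calling_uid
               for f, op, v in conds)

def malformed_conditions(line):
    """Defender-side check for a pam_succeed_if line: returns the tokens that
    parse as neither flag nor condition, e.g. ['uid=0'] for the bad line."""
    return parse_conditions(line.split()[3:])[1]
```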

Comment 1 Tomas Hoger 2008-06-04 14:14:04 UTC
This issue was introduced in coreutils packages in Red Hat Enterprise Linux 4.6
and coreutils-5.2.1-31.7 is the only affected version.

This problem allows any local user to su to a disabled / locked / expired user
account, provided that the account password is known to the user running su.

Comment 2 Mark J. Cox 2008-07-24 15:28:15 UTC
removing embargo

Comment 3 Red Hat Product Security 2008-07-25 06:46:10 UTC
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0780.html