Bug 65678

Summary: Danger: the 'su' command does not ask for root password
Product: [Retired] Red Hat Linux Reporter: ThuBi <thubi>
Component: sh-utilsAssignee: wdovlrrw <brosenkr>
Status: CLOSED NOTABUG QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.3Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: i686   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2002-05-29 22:34:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description ThuBi 2002-05-29 22:34:09 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020513

Description of problem:
Beeing logged in as normal user (local or ssh, no matter), if I type 'su'
waiting for the system to prompt me to enter the root password, I get instantly
into the root account! The prompt becomes 'root@server' and I have full power.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.log in as normal user (local or remote)
2.type in console 'su'
3.you're root, without any problem
	

Actual Results:  Becoming root

Expected Results:  Asking for root password.

Additional info:

My computer: AMD Athlon, MB Via 133A
Install method: iso images downloaded, boot from floppy, install from harddisk
Comment 1 Bernhard Rosenkraenzer 2002-05-30 08:33:24 UTC 
This certainly doesn't happen on any systems here. 
 
There are two things that might cause this: 
- Your root password is blank 
- Someone cracked your machine and replaced su with something else. 
 
You can verify the former by just typing passwd as root and resetting the 
password to something sane. 
 
You can verify the latter by typing "rpm -V sh-utils"
Comment 2 Bernhard Rosenkraenzer 2002-05-30 08:35:46 UTC 
There are 2 more possibilities, even: 
 
- Your /etc/pam.de/su contains something along the lines of 
  auth sufficient /lib/security/pam_permit.so 
 
- Your normal user is user ID 0, su doesn't prompt user ID 0 for passwords 
  when su'ing to a different account.