Bug 763416 (GLUSTER-1684)

Summary: Gaining access to the shell/root with no password is trivial
Product: [Retired] GlusterSP
Reporter: Kevin Brooks <brooks>
Component: core
Assignee: Balamurugan Arumugam <bala>
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: low
Version: 3.0.5
CC: platform, shireesh
Target Milestone: 3.1
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix

Description Kevin Brooks 2010-09-23 12:03:54 UTC
It seems that su does ask you to authenticate, although I'm positive I've done this without having it ask (but I may have authenticated and been within the 5 minute sudo grace period), using your gluster UID password to gain root access.

So, it appears root access isn't as easy as I thought, but server access without authentication as the gluster UID is still a serious issue.

Comment 1 Kevin Brooks 2010-09-23 14:11:40 UTC
Anyone with console access can easily gain root access. By pressing F11, Firefox is minimized and the user can start an xterm. Steps to reproduce:

At the login screen:

1. Press F11 and minimize Firefox
2. Right click and start the PCManFM file manager
3. Browse to any file and use "Open with"
4. Select xterm from the list of "All Applications"
5. sudo su gets you root access with no password