Bug 172846 - su does not prompt for password on copy of root
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: coreutils
Version: 4
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Assignee: Tim Waugh
Duplicates: 172847 172848
Reported: 2005-11-10 15:32 UTC by Bob Findlay
Modified: 2007-11-30 22:11 UTC (History)

Doc Type: Bug Fix
Last Closed: 2005-11-14 16:43:02 UTC

Description Bob Findlay 2005-11-10 15:32:51 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

Description of problem:
We have a 2nd "root" account called "system" which has the same uid/gid as root. A normal user can su to system without giving a password.

Version-Release number of selected component (if applicable):
coreutils-5.2.1-48.1

How reproducible:
Always

Steps to Reproduce:
1. vipw: duplicate the root entry. Rename the 2nd one "system"
2. Do the same in the shadow password
3. Log in as a normal user
4. su - system

  

Actual Results:  
and no prompt for a password is given - you just become system

Expected Results:  should prompt for system password

Additional info:

Comment 1 Tim Waugh 2005-11-10 15:40:14 UTC
*** Bug 172847 has been marked as a duplicate of this bug. ***

Comment 2 Tim Waugh 2005-11-10 15:40:24 UTC
*** Bug 172848 has been marked as a duplicate of this bug. ***

Comment 3 Tim Waugh 2005-11-10 15:43:08 UTC
No, I don't see that behaviour.

1. Have you altered any PAM configuration files?

2. What does 'rpm -V coreutils' say?

Comment 4 Bob Findlay 2005-11-10 16:09:11 UTC
1. none
2. nothing at all

Comment 5 Tim Waugh 2005-11-10 16:21:40 UTC
Please try these commands as your non-root user:

id
id -Gn
id system
id -Gn system
su - system
id

What is the output?

Comment 6 Bob Findlay 2005-11-10 16:37:23 UTC
[findlay@jic4147 ~]$ id
uid=2026(findlay) gid=2000(comp) groups=2000(comp) context=user_u:system_r:unconfined_t
[findlay@jic4147 ~]$ id -Gn
comp
[findlay@jic4147 ~]$ id system
uid=0(system) gid=0(root) groups=0(root)
[findlay@jic4147 ~]$ id -Gn system
root
[findlay@jic4147 ~]$ su - system
[system@jic4147 ~]# id
uid=0(system) gid=0(root) groups=0(root) context=user_u:system_r:unconfined_t


Comment 7 Tim Waugh 2005-11-10 17:35:28 UTC
Please attach these files:

/etc/pam.d/su
/etc/pam.d/system-auth


Comment 8 Bob Findlay 2005-11-11 09:11:44 UTC
[system@jic4147 ~]# cat /etc/pam.d/su
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session    required     /lib/security/$ISA/pam_selinux.so close
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session    required     /lib/security/$ISA/pam_selinux.so open multiple
session    optional     /lib/security/$ISA/pam_xauth.so

=========================
[system@jic4147 ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

Comment 9 Tim Waugh 2005-11-11 16:57:24 UTC
Please make a copy of your /etc/pam.d/system-auth file like this:

cp /etc/pam.d/system-auth $HOME/system-auth-backup

Then run the Authentication Configuration tool from the System
Settings->Authentication menu item.  Click on the Authentication tab and
deselect 'Enable Winbind Support'.  Click OK to exit the configuration tool.

Does the su problem still occur?  If so, please repeat the configuration change
but this time deselect SMB support and try su again.

Which configuration option makes a difference?

Comment 10 Bob Findlay 2005-11-14 12:10:05 UTC
I disabled both and rebooted.  Didn't make any difference I'm afraid.

Although I had been experimenting with those options, so they might have something to do with the problem.

PS: su to root prompts for a password, as does su to any other username...

Comment 11 Tim Waugh 2005-11-14 12:34:55 UTC
Okay.  Now open that configuration tool again and go to the authentication tab.
 Do you have 'Shadow passwords' enabled?  Please try enabling them if not.

Comment 12 Bob Findlay 2005-11-14 13:29:53 UTC
That fixed it.  Sorry to have caused you trouble over something that was my mistake :-(
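
An added audit example, not code from this thread or from coreutils/PAM: it flags the local account states this report turns on, namely a second UID 0 entry, a passwd entry marked `x` with no matching shadow line, and an empty password field that the `nullok` option on the posted `pam_unix.so` auth line would accept. The passwd and shadow samples are constructed and do not reproduce the reporter's files; the function names are hypothetical.

```python
# Added example; the account data below is constructed for illustration.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
system::0:0:root:/root:/bin/bash
findlay:x:2026:2000::/home/findlay:/bin/bash
ghost:x:2027:2000::/home/ghost:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$constructed$notarealhash:13097:0:99999:7:::
findlay:$1$constructed$notarealhash:13097:0:99999:7:::
"""
# The pam_unix auth line as posted in comment 8.
SAMPLE_PAM = "auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok\n"


def rows(text):
    """Split a passwd/shadow style file into lists of colon-separated fields."""
    return [l.split(":") for l in text.splitlines() if l.strip() and not l.startswith("#")]


def pam_unix_nullok(pam_text):
    """True if an active auth line for pam_unix.so carries the nullok option."""
    for line in pam_text.splitlines():
        fields = line.split()
        if fields and fields[0] == "auth":
            for i, field in enumerate(fields):
                if field.endswith("pam_unix.so") and "nullok" in fields[i + 1:]:
                    return True
    return False


def audit(passwd_text, shadow_text, pam_text):
    """Return (account, finding) pairs for risky local account states."""
    shadow = {r[0]: r[1] for r in rows(shadow_text) if len(r) >= 2}
    nullok = pam_unix_nullok(pam_text)
    findings = []
    for r in rows(passwd_text):
        if len(r) < 3:
            continue
        name, pw, uid = r[0], r[1], r[2]
        if uid == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
        if pw == "x" and name not in shadow:
            findings.append((name, "marked shadowed but no shadow entry"))
        # "x" defers to the shadow file; anything else is the effective field.
        effective = shadow.get(name) if pw == "x" else pw
        if effective == "":
            note = "accepted by pam_unix nullok" if nullok else "nullok not set"
            findings.append((name, "empty password, " + note))
    return findings
```

On a live host the three arguments would be the contents of /etc/passwd, /etc/shadow (readable by root only) and /etc/pam.d/system-auth.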

