Red Hat Bugzilla – Bug 172846
su does not prompt for password on copy of root
Last modified: 2007-11-30 17:11:16 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Description of problem:
We have a 2nd "root" account called "system" which has the same uid/gid as root. A normal user can su to system without giving a password.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. vipw duplicate the root entry. Rename the 2nd one system
2. do the same in the shadow password
3. log in as a normal user
4. su - system
and no prompt for a password is given - you just become system
Expected Results: should prompt for system password
*** Bug 172847 has been marked as a duplicate of this bug. ***
*** Bug 172848 has been marked as a duplicate of this bug. ***
No, I don't see that behaviour.
1. Have you altered any PAM configuration files?
2. What does 'rpm -V coreutils' say?
2. nothing at all
Please try these commands as your non-root user:
id -Gn system
su - system
What is the output?
[findlay@jic4147 ~]$ id
uid=2026(findlay) gid=2000(comp) groups=2000(comp)
[findlay@jic4147 ~]$ id -Gn
[findlay@jic4147 ~]$ id system
uid=0(system) gid=0(root) groups=0(root)
[findlay@jic4147 ~]$ id -Gn system
[findlay@jic4147 ~]$ su - system
[system@jic4147 ~]# id
uid=0(system) gid=0(root) groups=0(root) context=user_u:system_r:unconfined_t
Please attach these files:
[system@jic4147 ~]# cat /etc/pam.d/su
auth sufficient /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required /lib/security/$ISA/pam_wheel.so use_uid
auth required /lib/security/$ISA/pam_stack.so service=system-auth
account required /lib/security/$ISA/pam_stack.so service=system-auth
password required /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session required /lib/security/$ISA/pam_selinux.so close
session required /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session required /lib/security/$ISA/pam_selinux.so open multiple
session optional /lib/security/$ISA/pam_xauth.so
[system@jic4147 ~]# cat /etc/pam.d/system-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_smb_auth.so use_first_pass
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
Please make a copy of your /etc/pam.d/system-auth file like this:
cp /etc/pam.d/system-auth $HOME/system-auth-backup
Then run the Authentication Configuration tool from the System
Settings->Authentication menu item. Click on the Authentication tab and
deselect 'Enable Winbind Support'. Click OK to exit the configuration tool.
Does the su problem still occur? If so, please repeat the configuration change
but this time deselect SMB support and try su again.
Which configuration option makes a difference?
I disabled both and rebooted. Didn't make any difference, I'm afraid.
Although I had been experimenting with those options, so they might have
something to do with the problem.
P.S. su to root prompts for a password, as does su to any other username...
Okay. Now open that configuration tool again and go to the authentication tab.
Do you have 'Shadow passwords' enabled? Please try enabling them if not.
That fixed it. Sorry to have caused you trouble over something that was my
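
An audit for the conditions this report involves, as an added example that is not part of the original thread: more than one account with UID 0, a password field that is empty or has no shadow entry behind it, and pam_unix loaded with nullok on the auth stack. The thread does not say what the reporter's passwd and shadow entries contained, so the account data below is constructed and the function names are hypothetical.

```python
# Added example. PASSWD and SHADOW are constructed sample data, not the
# reporter's files; the hash strings are placeholders.
PASSWD = """
root:x:0:0:root:/root:/bin/bash
system:x:0:0:root:/root:/bin/bash
findlay:x:2026:2000::/home/findlay:/bin/bash
"""
SHADOW = """
root:$1$PLACEHOLDER$placeholderhash:13000:0:99999:7:::
system::13000:0:99999:7:::
findlay:$1$PLACEHOLDER$placeholderhash:13000:0:99999:7:::
"""
# The pam_unix auth line as it appears in the system-auth file quoted above.
SYSTEM_AUTH = "auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok\n"

def records(text):
    """Colon-separated fields of each non-blank, non-comment line."""
    return [ln.split(":") for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")]

def pam_unix_nullok(pam_text):
    """True if an active auth line loads pam_unix.so with the nullok option."""
    for ln in pam_text.splitlines():
        tok = ln.split()
        if tok and tok[0] == "auth" and "nullok" in tok \
                and any(t.endswith("pam_unix.so") for t in tok):
            return True
    return False

def audit(passwd_text, shadow_text, pam_text):
    findings, uid0 = [], []
    shadow = {f[0]: f[1] for f in records(shadow_text) if len(f) > 1}
    for f in records(passwd_text):
        if len(f) < 7:
            continue                      # malformed entry, skip
        name, pw, uid = f[0], f[1], f[2]
        if uid == "0":
            uid0.append(name)
        if pw == "x":                     # password is held in shadow
            if name not in shadow:
                findings.append(("no-shadow-entry", name))
                continue
            pw = shadow[name]
        if pw == "":
            findings.append(("empty-password", name))
    if len(uid0) > 1:
        findings.append(("shared-uid-0", ",".join(uid0)))
    if pam_unix_nullok(pam_text):
        findings.append(("pam-unix-nullok", "auth"))
    return findings
```

On a live system the three arguments would be the contents of /etc/passwd, /etc/shadow and /etc/pam.d/system-auth, read as root.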