Bug 172846 - su does not prompt for password on copy of root
Product: Fedora
Classification: Fedora
Component: coreutils
i386 Linux
medium Severity medium
Assigned To: Tim Waugh
Duplicates: 172847 172848
Reported: 2005-11-10 10:32 EST by Bob Findlay
Modified: 2007-11-30 17:11 EST
Last Closed: 2005-11-14 11:43:02 EST
Description Bob Findlay 2005-11-10 10:32:51 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

Description of problem:
We have a 2nd "root" account called "system" which has the same uid/gid as root.  A normal user can su to system without giving a password.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. vipw    duplicate the root entry.  rename the 2nd on system
2. do the same in the shadow password
3. log in as a normal user
4. su - system


Actual Results:  
and no prompt for a password is given - you just become system

Expected Results:  should prompt for system password

Additional info:
Comment 1 Tim Waugh 2005-11-10 10:40:14 EST
*** Bug 172847 has been marked as a duplicate of this bug. ***
Comment 2 Tim Waugh 2005-11-10 10:40:24 EST
*** Bug 172848 has been marked as a duplicate of this bug. ***
Comment 3 Tim Waugh 2005-11-10 10:43:08 EST
No, I don't see that behaviour.

1. Have you altered any PAM configuration files?

2. What does 'rpm -V coreutils' say?
Comment 4 Bob Findlay 2005-11-10 11:09:11 EST
1. none
2. nothing at all
Comment 5 Tim Waugh 2005-11-10 11:21:40 EST
Please try these commands as your non-root user:

id -Gn
id system
id -Gn system
su - system

What is the output?
Comment 6 Bob Findlay 2005-11-10 11:37:23 EST
[findlay@jic4147 ~]$ id
uid=2026(findlay) gid=2000(comp) groups=2000(comp) 
[findlay@jic4147 ~]$ id -Gn
[findlay@jic4147 ~]$ id system
uid=0(system) gid=0(root) groups=0(root)
[findlay@jic4147 ~]$ id -Gn system
[findlay@jic4147 ~]$ su - system
[system@jic4147 ~]# id
uid=0(system) gid=0(root) groups=0(root) context=user_u:system_r:unconfined_t
Comment 7 Tim Waugh 2005-11-10 12:35:28 EST
Please attach these files:

Comment 8 Bob Findlay 2005-11-11 04:11:44 EST
[system@jic4147 ~]# cat /etc/pam.d/su
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session    required     /lib/security/$ISA/pam_selinux.so close
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session    required     /lib/security/$ISA/pam_selinux.so open multiple
session    optional     /lib/security/$ISA/pam_xauth.so

[system@jic4147 ~]# cat /etc/pam.d/system-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_smb_auth.so use_first_pass 
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
Comment 9 Tim Waugh 2005-11-11 11:57:24 EST
Please make a copy of your /etc/pam.d/system-auth file like this:

cp /etc/pam.d/system-auth $HOME/system-auth-backup

Then run the Authentication Configuration tool from the System
Settings->Authentication menu item.  Click on the Authentication tab and
deselect 'Enable Winbind Support'.  Click OK to exit the configuration tool.

Does the su problem still occur?  If so, please repeat the configuration change
but this time deselect SMB support and try su again.

Which configuration option makes a difference?
Comment 10 Bob Findlay 2005-11-14 07:10:05 EST
I disabled both and rebooted.  Didn't make any difference I'm afraid.

Although I had been experimenting with those options, so they might have 
something to do with the problem.

PS: su to root prompts for a password, as does su to any other username...
Comment 11 Tim Waugh 2005-11-14 07:34:55 EST
Okay.  Now open that configuration tool again and go to the authentication tab.
Do you have 'Shadow passwords' enabled?  Please try enabling them if not.
Comment 12 Bob Findlay 2005-11-14 08:29:53 EST
That fixed it.  Sorry to have caused you trouble over something that was my 
mistake :-(
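
An added audit example (not part of the original bug thread or of coreutils) for the account conditions this report touches on: a second UID 0 entry, and password fields that are empty, unshadowed or missing from the shadow file, which matter because the posted system-auth passes nullok to pam_unix.so. The function names, finding codes and sample entries are constructed for illustration; the thread does not say which of these conditions applied on the reporter's machine.

```shell
#!/bin/sh
# Added example: audit passwd/shadow data for extra UID 0 accounts and for
# password fields that let pam_unix "nullok" succeed without a prompt.
# Usage on a live host (as root): audit_accounts /etc/passwd /etc/shadow
# Finding codes (names chosen for this example):
#   DUP_UID0    account other than "root" with UID 0
#   EMPTY_PW    empty password field in passwd or in shadow
#   NO_SHADOW   passwd field is "x" but shadow has no entry for the user
#   UNSHADOWED  a hash is stored in passwd itself (shadow not in use)
audit_accounts() {
    awk -F: '
        FILENAME == ARGV[1] { hash[$1] = $2; next }   # first file: shadow
        /^#/ || NF < 7 { next }                       # skip comments, junk
        {
            user = $1; pw = $2; uid = $3
            if (uid == 0 && user != "root") print "DUP_UID0 " user
            if (pw == "")                   print "EMPTY_PW " user
            else if (pw == "x") {
                if (!(user in hash))        print "NO_SHADOW " user
                else if (hash[user] == "")  print "EMPTY_PW " user
            }
            else if (pw !~ /^[!*]/)         print "UNSHADOWED " user
        }
    ' "$2" "$1"
}

# Constructed sample data (not the reporter's files; hashes are placeholders).
sample_findings() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
system:x:0:0:root:/root:/bin/bash
findlay:x:2026:2000::/home/findlay:/bin/bash
legacy:$1$constructed$placeholder:500:500::/home/legacy:/bin/bash
EOF
    cat > "$d/shadow" <<'EOF'
root:$1$constructed$placeholder:13097:0:99999:7:::
system::13097:0:99999:7:::
EOF
    audit_accounts "$d/passwd" "$d/shadow"
    rm -rf "$d"
}

sample_findings
```

Any finding for a UID 0 account deserves review before trusting that su will prompt for that account's password.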
