Red Hat Bugzilla – Bug 446488
CVE-2008-1946 /etc/pam.d/su is wrong in RHEL-4.6
Last modified: 2008-07-25 02:46:10 EDT
+++ This bug was initially created as a clone of Bug #446236 +++
The /etc/pam.d/su in coreutils-5.2.1-31.7 is wrong.
It contains line:
account sufficient /lib/security/$ISA/pam_succeed_if.so uid=0 use_uid quiet
This line should instead be:
account sufficient /lib/security/$ISA/pam_succeed_if.so uid = 0 use_uid quiet
Notice the spaces around '='. Unfortunately this means that the account check is
skipped in su for all accounts, regardless of who the calling user is (it should
be skipped for root only).
pam_succeed_if.so treats the uid=0 as an unknown option and skips it, and the
default outcome when no conditions are found on the command line of the module
is to succeed. I will make sure in PAM upstream that the module treats
unknown options as a failure condition, so that this or a similar thing will not go
unnoticed in the future.
The problem was originally noticed here:
The regression was created when fixing the bug:
partly my fault, because the original line without the spaces comes from my
comment in bug:
although Fedora and RHEL-5 contain the fixed line.
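The following is an added illustration, not code from Linux-PAM, coreutils or Red Hat's fix: a deliberately simplified model of how pam_succeed_if walks its argument list, as the comment above describes it, so the effect of the missing spaces can be reproduced offline. It shows that with `uid=0` the token becomes an unknown option, no condition is left to evaluate, and the `account sufficient` line succeeds for a caller with uid 1000 just as it does for root, whereas `uid = 0` fails for the non-root caller and lets the remaining account modules run. It also models the upstream change announced above (unknown option means failure) and includes a static check for /etc/pam.d lines with fused conditions. The flag and operator sets, the triple-based parser and the helper names `parse_args`, `pam_succeed_if`, `su_account_check_skipped` and `check_pam_line` are assumptions of this example, not the module's real code.

```python
"""Why `uid=0` (no spaces) silently disables a pam_succeed_if condition.

Added illustration, not Linux-PAM source: a simplified model of the
pam_succeed_if argument walk as the bug report describes it. Assumed (not
on the page): the FLAGS and OPERATORS sets, the `lhs op rhs` triple parser,
and all helper names below.
"""
import re

FLAGS = {"debug", "use_uid", "quiet", "quiet_fail", "quiet_success"}
OPERATORS = {"=", "!=", "<", "<=", ">", ">="}
PAM_LINE = re.compile(
    r"^\s*(auth|account|password|session)\s+\S+\s+\S*pam_succeed_if\.so\s*(.*)$")
# A token that looks like a condition written without spaces, e.g. 'uid=0'.
FUSED_CONDITION = re.compile(r"^[A-Za-z_]+(=|!=|<=|>=|<|>)\S+$")


def parse_args(args):
    """Walk the module argument list (modelled): flags are single tokens,
    conditions are `lhs op rhs` triples, anything else is an unknown option."""
    flags, conditions, unknown = [], [], []
    i = 0
    while i < len(args):
        tok = args[i]
        if tok in FLAGS:
            flags.append(tok)
            i += 1
        elif i + 2 < len(args) and args[i + 1] in OPERATORS:
            conditions.append((tok, args[i + 1], args[i + 2]))
            i += 3
        else:
            unknown.append(tok)  # 'uid=0' lands here: one token, no operator
            i += 1
    return flags, conditions, unknown


def pam_succeed_if(args, caller_uid, target_uid, strict=False):
    """Return 'success' or 'failure' (only the `uid` attribute is modelled).

    strict=False: unknown options are skipped, and with no conditions left
                  the module succeeds (the behaviour the report describes).
    strict=True:  an unknown option is itself a failure (the upstream change
                  the reporter announces)."""
    flags, conditions, unknown = parse_args(args)
    if unknown and strict:
        return "failure"
    uid = caller_uid if "use_uid" in flags else target_uid
    for lhs, op, rhs in conditions:
        if lhs != "uid":
            raise ValueError(f"attribute {lhs!r} not modelled")
        n = int(rhs)
        ok = {"=": uid == n, "!=": uid != n, "<": uid < n,
              "<=": uid <= n, ">": uid > n, ">=": uid >= n}[op]
        if not ok:
            return "failure"
    return "success"


def su_account_check_skipped(args, caller_uid):
    """For `account sufficient pam_succeed_if.so <args>` in /etc/pam.d/su:
    True if this caller satisfies the line, so the later account modules
    (lock/expiry checks on the target account) are never consulted."""
    return pam_succeed_if(args, caller_uid=caller_uid, target_uid=0) == "success"


def check_pam_line(line):
    """Static check for one /etc/pam.d line: return pam_succeed_if tokens that
    would be treated as unknown options but look like fused conditions."""
    m = PAM_LINE.match(line)
    if not m:
        return []
    _, _, unknown = parse_args(m.group(2).split())
    return [tok for tok in unknown if FUSED_CONDITION.match(tok)]


BROKEN = "uid=0 use_uid quiet".split()   # the coreutils-5.2.1-31.7 line
FIXED = "uid = 0 use_uid quiet".split()  # the intended line

if __name__ == "__main__":
    for uid in (0, 1000):
        print(f"caller uid {uid}: broken line passes={su_account_check_skipped(BROKEN, uid)} "
              f"fixed line passes={su_account_check_skipped(FIXED, uid)}")
    print(check_pam_line(
        "account sufficient /lib/security/$ISA/pam_succeed_if.so uid=0 use_uid quiet"))
```

Running the script prints that the broken line passes for both uid 0 and uid 1000 while the fixed line passes only for uid 0, and the static check reports `['uid=0']` for the shipped line. `check_pam_line` can be run over every line of an /etc/pam.d directory to catch the same mistake in other services; it only flags tokens that look like conditions, so ordinary flags such as `use_uid` are not reported.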
This issue was introduced in coreutils packages in Red Hat Enterprise Linux 4.6
and coreutils-5.2.1-31.7 is the only affected version.
This problem allows any local user to su to a disabled, locked or expired user
account, provided that the account password is known to the user running su.
This issue was addressed in:
Red Hat Enterprise Linux: