Bug 446488 - (CVE-2008-1946) CVE-2008-1946 /etc/pam.d/su is wrong in RHEL-4.6
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Keywords: Regression, Security
Depends On: 446236
Reported: 2008-05-14 16:13 EDT by Josh Bressers
Modified: 2008-07-25 02:46 EDT (History)
Doc Type: Bug Fix
Last Closed: 2008-07-25 02:46:10 EDT
Description Josh Bressers 2008-05-14 16:13:02 EDT
+++ This bug was initially created as a clone of Bug #446236 +++

The /etc/pam.d/su in coreutils-5.2.1-31.7 is wrong.
It contains line:
account    sufficient   /lib/security/$ISA/pam_succeed_if.so uid=0 use_uid quiet

This line should instead be:
account    sufficient   /lib/security/$ISA/pam_succeed_if.so uid = 0 use_uid quiet

Notice the spaces around '='. Unfortunately this means that the account check is
skipped in su for all accounts regardless of who the calling user is (it should
be skipped for root only).

pam_succeed_if.so treats the uid=0 as an unknown option and skips it, and the
default outcome when no conditions are found on the command line of the module
is to succeed. I will make sure in PAM upstream that the module will treat
unknown options as a failure condition so this or a similar thing will not go
unnoticed in the future.

The problem was originally noticed here:

The regression was created when fixing the bug:
partially by my fault because the original line without the spaces comes from my
comment in bug:
although Fedora and RHEL-5 contain the fixed line.
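
A configuration check for the mistake described above, as an added example that is not part of the original bug report or of PAM: it flags pam_succeed_if lines whose arguments contain no complete field/test/value condition. The function name, the flag and test lists (taken from the module's documented options) and the sample input are assumptions made for illustration; the parsing is a simplified model, not the module's own logic.

```python
# Flag-style options documented for pam_succeed_if; every other argument
# should belong to a three-word condition: <field> <test> <value>.
FLAGS = {"debug", "use_uid", "quiet", "quiet_fail", "quiet_success", "audit"}
TESTS = {"<", "<=", "eq", ">=", ">", "ne", "=", "!=", "=~", "!~",
         "in", "notin", "ingroup", "notingroup", "innetgr", "notinnetgr"}


def audit_pam_succeed_if(config_text):
    """Return [(line_number, reason)] for pam_succeed_if lines that carry
    no well-formed condition and would therefore not test anything."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()
        # Locate the module token; it may be a bare name or a full path.
        idx = next((i for i, t in enumerate(tokens)
                    if t.endswith("pam_succeed_if.so")), None)
        if idx is None:
            continue
        words = [t for t in tokens[idx + 1:] if t not in FLAGS]
        complete, stray = 0, []
        while words:
            if len(words) >= 3 and words[1] in TESTS:
                complete += 1          # consumed one field/test/value triple
                words = words[3:]
            else:
                stray.append(words.pop(0))  # e.g. "uid=0" written as one word
        if stray:
            findings.append((lineno, "not part of any condition: " + " ".join(stray)))
        if complete == 0:
            findings.append((lineno, "no condition is evaluated"))
    return findings


# Constructed sample: the two lines quoted in the bug report.
SAMPLE = """\
# /etc/pam.d/su excerpt (constructed)
account    sufficient   /lib/security/$ISA/pam_succeed_if.so uid=0 use_uid quiet
account    sufficient   /lib/security/$ISA/pam_succeed_if.so uid = 0 use_uid quiet
"""

if __name__ == "__main__":
    for lineno, reason in audit_pam_succeed_if(SAMPLE):
        print(f"line {lineno}: {reason}")
```
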
Comment 1 Tomas Hoger 2008-06-04 10:14:04 EDT
This issue was introduced in coreutils packages in Red Hat Enterprise Linux 4.6
and coreutils-5.2.1-31.7 is the only affected version.

This problem allows any local user to su to a disabled / locked / expired user
account, provided that the account password is known to the user running su.
Comment 2 Mark J. Cox 2008-07-24 11:28:15 EDT
removing embargo
Comment 3 Red Hat Product Security 2008-07-25 02:46:10 EDT
This issue was addressed in:

Red Hat Enterprise Linux:
