+++ This bug was initially created as a clone of Bug #446236 +++

The /etc/pam.d/su in coreutils-5.2.1-31.7 is wrong. It contains the line:

    account sufficient /lib/security/$ISA/pam_succeed_if.so uid=0 use_uid quiet

This line should instead be:

    account sufficient /lib/security/$ISA/pam_succeed_if.so uid = 0 use_uid quiet

Notice the spaces around '='. Unfortunately this means that the account check is skipped in su for all accounts, regardless of who the calling user is (it should be skipped for root only). pam_succeed_if.so treats the uid=0 as an unknown option and skips it, and the default outcome when no conditions are found on the command line of the module is to succeed. I will make sure in PAM upstream that the module will treat unknown options as a failure condition so this or a similar thing will not go unnoticed in the future.

The problem was originally noticed here: https://bugzilla.redhat.com/show_bug.cgi?id=445697

The regression was created when fixing the bug: https://bugzilla.redhat.com/show_bug.cgi?id=230286 partially through my fault, because the original line without the spaces comes from my comment in bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152420 although Fedora and RHEL-5 contain the fixed line.
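As an added illustration (not part of the bug report, and not code from the coreutils or Linux-PAM projects), the following POSIX shell script audits a pam.d file for pam_succeed_if lines whose arguments are malformed in the way described above: a condition must be three separate words ("uid = 0"), so a single word such as "uid=0" is neither a condition nor a known flag and leaves the line with no conditions at all. The list of flag names and operators is taken from pam_succeed_if(8); the sample files it writes are constructed for the demonstration.

```sh
#!/bin/sh
# Exit status: 0 if every pam_succeed_if line carries at least one well-formed
# condition and no unknown word, 1 otherwise (offending lines go to stderr).
check_pam_succeed_if() {
    awk '
    BEGIN { bad = 0 }
    /^[[:space:]]*#/ { next }                      # skip comment lines
    /pam_succeed_if\.so/ {
        start = NF + 1
        for (i = 1; i <= NF; i++)                  # arguments follow the module path
            if ($i ~ /pam_succeed_if\.so$/) { start = i + 1; break }
        conds = 0; unknown = ""
        for (i = start; i <= NF; i++) {
            # flags the module accepts; they carry no condition semantics
            if ($i ~ /^(debug|use_uid|quiet|quiet_fail|quiet_success|audit)$/) continue
            # a condition is "field operator value": three separate words
            if (i + 2 <= NF && $(i + 1) ~ /^(=|!=|<|<=|>|>=|=~|!~|eq|ne|lt|le|gt|ge|in|notin|ingroup|notingroup)$/) {
                conds++; i += 2; continue
            }
            unknown = unknown " " $i               # e.g. "uid=0" written without spaces
        }
        # no conditions at all means the module succeeds unconditionally
        if (conds == 0 || unknown != "") {
            bad = 1
            msg = (unknown == "") ? "no conditions" : "unknown option(s):" unknown
            printf("%s:%d: %s  [%s]\n", FILENAME, FNR, $0, msg) > "/dev/stderr"
        }
    }
    END { exit bad }' "$1"
}

# Constructed sample files (not real system files): the broken line from
# coreutils-5.2.1-31.7 and the corrected one with spaces around "=".
write_samples() {
    dir=$1
    printf '%s\n' '#%PAM-1.0' \
        'account sufficient /lib/security/$ISA/pam_succeed_if.so uid=0 use_uid quiet' \
        'account required /lib/security/$ISA/pam_unix.so' > "$dir/su.broken"
    printf '%s\n' '#%PAM-1.0' \
        'account sufficient /lib/security/$ISA/pam_succeed_if.so uid = 0 use_uid quiet' \
        'account required /lib/security/$ISA/pam_unix.so' > "$dir/su.fixed"
}
```

On a live system, run `check_pam_succeed_if /etc/pam.d/su` (or loop over /etc/pam.d/*) to flag any pam_succeed_if line that has degraded into an unconditional success.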
This issue was introduced in coreutils packages in Red Hat Enterprise Linux 4.6, and coreutils-5.2.1-31.7 is the only affected version. This problem allows any local user to su to a disabled, locked or expired user account, provided that the account password is known to the user running su.
removing embargo
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0780.html