Red Hat Bugzilla – Bug 65678
Danger: the 'su' command does not ask for root password
Last modified: 2007-04-18 12:42:48 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020513
Description of problem:
Being logged in as normal user (local or ssh, no matter), if I type 'su'
waiting for the system to prompt me to enter the root password, I get instantly
into the root account! The prompt becomes 'root@server' and I have full power.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. log in as normal user (local or remote)
2. type in console 'su'
3. you're root, without any problem
Actual Results: Becoming root
Expected Results: Asking for root password.
My computer: AMD Athlon, MB Via 133A
Install method: iso images downloaded, boot from floppy, install from harddisk
This certainly doesn't happen on any systems here.
There are two things that might cause this:
- Your root password is blank
- Someone cracked your machine and replaced su with something else.
You can verify the former by just typing passwd as root and resetting the
password to something sane.
You can verify the latter by typing "rpm -V sh-utils"
There are 2 more possibilities, even:
- Your /etc/pam.d/su contains something along the lines of
  auth sufficient /lib/security/pam_permit.so
- Your normal user is user ID 0, su doesn't prompt user ID 0 for passwords
when su'ing to a different account.
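
The checks suggested in the replies above, collected into one script as an added example (not part of the original bug thread). It assumes shadow passwords are in use and runs against a constructed sample tree; the function names are hypothetical, and the replaced-binary check stays `rpm -V sh-utils` on the live system.

```shell
#!/bin/sh
# Added example: audit a filesystem tree for three of the causes named in the thread.
# The fourth cause (a replaced su binary) is checked on a live system with: rpm -V sh-utils

# Print "root" if root's password field in the given shadow file is empty.
blank_root_password() {
    awk -F: '$1 == "root" && $2 == "" { print $1 }' "$1"
}

# Print every account other than root whose UID is 0 in the given passwd file.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print uncommented auth lines in a PAM service file that use pam_permit.so.
pam_permit_auth_lines() {
    awk '$1 == "auth" && $0 ~ /pam_permit\.so/ { print }' "$1"
}

# Run all three checks against the tree rooted at $1, one finding per line.
audit_su() {
    root=$1
    if [ -n "$(blank_root_password "$root/etc/shadow")" ]; then
        echo "FINDING: root has an empty password field in /etc/shadow"
    fi
    for u in $(extra_uid0_accounts "$root/etc/passwd"); do
        echo "FINDING: account '$u' has UID 0"
    done
    if [ -n "$(pam_permit_auth_lines "$root/etc/pam.d/su")" ]; then
        echo "FINDING: /etc/pam.d/su has an auth line using pam_permit.so"
    fi
    return 0
}

# Build a constructed sample tree (not data from the bug report) with all three problems.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/pam.d"
    printf '%s\n' 'root::11800:0:99999:7:::' \
        'alice:$1$constructed$hash:11800:0:99999:7:::' > "$d/etc/shadow"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:0:0::/home/alice:/bin/bash' > "$d/etc/passwd"
    printf '%s\n' '#%PAM-1.0' 'auth sufficient /lib/security/pam_rootok.so' \
        'auth sufficient /lib/security/pam_permit.so' \
        '#auth sufficient /lib/security/pam_permit.so' \
        'auth required /lib/security/pam_unix.so' > "$d/etc/pam.d/su"
    echo "$d"
}

sample=$(make_sample); audit_su "$sample"; rm -rf "$sample"
```

To audit the running system instead of the sample tree, call `audit_su ""` as root so that `/etc/shadow` is readable.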