Red Hat Bugzilla – Bug 65678
Danger: the 'su' command does not ask for root password
Last modified: 2007-04-18 12:42:48 EDT
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020513 Description of problem: Beeing logged in as normal user (local or ssh, no matter), if I type 'su' waiting for the system to prompt me to enter the root password, I get instantly into the root account! The prompt becomes 'root@server' and I have full power. Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1.log in as normal user (local or remote) 2.type in console 'su' 3.you're root, without any problem Actual Results: Becoming root Expected Results: Asking for root password. Additional info: My computer: AMD Athlon, MB Via 133A Install method: iso images downloaded, boot from floppy, install from harddisk
This certainly doesn't happen on any systems here. There are two things that might cause this: - Your root password is blank - Someone cracked your machine and replaced su with something else. You can verify the former by just typing passwd as root and resetting the password to something sane. You can verify the latter by typing "rpm -V sh-utils"
There are 2 more possibilities, even: - Your /etc/pam.de/su contains something along the lines of auth sufficient /lib/security/pam_permit.so - Your normal user is user ID 0, su doesn't prompt user ID 0 for passwords when su'ing to a different account.