Bug 65678 - Danger: the 'su' command does not ask for root password
Product: Red Hat Linux
Classification: Retired
Component: sh-utils
Hardware: i686 Linux
Priority: medium, Severity: medium
Assigned To: wdovlrrw
Ben Levenson
Keywords: Security
Reported: 2002-05-29 18:34 EDT by ThuBi
Modified: 2007-04-18 12:42 EDT (History)
Last Closed: 2002-05-29 18:34:15 EDT
Description ThuBi 2002-05-29 18:34:09 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020513

Description of problem:
Being logged in as normal user (local or ssh, no matter), if I type 'su'
waiting for the system to prompt me to enter the root password, I get instantly
into the root account! The prompt becomes 'root@server' and I have full power.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. log in as normal user (local or remote)
2. type in console 'su'
3. you're root, without any problem

Actual Results:  Becoming root

Expected Results:  Asking for root password.

Additional info:

My computer: AMD Athlon, MB Via 133A
Install method: iso images downloaded, boot from floppy, install from harddisk
Comment 1 Bernhard Rosenkraenzer 2002-05-30 04:33:24 EDT
This certainly doesn't happen on any systems here. 
There are two things that might cause this: 
- Your root password is blank 
- Someone cracked your machine and replaced su with something else. 
You can verify the former by just typing passwd as root and resetting the 
password to something sane. 
You can verify the latter by typing "rpm -V sh-utils"
Comment 2 Bernhard Rosenkraenzer 2002-05-30 04:35:46 EDT
There are 2 more possibilities, even: 
- Your /etc/pam.de/su contains something along the lines of 
  auth sufficient /lib/security/pam_permit.so 
- Your normal user is user ID 0, su doesn't prompt user ID 0 for passwords 
  when su'ing to a different account.
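
An added example, not part of the original bug thread or of sh-utils: a shell script that checks three of the causes named in comments 1 and 2 (an empty root password, a `pam_permit.so` auth line in the su PAM file, and a second account with UID 0). The function names and the sample file contents are constructed; on a real system the inputs would be `/etc/passwd`, `/etc/shadow` and `/etc/pam.d/su`.

```shell
#!/bin/sh
# Added example: audits the misconfigurations named in comments 1 and 2.
# Each function takes a file path, so it can run on copies of the real files.

# Accounts other than root with UID 0 (passwd(5): field 3 is the UID).
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose shadow(5) password field (field 2) is empty.
empty_password_accounts() {
    awk -F: 'NF >= 2 && $2 == "" { print $1 }' "$1"
}

# Active (non-comment) auth lines in a PAM service file that use pam_permit.so.
permissive_pam_auth() {
    awk '$1 == "auth" && /pam_permit\.so/' "$1"
}

# Write constructed sample files (not taken from the bug report) into dir $1.
write_samples() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'bob:x:0:0:constructed user:/home/bob:/bin/bash' \
        'alice:x:500:500::/home/alice:/bin/bash' > "$1/passwd"
    printf '%s\n' 'root::11836:0:99999:7:::' \
        'alice:$1$constructed$hash:11836:0:99999:7:::' > "$1/shadow"
    printf '%s\n' '#%PAM-1.0' \
        'auth sufficient /lib/security/pam_rootok.so' \
        'auth sufficient /lib/security/pam_permit.so' \
        '# auth sufficient /lib/security/pam_permit.so' > "$1/su"
}

# audit PASSWD SHADOW PAM_SU: print one line of findings per check.
audit() {
    echo "UID 0 besides root: $(extra_uid0_accounts "$1" | tr '\n' ' ')"
    echo "empty password:     $(empty_password_accounts "$2" | tr '\n' ' ')"
    echo "pam_permit in auth: $(permissive_pam_auth "$3")"
}

# Demo run on the constructed samples.
tmp=$(mktemp -d) && write_samples "$tmp" &&
    audit "$tmp/passwd" "$tmp/shadow" "$tmp/su"
rm -rf "$tmp"
```

The remaining cause, a replaced `su` binary, is the one comment 1 checks with `rpm -V sh-utils`.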
