Bug 65678 - Danger: the 'su' command does not ask for root password
Summary: Danger: the 'su' command does not ask for root password
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: sh-utils
Version: 7.3
Hardware: i686
OS: Linux
medium
medium
Target Milestone: ---
Assignee: wdovlrrw
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2002-05-29 22:34 UTC by ThuBi
Modified: 2007-04-18 16:42 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2002-05-29 22:34:15 UTC
Embargoed:


Attachments (Terms of Use)

Description ThuBi 2002-05-29 22:34:09 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020513

Description of problem:
Beeing logged in as normal user (local or ssh, no matter), if I type 'su'
waiting for the system to prompt me to enter the root password, I get instantly
into the root account! The prompt becomes 'root@server' and I have full power.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.log in as normal user (local or remote)
2.type in console 'su'
3.you're root, without any problem
	

Actual Results:  Becoming root

Expected Results:  Asking for root password.

Additional info:

My computer: AMD Athlon, MB Via 133A
Install method: iso images downloaded, boot from floppy, install from harddisk

Comment 1 Bernhard Rosenkraenzer 2002-05-30 08:33:24 UTC
This certainly doesn't happen on any systems here. 
 
There are two things that might cause this: 
- Your root password is blank 
- Someone cracked your machine and replaced su with something else. 
 
You can verify the former by just typing passwd as root and resetting the 
password to something sane. 
 
You can verify the latter by typing "rpm -V sh-utils"

Comment 2 Bernhard Rosenkraenzer 2002-05-30 08:35:46 UTC
There are 2 more possibilities, even: 
 
- Your /etc/pam.de/su contains something along the lines of 
  auth sufficient /lib/security/pam_permit.so 
 
- Your normal user is user ID 0, su doesn't prompt user ID 0 for passwords 
  when su'ing to a different account.


Note You need to log in before you can comment on or make changes to this bug.