Red Hat Bugzilla – Bug 77460
Security breach - Root password can be changed by normal user
Last modified: 2008-05-01 11:38:04 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020830
Description of problem:
An ordinary user can change the root password when he chooses 'system settings' and 'root password'.
Note: we have installed the package groups:
- System Group : all
- Server Group : Server Configuration Tool
Version-Release number of selected component (if applicable): 8.0
Steps to Reproduce:
3.and 'root password'
Actual Results: the normal user could change the root password
Expected Results: Well, a normal user should not be able to change the root
You have to type the current root password first, though.
Note that if you authenticate for one of the "system settings" items, the
authentication will be remembered for a few minutes, so you can run any of the
other items. The panel "notification area" should display an icon while you are
authenticated. You can run "pam_timestamp_check -k root" or click the icon
to drop the authentication. See "man pam_timestamp" and "man pam_timestamp_check".
Please confirm that you are asked to type the current root password, unless authentication is currently timestamped.
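As an added illustration (not part of the bug report, and not the distribution's own file), this is the PAM service stack that gives a "system settings" tool the timestamped behaviour described in the reply above, following the pattern in the pam_timestamp documentation; the service file name, the `system-auth` include and the shortened timeout value are assumptions.

```conf
# /etc/pam.d/<system-settings-tool>   (assumed service name, placeholder)
#
# 1. If a valid timestamp already exists for this user and tty (created by an
#    earlier successful authentication), grant access without prompting.
#    The module's default window is 300 seconds; timestamp_timeout shortens it
#    (60 seconds is an assumed value chosen to narrow the reuse window).
auth     sufficient  pam_timestamp.so timestamp_timeout=60 verbose
#
# 2. Otherwise fall through to the normal check: the current root password
#    must be typed (assumes the distribution's system-auth stack).
auth     include     system-auth
#
session  required    pam_unix.so
# 3. On a successful session, write or refresh the timestamp so the next
#    "system settings" item within the window is not prompted again.
session  optional    pam_timestamp.so
```

The timestamp can be inspected or discarded at any time with `pam_timestamp_check` (see the man page cited above); lowering `timestamp_timeout` is the configuration-side way to limit how long a cached root authentication stays usable.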