| Summary: | PAMized su allows non-wheel members to su root | ||
|---|---|---|---|
| Product: | Base System | Reporter: | sw <sw> |
| Component: | bin | Assignee: | Dag-Erling Smørgrav <des> |
| Status: | Closed FIXED | ||
| Severity: | Affects Only Me | ||
| Priority: | Normal | ||
| Version: | 5.0-CURRENT | ||
| Hardware: | Any | ||
| OS: | Any | ||
Description
sw
2001-04-06 10:20:01 UTC

Responsible Changed From-To: freebsd-bugs->markm
markm PAMized su.

On Fri, Apr 06, 2001 at 02:11:12AM -0700, sw@anthologeek.net wrote:
> >Number: 26375
> >Category: bin
> >Synopsis: PAMized su allows non-wheel members to su root

On our Redhat boxes we have to use:

```
auth required /lib/security/pam_wheel.so group=wheel use_uid
```

to get the BSD style behaviour for su. However, we don't have pam_wheel.so. Also, I think /var/run/nologin no longer works for rlogin and maybe some other programs, and we have no pam nologin module to fix this.

David.

On Fri, Apr 06, 2001 at 02:11:12AM -0700, sw@anthologeek.net wrote:
> Compiling su.c without NOPAM generates a binary that allows anyone to su root without the wheel-group check.
> >How-To-Repeat:
> # cd /usr/src/usr.bin/su
> # make
> # ./su <non-wheel-member-user>
> $ su
> Password:
> #

This is an intended feature of PAM; the "wheel" policy is now configurable in /etc/pam.conf. Check that you have the latest version of this file. In particular:

```
# "Standard" su(1) policy.
#su     auth      sufficient  pam_kerberosIV.so
#su     auth      sufficient  pam_krb5.so
su      auth      sufficient  pam_rootok.so
su      auth      requisite   pam_wheel.so        use_uid
su      auth      required    pam_unix.so         try_first_pass nullok
#su     account   required    pam_kerberosIV.so
#su     account   required    pam_krb5.so
su      account   required    pam_unix.so
#su     session   required    pam_kerberosIV.so
#su     session   required    pam_krb5.so
su      password  required    pam_permit.so
su      session   required    pam_permit.so
```

Note the pam_rootok and pam_wheel line, which enforces the "wheel" policy.

Kris

Responsible Changed From-To: markm->des
Over to Mr. PAM

State Changed From-To: open->closed
OBE
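A small audit check for the policy Kris describes, added here as an example and not part of the PR or of FreeBSD's own tooling: it parses pam.conf-style lines for the su service and reports when the auth stack lacks a required/requisite pam_wheel.so line, when a module other than pam_rootok.so is `sufficient` ahead of it, or when use_uid is missing. Both sample configurations are constructed; the second reproduces the stale-file state the report complains about.

```python
# Constructed sample: the "Standard" su(1) policy quoted in the report, comments removed.
SU_POLICY_OK = """\
su auth sufficient pam_rootok.so
su auth requisite pam_wheel.so use_uid
su auth required pam_unix.so try_first_pass nullok
su account required pam_unix.so
"""

# Constructed sample: a stale pam.conf with no pam_wheel line, the state the
# original report describes (anyone who knows the root password can su to root).
SU_POLICY_STALE = """\
su auth sufficient pam_rootok.so
su auth required pam_unix.so try_first_pass nullok
su account required pam_unix.so
"""

def parse_pam_conf(text):
    """Return (service, type, control, module, args) tuples from pam.conf-style text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        fields = line.split()
        if len(fields) < 4:
            continue
        service, mtype, control, module = fields[:4]
        entries.append((service, mtype.lower(), control.lower(), module, fields[4:]))
    return entries

def su_auth_problems(text, service="su"):
    """List findings for the service's auth stack; an empty list means wheel is enforced."""
    auth = [e for e in parse_pam_conf(text) if e[0] == service and e[1] == "auth"]
    problems = []
    wheel_idx = [i for i, e in enumerate(auth) if e[3].endswith("pam_wheel.so")]
    if not wheel_idx:
        return ["no pam_wheel.so line in the %s auth stack" % service]
    # A 'sufficient' module ahead of pam_wheel short-circuits the stack; only
    # pam_rootok (root itself needs no wheel check) is expected there.
    for _, _, control, module, _ in auth[:wheel_idx[0]]:
        if control == "sufficient" and not module.endswith("pam_rootok.so"):
            problems.append("%s is sufficient before pam_wheel.so" % module)
    for _, _, control, _, args in (auth[i] for i in wheel_idx):
        if control not in ("required", "requisite"):
            problems.append("pam_wheel.so control is %r, not required/requisite" % control)
        if "use_uid" not in args:
            problems.append("pam_wheel.so lacks use_uid (checks login name, not real uid)")
    return problems

if __name__ == "__main__":
    for name, conf in (("standard", SU_POLICY_OK), ("stale", SU_POLICY_STALE)):
        print(name, su_auth_problems(conf) or "wheel policy enforced")
```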
Responsible Changed From-To: freebsd-bugs->markm markm PAMized su. On Fri, Apr 06, 2001 at 02:11:12AM -0700, sw@anthologeek.net wrote: > >Number: 26375 > >Category: bin > >Synopsis: PAMized su allows non-wheel members to su root On our Redhat boxes we have to use: auth required /lib/security/pam_wheel.so group=wheel use_uid to get the BSD style behaviour for su. However, we don't have pam_wheel.so. Also, I think /var/run/nologin no longer works for rlogin and maybe some other programs, and we have no pam nologin module to fix this. David. On Fri, Apr 06, 2001 at 02:11:12AM -0700, sw@anthologeek.net wrote: > Compiling su.c without NOPAM, generate a binary that allows anyone to su root without the wheel-group check. > >How-To-Repeat: > # cd /usr/src/usr.bin/su > # make > # ./su <non-wheel-member-user> > $ su > Password: > # This is an intended feature of PAM; the "wheel" policy is now configurable in /etc/pam.conf. Check that you have the latest version of this file. In particular: # "Standard" su(1) policy. #su auth sufficient pam_kerberosIV.so #su auth sufficient pam_krb5.so su auth sufficient pam_rootok.so su auth requisite pam_wheel.so use_uid su auth required pam_unix.so try_first_pass nullok #su account required pam_kerberosIV.so #su account required pam_krb5.so su account required pam_unix.so #su session required pam_kerberosIV.so #su session required pam_krb5.so su password required pam_permit.so su session required pam_permit.so Note the pam_rootok and pam_wheel line, which enforces the "wheel" policy. Kris Responsible Changed From-To: markm->des Over to Mr. PAM State Changed From-To: open->closed OBE |