Bug 275222

Summary: 14.0-RELEASE su gives root to all users without requesting a password
Product: Base System Reporter: iio7
Component: binAssignee: freebsd-bugs (Nobody) <bugs>
Status: Closed Not A Bug    
Severity: Affects Many People CC: lwhsu, tamelingdaniel
Priority: ---    
Version: 14.0-RELEASE   
Hardware: amd64   
OS: Any   

Description iio7 2023-11-21 03:58:01 UTC 
I have just upgraded a bunch of boxes from FreeBSD 13.2 to 14.0-RELEASE and have discovered that all users who types `su` at the terminal will get root access without being asked about a password and without being in the wheel group. This is the case on all boxes.
Comment 1 iio7 2023-11-21 05:17:37 UTC 
Sorry, they are in the wheel group, but they do NOT get asked for any password.
Comment 2 iio7 2023-11-21 05:22:27 UTC 
I have discovered that using `# passwd` creates a new password and then all users need to type in the password.

On the boxes I have just upgraded from 13.2 to 14.0, the root password has been "removed".
Comment 3 Daniel Tameling 2023-11-21 05:42:33 UTC 
When I upgraded there was a merge conflict for /etc/master.passwd. I had to keep the line for root from the old install as that had the password. The new line is the default without one:
  root::0:0::0:0:Charlie &:/root:/bin/sh
The password is the second column and it is empty and the man page says "If the password field is empty, no password will be required to gain access to the machine."
Did something similar happen for you and you used the new file?
Comment 4 iio7 2023-11-21 05:59:44 UTC 
(In reply to Daniel Tameling from comment #3)

Actually, yes it did!
Comment 5 Li-Wen Hsu freebsd_committer freebsd_triage 2023-11-21 06:03:26 UTC 
I think this one can be closed as "not a bug", if there is any further issues, please feel free to reopen this ticket. Thanks!
Comment 6 iio7 2023-11-21 06:08:43 UTC 
Yup. Sorry.