| View previous topic :: View next topic |
| Author |
Message |
pbienst
Retired Dev
Joined: 29 May 2002
Posts: 70
Location: Belgium
|
 Posted: Wed Jun 26, 2002 12:30 pm Post subject: Any password works with su |
 |
|
Hmm, it seem I can su to any user (including root) by typing just a random passwd.
Ouch, this can't be the way it's supposed to be... |
|
| Back to top |
|
 |
Utoxin
Guru
Joined: 19 Apr 2002
Posts: 413
Location: American Fork, UT
|
| Posted: Wed Jun 26, 2002 2:55 pm Post subject: |
|
|
That is indeed bad. Um... Anyone have any input on this? I've never heard of this problem.
_________________
Gentoo:
1. A small fast penguin from Antarctica.
2. A small fast penguin on your computer.
Cool. |
|
| Back to top |
|
|
jtanner
Tux's lil' helper
Joined: 23 May 2002
Posts: 121
Location: Atlanta, GA
|
| Posted: Wed Jun 26, 2002 3:25 pm Post subject: |
|
|
Incorrectly configured pam? Empty password field in /etc/shadow?
I'm just guessing....
Jim |
|
| Back to top |
|
|
pjp
Administrator
Joined: 16 Apr 2002
Posts: 20589
|
| Posted: Wed Jun 26, 2002 5:02 pm Post subject: |
|
|
Have you tried to use passwd to reset root's passwd?
_________________
Quis separabit? Quo animo? |
|
| Back to top |
|
|
pbienst
Retired Dev
Joined: 29 May 2002
Posts: 70
Location: Belgium
|
| Posted: Wed Jun 26, 2002 5:13 pm Post subject: |
|
|
| kanuslupus wrote: | | Have you tried to use passwd to reset root's passwd? |
Doesn't help... |
|
| Back to top |
|
|
pbienst
Retired Dev
Joined: 29 May 2002
Posts: 70
Location: Belgium
|
| Posted: Wed Jun 26, 2002 5:15 pm Post subject: |
|
|
| jtanner wrote: | Incorrectly configured pam? Empty password field in /etc/shadow?
I'm just guessing....
Jim |
/etc/shadow doesn't have empty passwd fields, and the only one changing the pam configuration should be emerge... |
|
| Back to top |
|
|
jtanner
Tux's lil' helper
Joined: 23 May 2002
Posts: 121
Location: Atlanta, GA
|
| Posted: Wed Jun 26, 2002 5:36 pm Post subject: |
|
|
How about other programs? Can you log in as any user with a random password? Can you ssh/ftp/telnet to the box as any user with a random password?
Jim |
|
| Back to top |
|
|
klieber
Bodhisattva
Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA
|
| Posted: Wed Jun 26, 2002 5:38 pm Post subject: |
|
|
Check your /etc/suauth file. That controls the behavior of su. man suauth for more information.
--kurt
_________________
The problem with political jokes is that they get elected |
|
| Back to top |
|
|
pjp
Administrator
Joined: 16 Apr 2002
Posts: 20589
|
| Posted: Wed Jun 26, 2002 5:44 pm Post subject: |
|
|
| pbienst wrote: | | ... and the only one changing the pam configuration should be emerge... |
You are using PAM then? Have you checked its configuration to ensure emerge didn't
affect something?
_________________
Quis separabit? Quo animo? |
|
| Back to top |
|
|
pbienst
Retired Dev
Joined: 29 May 2002
Posts: 70
Location: Belgium
|
| Posted: Wed Jun 26, 2002 5:47 pm Post subject: |
|
|
| jtanner wrote: | How about other programs? Can you log in as any user with a random password? Can you ssh/ftp/telnet to the box as any user with a random password?
Jim |
I don't have any ssh/ftp or telnet daemons running currently, but I can login as any user with any password, not only through su. |
|
| Back to top |
|
|
pbienst
Retired Dev
Joined: 29 May 2002
Posts: 70
Location: Belgium
|
| Posted: Wed Jun 26, 2002 5:49 pm Post subject: |
|
|
| klieber wrote: | Check your /etc/suauth file. That controls the behavior of su. man suauth for more information.
--kurt |
This file didn't exist. I created one containing
| Code: | | root:ALL EXCEPT GROUP wheel:DENY |
Didn't fix the problem...[/code] |
|
| Back to top |
|
|
pbienst
Retired Dev
Joined: 29 May 2002
Posts: 70
Location: Belgium
|
| Posted: Wed Jun 26, 2002 5:50 pm Post subject: |
|
|
| kanuslupus wrote: | | pbienst wrote: | | ... and the only one changing the pam configuration should be emerge... |
You are using PAM then? Have you checked its configuration to ensure emerge didn't
affect something? |
Well, a test I tried was creating a file /etc/nologin, which indeed disabled new logins, so it seems that that part of PAM at least is running |
|
| Back to top |
|
|
pbienst
Retired Dev
Joined: 29 May 2002
Posts: 70
Location: Belgium
|
| Posted: Thu Jun 27, 2002 10:30 pm Post subject: |
|
|
I'm at the end of my rope here: I unmerge pam and pam-login and then remerged them. Still no succes.
This is my /etc/pam.d/login
| Code: |
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
|
|
|
| Back to top |
|
|
csnyder
n00b
Joined: 18 Jun 2002
Posts: 44
Location: Grand Rapids, MI
|
| Posted: Fri Jun 28, 2002 6:12 am Post subject: |
|
|
Are you trying to su as root? Root is allowed to su to any account without a password.
Though it shouldn't prompt for a password then... |
|
| Back to top |
|
|
pbienst
Retired Dev
Joined: 29 May 2002
Posts: 70
Location: Belgium
|
| Posted: Fri Jun 28, 2002 2:24 pm Post subject: |
|
|
| No, I can su TO root as any user without any passwd |
|
| Back to top |
|
|
klieber
Bodhisattva
Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA
|
| Posted: Fri Jun 28, 2002 4:04 pm Post subject: |
|
|
At the risk of stating the obvious, something PAM-related is borked on your system. You might check out the PAM mailing list or the PAM home page to see if you can find any other information there.
--kurt
_________________
The problem with political jokes is that they get elected |
|
| Back to top |
|
|
klieber
Bodhisattva
Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA
|
| Posted: Fri Jun 28, 2002 4:06 pm Post subject: |
|
|
Another suggestion -- set PAM to log to it's own log and turn up the verbosity. Might give you some pointers on what is happening.
--kurt
_________________
The problem with political jokes is that they get elected |
|
| Back to top |
|
|
shawnf
n00b
Joined: 23 Apr 2002
Posts: 8
Location: seattle,wa
|
| Posted: Sun Jun 30, 2002 8:43 pm Post subject: |
|
|
had this same problem. didnt have to enter a password or any password would work to login or su.
fixed it by recompiling pam with lower optimizations.
Side note I am using GCC3
-Shawn |
|
| Back to top |
|
|
pbienst
Retired Dev
Joined: 29 May 2002
Posts: 70
Location: Belgium
|
| Posted: Mon Jul 01, 2002 11:58 pm Post subject: |
|
|
Yep, dropping the optimisation level to -O2 solved the problem.
I've filed this a bug report, because I suspect many people who are using gcc 3.1 as their compiler have this problem and might not even be aware of the fact that they have a gaping security hole. |
|
| Back to top |
|
|
pjp
Administrator
Joined: 16 Apr 2002
Posts: 20589
|
| Posted: Tue Jul 02, 2002 12:51 am Post subject: |
|
|
| pbienst wrote: | Yep, dropping the optimisation level to -O2 solved the problem.
I've filed this a bug report, because I suspect many people who are using gcc 3.1 as their compiler have this problem and might not even be aware of the fact that they have a gaping security hole. |
Wow... that seems very strange to me.
_________________
Quis separabit? Quo animo? |
|
| Back to top |
|
|
delta407
Bodhisattva
Joined: 23 Apr 2002
Posts: 2876
Location: Chicago, IL
|
| Posted: Tue Jul 02, 2002 2:18 am Post subject: |
|
|
From the FAQ:
| Quote: | | Very aggressive optimizations sometimes cause the compiler to streamline the assembly code to the point where it doesn't quite do the same thing anymore. |
This seems to apply to this particular package in a very bad way.  Perhaps the PAM maintainer could force -O2 if -O3 is given? |
|
| Back to top |
|
|
|
Networking & Security
