system allowing su to root from non-wheel

I've discovered something a bit odd - created a user, started with them in the staff group. I noticed that after I ssh'd in as this user I was able to su to root - so I removed them from staff and put them in guest - same behaviour.

I checked /etc/pam.d/su and compared against another system and it seems fine.


Code:
FreeBSD xxxxxxxx 7.2-RELEASE-p8 FreeBSD 7.2-RELEASE-p8 #0: Wed May 26 03:08:50 UTC 2010     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386
 
additional detail

contents of /etc/pam.d/su

Code:
# PAM configuration for the "su" service
#

# auth
auth            sufficient      pam_rootok.so           no_warn
auth            sufficient      pam_self.so             no_warn
auth            requisite       pam_group.so            no_warn group=wheel root_only fail_safe
auth            include         system

# account
account         include         system

# session
session         required        pam_permit.so
 
Unable to reproduce on 7.1:

Code:
$ id
uid=1004(fsck) gid=20(staff) groups=20(staff)
$ su
su: Sorry
$ uname -a
FreeBSD x.geek.sh 7.1-RELEASE-p2 FreeBSD 7.1-RELEASE-p2 #0: Fri Feb  6 02:10:39 SAST 2009     root@x.geek.sh:/usr/src/sys/i386/compile/X  i386

Same goes for 8.1...

Maybe your PAM libraries have been modified?
 
Does wheel group even exist in /etc/group?
Code:
$ man pam_group
     fail_safe  If the specified group does not exist, or has no members, act
                as if it does exist and the applicant is a member.
 
Strange - I've created several accounts now to test this and they all can su, did the same on a 7.3 box I have and it works as expected.

...rebuilding world
 
Yes - this issue appears to be the lack of entries in /etc/group for wheel - wheel did exist, but strangely was missing any members. Noticed this when I ran mergemaster.

Thanks - solved.
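The condition the thread ends up diagnosing (pam_group.so with fail_safe on the su service, combined with a wheel entry in /etc/group that has no members) is easy to audit. The script below is an added example, not code from this thread or from FreeBSD; it assumes the su PAM line has the shape quoted above (auth requisite pam_group.so ... fail_safe) and that wheel membership lives in the fourth colon-separated field of /etc/group. The sample files it writes are constructed for the demonstration; on a live system the check is simply audit_su /etc/group /etc/pam.d/su.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the combination the thread
# diagnoses (pam_group.so ... fail_safe plus a wheel group with no members).
# File paths are parameters so the check can run on constructed sample files
# as well as on a real /etc/group and /etc/pam.d/su.

# Print "missing" if GROUPFILE has no wheel entry, "empty" if the entry has
# no members (fourth field), otherwise "ok".
wheel_status() {
    groupfile=$1
    line=$(grep '^wheel:' "$groupfile") || { echo missing; return 0; }
    members=$(printf '%s\n' "$line" | head -n 1 | cut -d: -f4)
    if [ -z "$members" ]; then
        echo empty
    else
        echo ok
    fi
}

# Succeed (exit 0) when the su PAM file's pam_group auth line carries fail_safe.
su_uses_fail_safe() {
    grep -E '^auth[[:space:]]+requisite[[:space:]]+pam_group\.so.*fail_safe' "$1" >/dev/null 2>&1
}

# Print "RISK" when fail_safe is set and wheel is missing or empty, which is
# exactly the state in which pam_group treats every applicant as a member;
# otherwise print "OK".
audit_su() {
    groupfile=$1
    pamfile=$2
    status=$(wheel_status "$groupfile")
    if [ "$status" != ok ] && su_uses_fail_safe "$pamfile"; then
        echo RISK
    else
        echo OK
    fi
}

# Write constructed sample files into DIR: the auth section of the su PAM
# file as quoted in the thread, a wheel entry with no members, and a healthy
# one with root as a wheel member.
make_samples() {
    dir=$1
    cat >"$dir/pam_su" <<'EOF'
auth            sufficient      pam_rootok.so           no_warn
auth            sufficient      pam_self.so             no_warn
auth            requisite       pam_group.so            no_warn group=wheel root_only fail_safe
auth            include         system
EOF
    printf 'wheel:*:0:\nstaff:*:20:\n' >"$dir/group_empty"
    printf 'wheel:*:0:root\nstaff:*:20:\n' >"$dir/group_ok"
}

# Demonstration on the constructed samples (run as: sh audit_su.sh demo).
# On a live box use:  audit_su /etc/group /etc/pam.d/su
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    make_samples "$tmp"
    echo "empty wheel:     $(audit_su "$tmp/group_empty" "$tmp/pam_su")"
    echo "wheel with root: $(audit_su "$tmp/group_ok" "$tmp/pam_su")"
    rm -rf "$tmp"
fi
```

When the audit reports RISK, the fix that matches the thread's resolution is to restore the intended members of wheel in /etc/group (root, plus whichever administrators should be allowed to su), not to drop fail_safe: fail_safe exists so that a damaged group file does not lock everyone out of root, and the empty wheel entry is the actual defect.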
 