# Any password works with su

## pbienst

Hmm, it seem I can su to any user (including root) by typing just a random passwd.

Ouch, this can't be the way it's supposed to be...

----------

## Utoxin

 :Shocked: 

That is indeed bad. Um... Anyone have any input on this? I've never heard of this problem.

----------

## jtanner

Incorrectly configured pam?  Empty password field in /etc/shadow? 

I'm just guessing....

Jim

----------

## pjp

Have you tried to use passwd to reset root's passwd?

----------

## pbienst

 *kanuslupus wrote:*   

> Have you tried to use passwd to reset root's passwd?

 

Doesn't help...

----------

## pbienst

 *jtanner wrote:*   

> Incorrectly configured pam?  Empty password field in /etc/shadow? 
> 
> I'm just guessing....
> 
> Jim

 

/etc/shadow doesn't have empty passwd fields, and the only one changing the pam configuration should be emerge...

----------

## jtanner

How about other programs?  Can you log in as any user with a random password?  Can you ssh/ftp/telnet to the box as any user with a random password?

Jim

----------

## klieber

Check your /etc/suauth file.  That controls the behavior of su.  man suauth for more information. 

--kurt

----------

## pjp

 *pbienst wrote:*   

>  ... and the only one changing the pam configuration should be emerge...

 

You are using PAM then?  Have you checked its configuration to ensure emerge didn't 

affect something?

----------

## pbienst

 *jtanner wrote:*   

> How about other programs?  Can you log in as any user with a random password?  Can you ssh/ftp/telnet to the box as any user with a random password?
> 
> Jim

 

I don't have any ssh/ftp or telnet daemons running currently, but I can login as any user with any password, not only through su.

----------

## pbienst

 *klieber wrote:*   

> Check your /etc/suauth file.  That controls the behavior of su.  man suauth for more information. 
> 
> --kurt

 

This file didn't exist. I created one containing

```
root:ALL EXCEPT GROUP wheel:DENY
```

Didn't fix the problem...[/code]

----------

## pbienst

 *kanuslupus wrote:*   

>  *pbienst wrote:*    ... and the only one changing the pam configuration should be emerge... 
> 
> You are using PAM then?  Have you checked its configuration to ensure emerge didn't 
> 
> affect something?

 

Well, a test I tried was creating a file /etc/nologin, which indeed disabled new logins, so it seems that that part of PAM at least is running

----------

## pbienst

I'm at the end of my rope here: I unmerge pam and pam-login and then remerged them. Still no succes.

This is my /etc/pam.d/login

```

#%PAM-1.0

auth       required     /lib/security/pam_securetty.so

auth       required     /lib/security/pam_stack.so service=system-auth

auth       required     /lib/security/pam_nologin.so

account    required     /lib/security/pam_stack.so service=system-auth

password   required     /lib/security/pam_stack.so service=system-auth

session    required     /lib/security/pam_stack.so service=system-auth

session    optional     /lib/security/pam_console.so

```

----------

## csnyder

Are you trying to su as root?  Root is allowed to su to any account without a password.

Though it shouldn't prompt for a password then...

----------

## pbienst

No, I can su TO root as any user without any passwd

----------

## klieber

At the risk of stating the obvious, something PAM-related is borked on your system.  You might check out the PAM mailing list or the PAM home page to see if you can find any other information there.

--kurt

----------

## klieber

Another suggestion -- set PAM to log to it's own log and turn up the verbosity.  Might give you some pointers on what is happening.

--kurt

----------

## shawnf

had this same problem. didnt have to enter a password or any password would work to login or su.



fixed it by recompiling pam with lower optimizations.
  


Side note I am using GCC3


-Shawn

----------

## pbienst

Yep, dropping the optimisation level to -O2 solved the problem.

I've filed this a bug report, because I suspect many people who are using gcc 3.1 as their compiler have this problem and might not even be aware of the fact that they have a gaping security hole.

----------

## pjp

 *pbienst wrote:*   

> Yep, dropping the optimisation level to -O2 solved the problem.
> 
> I've filed this a bug report, because I suspect many people who are using gcc 3.1 as their compiler have this problem and might not even be aware of the fact that they have a gaping security hole.

 

Wow... that seems very strange to me.

----------

## delta407

From the FAQ:

 *Quote:*   

> Very aggressive optimizations sometimes cause the compiler to streamline the assembly code to the point where it doesn't quite do the same thing anymore.

 

This seems to apply to this particular package in a very bad way.  :Wink:  Perhaps the PAM maintainer could force -O2 if -O3 is given?

----------

