From nobody@FreeBSD.org  Fri Apr  6 02:11:13 2001
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 6DB9037B449
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  6 Apr 2001 02:11:12 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f369BCp18452;
	Fri, 6 Apr 2001 02:11:12 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200104060911.f369BCp18452@freefall.freebsd.org>
Date: Fri, 6 Apr 2001 02:11:12 -0700 (PDT)
From: sw@anthologeek.net
To: freebsd-gnats-submit@FreeBSD.org
Subject: PAMized su allows non-wheel members to su root
X-Send-Pr-Version: www-1.0

>Number:         26375
>Category:       bin
>Synopsis:       PAMized su allows non-wheel members to su root
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    des
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 06 02:20:01 PDT 2001
>Closed-Date:    Tue Mar 29 12:02:33 GMT 2005
>Last-Modified:  Tue Mar 29 12:02:33 GMT 2005
>Originator:     Sameh Ghane
>Release:        5.0-CURRENT
>Organization:
>Environment:
FreeBSD core.pourIX.net 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Mon Apr  2 12:17:20 CEST 2001     root@core.pourIX.net:/usr/src/sys/compile/CORE  i386

>Description:
Compiling su.c without NOPAM, generate a binary that allows anyone to su root without the wheel-group check.
>How-To-Repeat:
# cd /usr/src/usr.bin/su
# make
# ./su <non-wheel-member-user>
$ su
Password:
#
>Fix:
Compiled with the NOPAM option disable PAM authentication, and disallows users to su root if they are not in group wheel.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->markm 
Responsible-Changed-By: dd 
Responsible-Changed-When: Sat Apr 28 20:16:01 PDT 2001 
Responsible-Changed-Why:  
markm PAMized su. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=26375 

From: David Malone <dwmalone@maths.tcd.ie>
To: sw@anthologeek.net
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/26375: PAMized su allows non-wheel members to su root
Date: Mon, 30 Apr 2001 10:21:42 +0100

 On Fri, Apr 06, 2001 at 02:11:12AM -0700, sw@anthologeek.net wrote:
 > >Number:         26375
 > >Category:       bin
 > >Synopsis:       PAMized su allows non-wheel members to su root
 
 On our Redhat boxes we have to use:
 
 auth       required     /lib/security/pam_wheel.so group=wheel use_uid
 
 to get the BSD style behaviour for su. However, we don't have
 pam_wheel.so. Also, I think /var/run/nologin no longer works for
 rlogin and maybe some other programs, and we have no pam nologin
 module to fix this.
 
 	David.

From: Kris Kennaway <kris@obsecurity.org>
To: sw@anthologeek.net
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/26375: PAMized su allows non-wheel members to su root
Date: Sun, 8 Jul 2001 14:33:42 -0700

 --ZGiS0Q5IWpPtfppv
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 
 On Fri, Apr 06, 2001 at 02:11:12AM -0700, sw@anthologeek.net wrote:
 
 > Compiling su.c without NOPAM, generate a binary that allows anyone to su root without the wheel-group check.
 > >How-To-Repeat:
 > # cd /usr/src/usr.bin/su
 > # make
 > # ./su <non-wheel-member-user>
 > $ su
 > Password:
 > #
 
 This is an intended feature of PAM; the "wheel" policy is now
 configurable in /etc/pam.conf.  Check that you have the latest version
 of this file.  In particular:
 
 # "Standard" su(1) policy.
 #su     auth    sufficient      pam_kerberosIV.so
 #su     auth    sufficient      pam_krb5.so
 su      auth    sufficient      pam_rootok.so
 su      auth    requisite       pam_wheel.so            use_uid
 su      auth    required        pam_unix.so             try_first_pass nullok
 #su     account required        pam_kerberosIV.so
 #su     account required        pam_krb5.so
 su      account required        pam_unix.so
 #su     session required        pam_kerberosIV.so
 #su     session required        pam_krb5.so
 su      password required       pam_permit.so
 su      session required        pam_permit.so
 
 Note the pam_rootok and pam_wheel line, which enforces the "wheel" policy.
 
 Kris
 
 --ZGiS0Q5IWpPtfppv
 Content-Type: application/pgp-signature
 Content-Disposition: inline
 
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.0.6 (FreeBSD)
 Comment: For info see http://www.gnupg.org
 
 iD8DBQE7SNG1Wry0BWjoQKURAue4AKDjfEWS6+xb+gK30M+MEzME3Ztc6ACeIa8k
 J1y8VgVSMnbh4aaeZTgJMKY=
 =zr9T
 -----END PGP SIGNATURE-----
 
 --ZGiS0Q5IWpPtfppv--
Responsible-Changed-From-To: markm->des 
Responsible-Changed-By: markm 
Responsible-Changed-When: Mon Mar 28 13:01:47 GMT 2005 
Responsible-Changed-Why:  
Over to Mr. PAM 

http://www.freebsd.org/cgi/query-pr.cgi?pr=26375 
State-Changed-From-To: open->closed 
State-Changed-By: des 
State-Changed-When: Tue Mar 29 12:02:32 GMT 2005 
State-Changed-Why:  
OBE 

http://www.freebsd.org/cgi/query-pr.cgi?pr=26375 
>Unformatted:
