[Pkg-shadow-devel] Bug#336218: marked as done (su should not ask root for a password)

Debian Bug Tracking System owner at bugs.debian.org
Sat Oct 29 02:48:27 UTC 2005 

Your message dated Sat, 29 Oct 2005 04:46:35 +0200
with message-id <20051029024634.GA7104 at nekral.homelinux.net>
and subject line Bug#336218: su should not ask root for a password
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 28 Oct 2005 17:22:41 +0000
>From selecter at gmail.com Fri Oct 28 10:22:41 2005
Return-path: <selecter at gmail.com>
Received: from xproxy.gmail.com [66.249.82.205] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1EVXw8-0007lG-00; Fri, 28 Oct 2005 10:22:41 -0700
Received: by xproxy.gmail.com with SMTP id h30so22195wxd
        for <submit at bugs.debian.org>; Fri, 28 Oct 2005 10:22:39 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=beta; d=gmail.com;
        h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition;
        b=mc1wFnVgkVCfYnvS07zTHdwDMoOeHJccoA2AN9La0wBVO94hpZsdo39KWoRcbPf0RS8SpMcJ2HSYokzXUob+3gVGFvfmw/3fwsXDUFORYWgLhajsu9qwTXcVPNkdL1hj3QYri86tLi+MUt1ZVluI8SQa3L5rC60oIJDil+h5Q5o=
Received: by 10.65.193.9 with SMTP id v9mr269887qbp;
        Fri, 28 Oct 2005 10:22:39 -0700 (PDT)
Received: by 10.64.204.16 with HTTP; Fri, 28 Oct 2005 10:22:39 -0700 (PDT)
Message-ID: <39f0215a0510281022x4d8d1b6bo at mail.gmail.com>
Date: Fri, 28 Oct 2005 20:22:39 +0300
From: Anton <selecter at gmail.com>
To: submit at bugs.debian.org
Subject: su should not ask root for a password
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

Package: login
Version: 1:4.0.13-1

# LANG=3DC su anton
Password:
su: Permission denied
Sorry.

# LANG=3DC su ejabberd
Password:
su: Permission denied
Sorry.

---------------------------------------
Received: (at 336218-done) by bugs.debian.org; 29 Oct 2005 02:46:35 +0000
>From nicolas.francois at centraliens.net Fri Oct 28 19:46:35 2005
Return-path: <nicolas.francois at centraliens.net>
Received: from smtp6-g19.free.fr [212.27.42.36] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1EVgjq-00018V-00; Fri, 28 Oct 2005 19:46:35 -0700
Received: from nekral (gam75-2-82-224-24-210.fbx.proxad.net [82.224.24.210])
	by smtp6-g19.free.fr (Postfix) with ESMTP id 589AC9551
	for <336218-done at bugs.debian.org>; Sat, 29 Oct 2005 04:46:33 +0200 (CEST)
Received: from fzt by nekral with local (Exim 4.54)
	id 1EVgjr-00031n-72
	for 336218-done at bugs.debian.org; Sat, 29 Oct 2005 04:46:35 +0200
Date: Sat, 29 Oct 2005 04:46:35 +0200
From: Nicolas =?iso-8859-1?Q?Fran=E7ois?= <nicolas.francois at centraliens.net>
To: 336218-done at bugs.debian.org
Subject: Re: Bug#336218: su should not ask root for a password
Message-ID: <20051029024634.GA7104 at nekral.homelinux.net>
References: <39f0215a0510281037j2bc193b6m at mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="NzB8fVQJ5HfG6fxh"
Content-Disposition: inline
In-Reply-To: <39f0215a0510281037j2bc193b6m at mail.gmail.com>
User-Agent: Mutt/1.5.11
Delivered-To: 336218-done at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02


--NzB8fVQJ5HfG6fxh
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Hello,

This issue was fixed in 4.0.13-1.


It seems you also have this version.
Maybe you did not accept the changes for the /etc/pam.d/su file when you
installed this version.
(I attach the default file distributed in the Debian package to this mail).

The pam_rootok.so was raised to the first position.
(In comparison to your file, it also adds pam_env.so and pam_mail.so, and
pam_limits.so is commented by default)

If you're using unstable, 4.0.13-2 is available. You should be asked
to change your /etc/pam.d/su file when you will install this new package.

Kind Regards,
-- 
Nekral

--NzB8fVQJ5HfG6fxh
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=su

#
# The PAM configuration file for the Shadow `su' service
#

# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so

# Uncomment this to force users to be a member of group root
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "root" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth       required   pam_wheel.so

# Uncomment this if you want wheel members to be able to
# su without a password.
# auth       sufficient pam_wheel.so trust

# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth       required   pam_wheel.so deny group=nosu

# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on su usage.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# This module parses /etc/environment (the standard for setting
# environ vars) and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# 
# parsing /etc/environment needs "readenv=1"
session       required   pam_env.so readenv=1

# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session


# Defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user 
# also removes the user's mail spool file.
# See comments in /etc/login.defs
#
# "nopen" stands to avoid reporting new mail when su'ing to another user
session    optional   pam_mail.so nopen

# Sets up user limits, please uncomment and read /etc/security/limits.conf
# to enable this functionality.
# (Replaces the use of /etc/limits in old login)
# session    required   pam_limits.so

--NzB8fVQJ5HfG6fxh--

More information about the Pkg-shadow-devel mailing list