LinuxQuestions.org


amer_58 08-20-2005 07:31 PM

users can access root without being asked for a password
 
After solving a little problem that I had before, it seems that users can run "su" without being asked for a password.

Well, this is what I have done before:
chown user /etc/shadow /etc/passwd
chmod 740 /etc/shadow /etc/passwd

What I did up to now is this:

root@Admin:/home/moderator# chmod 740 /etc/passwd /etc/shadow
root@Admin:/dev# ls -l /etc/passwd /etc/shadow
-rwxr----- 1 root root 765 2005-08-20 11:31 /etc/passwd
-rwxr----- 1 root shadow 567 2005-08-20 11:41 /etc/shadow

But still users can access root without being asked for the root password. Any help?

saman007uk 08-20-2005 07:53 PM

Using su does not have ANY relation whatsoever to the /etc/passwd file. Users can become root because there is no root password set - set one. If you don't want a root password (which is discouraged), disable the SUID bit on it using the following command (this means that nobody can use su successfully, even if they know the password):

Code:

chmod u-s /bin/su

amer_58 08-20-2005 08:05 PM

I did change the password but still can access:

root@Admin:~# passwd
Changing password for root
Enter the new password (minimum of 5, maximum of 127 characters)
Please use a combination of upper and lower case letters and numbers.
New password:
Re-enter new password:
Password changed.
root@Admin:~# exit
exit
moderator@Admin:~$ su
root@Admin:/home/moderator#

saman007uk 08-20-2005 08:15 PM

Make sure the password is non-blank. If it doesn't work, remove the SUID bit.

Or, even remove the package that provides it or delete the binary.

btmiller 08-21-2005 12:56 AM

Also, check /etc/pam.d/pam.su (which controls authentication for su assuming you are using pluggable authentication modules, which you should be if you're using Debian or Ubuntu) and make sure that you don't have something set that just allows all access (post contents of the file if you can't decipher it, since it can be a bit tricky).
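
The checks suggested across this thread (blank password fields, PAM rules for su that let everyone in, the modes on /etc/passwd and /etc/shadow, the SUID bit on su), collected into one audit script as an added example that is not part of any post above. The function names, the `audit` argument and the default PAM path /etc/pam.d/su are assumptions of this example; pass the paths your system actually uses.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, the "audit" argument and
# the default paths are this example's assumptions. Needs GNU/busybox stat.

# Print accounts in a shadow-format file whose password field (2nd) is blank.
blank_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print auth lines of a PAM service file that can let a user in without a
# password: pam_permit.so, pam_wheel.so with "trust", pam_unix.so with nullok.
# pam_rootok.so is not flagged: it only lets root itself skip the prompt.
pam_passwordless_lines() {
    awk '$1 == "auth" || $1 == "-auth" {
        if ($0 ~ /pam_permit\.so/ ||
            ($0 ~ /pam_wheel\.so/ && $0 ~ /[ \t]trust([ \t]|$)/) ||
            ($0 ~ /pam_unix\.so/ && $0 ~ /[ \t]nullok/)) print
    }' "$1"
}

# Return 0 if FILE ($1) has permission bits outside the octal mask ALLOWED ($2).
has_extra_perms() {
    mode=$(stat -c %a "$1") || return 2
    [ $(( 0$mode & ~0$2 & 07777 )) -ne 0 ]
}

# Report findings; arguments override the default paths (run as root).
audit_su() {
    shadow=${1:-/etc/shadow}; pam=${2:-/etc/pam.d/su}; su_bin=${3:-/bin/su}
    for acct in $(blank_password_accounts "$shadow"); do
        echo "blank password field: $acct"
    done
    pam_passwordless_lines "$pam" | sed 's/^/passwordless PAM rule: /'
    # 644 and 640 are the usual Debian modes for these two files.
    has_extra_perms /etc/passwd 644 && echo "/etc/passwd is wider than 644"
    has_extra_perms "$shadow" 640 && echo "$shadow is wider than 640"
    [ -u "$su_bin" ] && echo "$su_bin has the SUID bit set (su needs it to work)"
    return 0
}

if [ "${1:-}" = "audit" ]; then
    audit_su
fi
```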

