vulnerability in su?

Derrick Ryalls ryallsd at
Sat Nov 8 22:47:46 PST 2003

> while recently cvsup'ing my box here at home, i had a weird 
> thing happen...
> i had already built world, built and installed the kernel, 
> installed world (including all 
> appropriate reboots), and when i brought it back up, but 
> prior to running mergemaster, i 
> popped the jumper on the circuit the box is on.  my ups is 
> somewhat wimpy, and only lasts 
> a couple minutes (the fuse trips all the time too.. stupid 
> apartment wiring can't handle 
> 2 computers and the washer and dryer at once =P ) so i made 
> it a priority to go ahead and 
> shut the box down.  after fixing said jumper and bring the 
> box back up i noticed that i 
> could now su like a madman, without ever being prompted for 
> passwords.  i then remembered 
> that i hadn't run mergemaster yet, so i ran it again and 
> rebooted for safe measure and su 
> started asking for passwords again.

I think the only time this happens is if the root password is blank.  It
is possible that one of your mergemaster runs put in the default root
password (blank).

More information about the freebsd-questions mailing list