vulnerability in su?

krs at gaultopia.org krs at gaultopia.org
Sun Nov 9 06:26:52 PST 2003


On Sat, Nov 08, 2003 at 10:49:35PM -0800, Derrick Ryalls wrote:
> > 
> > while recently cvsup'ing my box here at home, i had a weird thing
> > happen...
> > 
> > i had already built world, built and installed the kernel, installed
> > world (including all appropriate reboots), and when i brought it back
> > up, but prior to running mergemaster, i popped the jumper on the
> > circuit the box is on.  my ups is somewhat wimpy, and only lasts a
> > couple minutes (the fuse trips all the time too.. stupid apartment
> > wiring can't handle 2 computers and the washer and dryer at once =P )
> > so i made it a priority to go ahead and shut the box down.  after
> > fixing said jumper and bringing the box back up i noticed that i could
> > now su like a madman, without ever being prompted for passwords.  i
> > then remembered that i hadn't run mergemaster yet, so i ran it again
> > and rebooted for safe measure and su started asking for passwords
> > again.
> > 
> 
> I think the only time this happens is if the root password is blank.  It
> is possible that one of your mergemaster runs put in the default root
> password (blank).
> 
> 
well, it wasn't just the root password...  for example i was able to log in to
one of my non-wheel accounts, su to my personal account (which is in wheel),
and then su right to root as well.  in addition, none of the passwords were
actually blank, because i actually plugged a monitor and keyboard into the box
and logged in locally as root, which required me to put my password in.  all
of my accounts did, in fact.

-kirt

