Date: Sun, 9 Nov 2003 09:26:48 -0500 From: krs@gaultopia.org To: freebsd-questions@freebsd.org Subject: Re: vulnerability in su? Message-ID: <20031109142648.GA2843@yttrium.gaultopia.org>
next in thread | raw e-mail | index | archive | help
On Sat, Nov 08, 2003 at 10:49:35PM -0800, Derrick Ryalls wrote: > > > > while recently cvsup'ing my box here at home, i had a weird > > thing happen... > > > > i had already built world, built and installed the kernel, > > installed world (including all > > appropriate reboots), and when i brought it back up, but > > prior to running mergemaster, i > > popped the jumper on the circuit the box is on. my ups is > > somewhat wimpy, and only lasts > > a couple minutes (the fuse trips all the time too.. stupid > > apartment wiring can't handle > > 2 computers and the washer and dryer at once =P ) so i made > > it a priority to go ahead and > > shut the box down. after fixing said jumper and bring the > > box back up i noticed that i > > could now su like a madman, without ever being prompted for > > passwords. i then remembered > > that i hadn't run mergemaster yet, so i ran it again and > > rebooted for safe measure and su > > started asking for passwords again. > > > > I think the only time this happens is if the root password is blank. It > is possible that one of your mergemaster runs put in the default root > password (blank). > > well, it wasn't just the root password... for example i was able to login to one of my non-wheel accounts, su to my personal account (which is in wheel), and then su right to root as well. in addition, none of the passwords were actually blank, because i actually plugged a monitor and keyboard into the box and logged in locally as root, which required me to put my password in. all of my accounts did, in fact. -kirt
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031109142648.GA2843>