# system allowing su to root from non-wheel



## chavez243ca (Nov 11, 2010)

I've discovered something a bit odd - created a user, started with them in the staff group.  I noticed that after I ssh'd in as this user I was able to su to root - so I removed them from staff and put them in guest - same behaviour.

I checked /etc/pam.d/su and compared against another system and it seems fine.



```
FreeBSD xxxxxxxx 7.2-RELEASE-p8 FreeBSD 7.2-RELEASE-p8 #0: Wed May 26 03:08:50 UTC 2010     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386
```


----------



## chavez243ca (Nov 11, 2010)

*additional detail*

contents of /etc/pam.d/su


```
# PAM configuration for the "su" service
#

# auth
auth            sufficient      pam_rootok.so           no_warn
auth            sufficient      pam_self.so             no_warn
auth            requisite       pam_group.so            no_warn group=wheel root_only fail_safe
auth            include         system

# account
account         include         system

# session
session         required        pam_permit.so
```


----------



## aragon (Nov 11, 2010)

Unable to reproduce on 7.1:


```
$ id
uid=1004(fsck) gid=20(staff) groups=20(staff)
$ su
su: Sorry
$ uname -a
FreeBSD x.geek.sh 7.1-RELEASE-p2 FreeBSD 7.1-RELEASE-p2 #0: Fri Feb  6 02:10:39 SAST 2009     root@x.geek.sh:/usr/src/sys/i386/compile/X  i386
```

Same goes for 8.1...

Maybe your PAM libraries have been modified?


----------



## luna (Nov 11, 2010)

Does *wheel* group even exist in /etc/group?

```
$ man pam_group
     fail_safe  If the specified group does not exist, or has no members, act
                as if it does exist and the applicant is a member.
```


----------



## chavez243ca (Nov 12, 2010)

Strange - I've created several accounts now to test this and they all can su. I did the same on a 7.3 box I have and it works as expected.

...rebuilding world


----------



## Savagedlight (Nov 12, 2010)

As luna posted: if the wheel group doesn't exist, or doesn't have any members, anyone has access to su.
Did you check if either of those conditions apply?


----------
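The decision luna and Savagedlight describe, as an added example that is not part of the thread: a small POSIX sh emulation of the pam_group(8) `fail_safe` rule run against constructed `/etc/group` contents, plus an audit helper that asks whether a given `/etc/pam.d/su` line would let a user who is in no group at all reach root. The group data, the user name `nobody-not-a-member` and the function names are assumptions made for this example; only explicit member-list membership is modelled, not membership through a user's primary gid in `/etc/passwd`.

```shell
#!/bin/sh
# Added example (not from the thread): emulate the pam_group(8) "fail_safe"
# decision against sample /etc/group contents and audit an /etc/pam.d/su line.
# Assumption/limitation: only explicit gr_mem membership is modelled, not
# membership via the user's primary gid from /etc/passwd.

# Constructed /etc/group samples (not taken from the original post).
GROUP_EMPTY_WHEEL='wheel:*:0:
staff:*:20:
guest:*:31:alice'

GROUP_POPULATED_WHEEL='wheel:*:0:root,bob
staff:*:20:
guest:*:31:alice'

# The pam_group line shipped in FreeBSD's /etc/pam.d/su, and the same line
# with fail_safe removed.
STOCK_LINE='auth requisite pam_group.so no_warn group=wheel root_only fail_safe'
HARDENED_LINE='auth requisite pam_group.so no_warn group=wheel root_only'

# group_members GROUPDATA GROUP
# Prints the member field of GROUP; exit status 1 if the group does not exist.
group_members() {
    printf '%s\n' "$1" | awk -F: -v g="$2" '
        $1 == g { print $4; found = 1 }
        END { exit !found }'
}

# pam_group_decision GROUPDATA USER GROUP FAILSAFE(yes|no)
# Prints "allow" or "deny", following the rule from pam_group(8): a missing or
# empty group counts as "applicant is a member" only when fail_safe is set.
pam_group_decision() {
    data=$1; user=$2; group=$3; failsafe=$4
    if members=$(group_members "$data" "$group") && [ -n "$members" ]; then
        case ",$members," in
            *",$user,"*) echo allow ;;
            *)           echo deny ;;
        esac
    elif [ "$failsafe" = yes ]; then
        echo allow      # the condition that bit the original poster
    else
        echo deny
    fi
}

# su_open_to_all GROUPDATA PAMLINE
# Prints "allow" if PAMLINE would let a user who is in no group at all reach
# root via su; "nobody-not-a-member" is a hypothetical user name.
su_open_to_all() {
    data=$1; pamline=$2
    group=$(printf '%s\n' "$pamline" | sed -n 's/.*group=\([^ ]*\).*/\1/p')
    if [ -z "$group" ]; then
        group=wheel     # pam_group(8) default when group= is omitted
    fi
    case " $pamline " in
        *" fail_safe "*) fs=yes ;;
        *)               fs=no ;;
    esac
    pam_group_decision "$data" nobody-not-a-member "$group" "$fs"
}

# Demo: the stock line with an empty wheel group lets anyone su.
printf 'empty wheel, stock line:     %s\n' "$(su_open_to_all "$GROUP_EMPTY_WHEEL" "$STOCK_LINE")"
printf 'empty wheel, no fail_safe:   %s\n' "$(su_open_to_all "$GROUP_EMPTY_WHEEL" "$HARDENED_LINE")"
printf 'populated wheel, stock line: %s\n' "$(su_open_to_all "$GROUP_POPULATED_WHEEL" "$STOCK_LINE")"
```

Note the trade-off the emulation makes visible: dropping `fail_safe` closes the hole, but with an empty wheel group it also denies su to every legitimate admin, so on a system like the one in this thread the practical fix is to keep wheel populated (and to re-check it after tools such as mergemaster touch /etc/group) rather than only editing the PAM line.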



## chavez243ca (Nov 12, 2010)

Yes - this issue appears to be the lack of entries in /etc/group for wheel - wheel did exist, but strangely was missing any members.  Noticed this when I ran mergemaster.

Thanks - solved.


----------

