# Su without password prompt in jail???



## mrxxxxrm (Oct 2, 2009)

Hi everybody,

At the beginning, sorry for my bad English.

I had a weird problem a few minutes ago, which I can't reproduce, but wanted to share with you.

I have a FreeBSD 7.2-RELEASE-p3 server with 2 jails on it, and both jails are running sshd. After configuring the first jail I logged in to it using ssh as a user; doing "su -" to root, I was prompted for a password and everything was fine. When I logged in to the second jail using sshd, doing "su -" gave me root without a password prompt!
Just to note, the main host and both jails have the same password, but anyway it should prompt for the root password.

After that I changed the root password in jail1 and then changed it back, and since then "su" is prompting for a password.

```
[user@jail1 ~]$ strace -s 128 su -
execve(0xbfbfe83c, [0xbfbfed10], [/* 0 vars */][root@jail1 ~]#
[root@jail1 ~]# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
[root@server ~]#

FreeBSD server.domain.com 7.2-RELEASE-p3 FreeBSD 7.2-RELEASE-p3 #4: Tue Sep 29 16:02:27 CEST 2009     root@server.domain.com:/usr/obj/usr/src/sys/KERNEL  i386

[root@jail1 ~]# bash --version
GNU bash, version 4.0.33(0)-release (i386-portbld-freebsd7.2)
```
I've been using FreeBSD and jails for years and never had such a problem. Has any of you had a problem like this?

Best regards,

M


----------



## vivek (Oct 2, 2009)

Maybe you forgot to set the root password for the jail's root user.


----------



## mrxxxxrm (Oct 2, 2009)

You are right, I probably forgot.

Moderator, please delete this thread.


----------



## anomie (Oct 2, 2009)

Actually, I don't think this thread should be deleted. It brings up a very good point. 

After following the steps in jail(8) to create a new jail, you should have set a root password. 

This is because the brand spanking new jail contains an /etc/master.passwd entry like this: 

```
root::0:0::0:0:Charlie &:/root:/bin/csh
```

No root password at all, which of course results in the behavior you noticed. 

So a password will need to be set, or at the very least, use vipw(8) to modify the entry like so: 

```
root:!:0:0::0:0:Charlie &:/root:/bin/csh
```

(That will not match any hash, so no one can su to root.)


----------
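A check that follows from the post above, as an added example that is not part of the original thread: it reports every account whose password field in a jail's `/etc/master.passwd` is empty. The function names, the jail-root arguments and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find empty password fields in
# master.passwd files under one or more jail roots.

# Print "file:user:uid" for each entry whose 2nd colon-separated field
# (the password hash) is empty. Comment and blank lines are skipped.
empty_pw_accounts() {
    awk -F: -v f="$1" '
        /^#/ || NF < 2 { next }
        $2 == "" { printf "%s:%s:%s\n", f, $1, $3 }
    ' "$1"
}

# Check etc/master.passwd under every jail root passed as an argument.
# Returns 1 if any empty-password account was found, 0 otherwise.
audit_jail_roots() {
    rc=0
    for root in "$@"; do
        pw="${root%/}/etc/master.passwd"
        [ -r "$pw" ] || { echo "skip: cannot read $pw" >&2; continue; }
        hits=$(empty_pw_accounts "$pw")
        if [ -n "$hits" ]; then
            echo "$hits"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample data: jail1 as freshly installed (empty root password),
# jail2 after the vipw(8) change to "!" described in the thread.
make_sample_jails() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/jailpw.XXXXXX")
    mkdir -p "$d/jail1/etc" "$d/jail2/etc"
    printf '%s\n' 'root::0:0::0:0:Charlie &:/root:/bin/csh' \
        'daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin' \
        > "$d/jail1/etc/master.passwd"
    printf '%s\n' 'root:!:0:0::0:0:Charlie &:/root:/bin/csh' \
        > "$d/jail2/etc/master.passwd"
    echo "$d"
}

sample=$(make_sample_jails)
audit_jail_roots "$sample/jail1" "$sample/jail2" || echo "empty password field found" >&2
rm -rf "$sample"
```

On a real host, run `audit_jail_roots` as root with the actual jail root directories as arguments, since `master.passwd` is readable only by root.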



## DutchDaemon (Oct 3, 2009)

I agree, that's why I left it here.


----------

