http://bugzilla.novell.com/show_bug.cgi?id=556077#c0

Summary: su from root fails for locked accounts
Classification: openSUSE
Product: openSUSE 11.2
Version: Final
Platform: x86
OS/Version: openSUSE 11.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: kq8z67r6309fo9001@sneakemail.com
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.4) Gecko/20091016 SUSE/3.5.4-1.1.2 Firefox/3.5.4

In 11.2, su refuses to switch to any account which is locked/disabled (starts with "!" in /etc/shadow), even when run as root. This is at least quite different to previous versions, as well as every other *nix. It is probably also incorrect, as there does not seem to be any documentation of this fact in passwd(5), shadow(5), or su(1).

/etc/pam.d/su-l has:

    #%PAM-1.0
    auth     sufficient     pam_rootok.so
    auth     include        common-auth
    account  include        common-account
    password include        common-password
    session  include        common-session
    session  optional       pam_xauth.so

as before, so one would really believe this should work.

As many of the system/daemon accounts are "!", and at least some (e.g. postgres) must be su'd to from time to time, this does not work out well.

Replacing the su binary with an older version doesn't help, so the problem is probably occurring someplace else (pam_rootok?).

Reproducible: Always

Steps to Reproduce:
1. # su - postgres

Actual Results:
su: incorrect password

Expected Results:
postgres@host:~>
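
The following triage helpers are an added example, not part of the original report or of any openSUSE tooling. They classify shadow password fields to find the accounts the report describes as locked, and list which PAM management groups of the quoted su-l stack contain a pam_rootok.so line. The function names and the shadow sample are constructed for illustration; the PAM text is the stack quoted in the report.

```shell
#!/bin/sh
# Constructed shadow(5)-style sample; the hash strings are placeholders.
SAMPLE_SHADOW='root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:14500:0:99999:7:::
postgres:!:14500:0:99999:7:::
daemon:*:14500::::::
alice:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:14500:0:99999:7:::'

# The su-l PAM stack as quoted in the report.
SAMPLE_PAM='#%PAM-1.0
auth     sufficient     pam_rootok.so
auth     include        common-auth
account  include        common-account
password include        common-password
session  include        common-session
session  optional       pam_xauth.so'

# shadow_state USER: classify field 2 of USER's entry (shadow text on stdin).
# "locked" follows the report's definition: the field starts with "!".
shadow_state() {
    awk -F: -v u="$1" '
        $1 == u {
            found = 1
            if ($2 == "")                     print "empty"
            else if (substr($2, 1, 1) == "!") print "locked"
            else if ($2 == "*")               print "unusable"  # no valid hash
            else                              print "hash"
        }
        END { if (!found) print "absent" }'
}

# locked_accounts: names of all entries whose password field starts with "!".
locked_accounts() {
    awk -F: 'substr($2, 1, 1) == "!" { print $1 }' | tr '\n' ' ' | sed 's/ $//'
}

# pam_rootok_groups: management groups (auth, account, ...) that carry a
# pam_rootok.so line. PAM evaluates each group as a separate stack.
pam_rootok_groups() {
    awk '!/^[ \t]*#/ && $3 ~ /^pam_rootok\.so/ { print $1 }' |
        sort -u | tr '\n' ' ' | sed 's/ $//'
}

printf 'postgres: %s\n' "$(printf '%s\n' "$SAMPLE_SHADOW" | shadow_state postgres)"
printf 'locked accounts: %s\n' "$(printf '%s\n' "$SAMPLE_SHADOW" | locked_accounts)"
printf 'pam_rootok present in: %s\n' "$(printf '%s\n' "$SAMPLE_PAM" | pam_rootok_groups)"
```

On a live system the same functions can be fed from /etc/shadow (as root) and /etc/pam.d/su-l instead of the embedded samples.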