Can't su to user with blank password

I'm pretty sure this used to work. I'm not sure when it stopped working, but I suspect it was when I upgraded to 10.5.

I can no longer su to an account that has no password. I can su just fine to accounts that have passwords, but when I try to su to the passwordless accounts I just get "su: Sorry". I'm just hitting Enter when su prompts me for the password.

All I can find in the logs when I attempt the su is "pam_authenticate: Authentication failure" in secure.log.

I took a look at /etc/pam.d/su, but I'm really not up to speed on how pam works, exactly. Anyway, that file looks like this:

# su: auth account session
auth sufficient pam_rootok.so
auth required pam_wheel.so use_uid group=admin group=wheel
auth sufficient pam_securityserver.so
auth sufficient pam_unix.so
auth required pam_deny.so
account required pam_permit.so
session required pam_permit.so

Is there anything in there saying "don't allow su for accounts with no password"? I'm guessing not, since there's no "password" line in there, but maybe one of those "auth" ones is stopping it. The accounts I can't su to are non-admin accounts, but one of the accounts (with a password) that I can su to is also a non-admin account.

Is this something that was disabled at some point? As I said, I'm almost positive I could su to these passwordless accounts before.

Thanks.


iMac, Mac OS X (10.5.1)

Posted on Dec 6, 2007 1:29 PM

9 replies

Dec 6, 2007 6:15 PM in response to jfleming

I can't say why it doesn't work, other than it's a really bad idea to have any account on the machine with no password and I truly HOPE that the OS is smart enough to lock out that account as a result.

Why do you need an account on the machine with no password? What do you think you're gaining by doing that? (and, more importantly, what do you think you gain that outweighs the risks?)

Dec 6, 2007 7:05 PM in response to Camelot

Camelot wrote:
I can't say why it doesn't work, other than it's a really bad idea to have any account on the machine with no password and I truly HOPE that the OS is smart enough to lock out that account as a result.


What are you on about? Lock out the account because it doesn't have a password? If you hope the OS is that "smart", why would it let me create an account with no password in the first place?

Why do you need an account on the machine with no password? What do you think you're gaining by doing that? (and, more importantly, what do you think you gain that outweighs the risks?)


Well, that way I don't have to type in a password when I log in. I would have thought that would be obvious. Can you explain to me why my non-admin account on my home computer needs a password? What do you perceive the risks to be, exactly?

Wait a minute, you do know what "su" is, right? You don't think I'm talking about "sudo", do you?

Dec 6, 2007 10:15 PM in response to jfleming

Well, that way I don't have to type in a password when I log in


So why not set the system to automatically log you in when the machine boots? You can do this via System Preferences -> Accounts -> Login options.

If you're accessing the system remotely, which protocol are you using? Some, like SSH, offer key-based login so that you can log in without a password. Others, like AFP, will use the keychain on the client to record the password.

Can you explain to me why my non-admin account on my home computer needs a password


Have you ever heard of a buffer overflow? It's the commonest vector used by hackers to compromise systems into running code they're not supposed to be able to. By giving remote users access to your machine without a password you're removing the first (and often the hardest) barrier.
And before you say no one else can log into your machine, are you sure of that? Are you using a wireless network? what about other users on your LAN? Do you ever browse the web? (of course you do), what about playing QuickTime movies (there's a recently discovered exploit in QuickTime).
Sure, Macs are generally more secure than certain other operating systems, but they're not immune, and some of that security is based on the premise that you need a password to log into the system.

Wait a minute, you do know what "su" is, right? You don't think I'm talking about "sudo", do you?


Yes, I know the difference.

Dec 6, 2007 11:43 PM in response to Camelot

Camelot wrote:
Have you ever heard of a buffer overflow? It's the commonest vector used by hackers to compromise systems into running code they're not supposed to be able to. By giving remote users access to your machine without a password you're removing the first (and often the hardest) barrier.


OK, well, maybe a misunderstanding occurred here. Remote users can't access my machine without a password. There is only one user that is allowed to SSH in and that user does have a (strong) password. I also have sshd running on a non-standard port (and I am aware of the old "security by obscurity" saw, but active hackers are a lot rarer than passive ones, in my experience, and it cuts down on junk in my log files). The SSH user is not a privileged user. When I SSH in as that user, I can then su to a privileged user (with a password), but I would also like to be able to su to non-privileged users (without passwords). I'm pretty sure this used to work, but it doesn't anymore.

And before you say no one else can log into your machine, are you sure of that? Are you using a wireless network?


Yes, a closed one using WPA2 and MAC address access control.

what about other users on your LAN?


There are none.

Do you ever browse the web? (of course you do), what about playing QuickTime movies (there's a recently discovered exploit in QuickTime).


I'm not sure how having a password on my account would protect me from QuickTime or web-based exploits. Do they prompt you for a password before they exploit you? 🙂 I don't mean to sound snarky, I'm truly ignorant. Would a password protect me from a QuickTime zero-day?

Wait a minute, you do know what "su" is, right? You don't think I'm talking about "sudo", do you?


Yes, I know the difference.


OK, I was just checking. I thought maybe you were thinking I had an sudoer with no password. That would obviously be very foolish.

I appreciate your concerns, but I'm pretty confident that I'm not going to get hacked, and if I do, it won't be because there's no password on my everyday, non-privileged, no-direct-remote-access account. So, anybody have any input on the su issue? Or am I the only fool out there without a password? 😉

Dec 7, 2007 4:36 AM in response to jfleming

I think that it's the pam_wheel.so line that appears to be keeping this from working.

from pam_wheel(8)

Wheel Authentication Module
The Wheel authentication component (pam_sm_authenticate()), permits
authentication to members of a group, which defaults to ``wheel''.

group=foo    checking for membership of group foo instead of the default
             group ``wheel''.

found at:

http://www.opensource.apple.com/darwinsource/10.5/pam_modules-35/pam_wheel/

just my 2¢
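Neither the question nor the pam_wheel reply spells out how the control flags in that /etc/pam.d/su file combine, so here is an added example (not Apple's code, and not something from the thread) that walks the posted stack under the standard PAM rules: a failed "required" module is remembered but later modules still run, a failed "requisite" aborts at once, and a successful "sufficient" ends the stack only if no earlier "required" module failed. What each module would actually return (whether the caller is root, whether the caller is in the group pam_wheel checks, whether pam_unix accepts an empty password) is an input you supply, labelled as an assumption in su_verdicts(); the model does not decide how the two group= arguments on the pam_wheel line are resolved, it just takes a single membership boolean.

```python
from typing import Dict, List, Tuple

# The /etc/pam.d/su stack quoted in the question, copied as posted.
SU_STACK = """\
# su: auth account session
auth sufficient pam_rootok.so
auth required pam_wheel.so use_uid group=admin group=wheel
auth sufficient pam_securityserver.so
auth sufficient pam_unix.so
auth required pam_deny.so
account required pam_permit.so
session required pam_permit.so
"""

Rule = Tuple[str, str, List[str]]  # (control flag, module, module args)


def parse_stack(text: str, facility: str = "auth") -> List[Rule]:
    """Return the rules of one facility (auth/account/...) in file order."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[0] == facility:
            rules.append((fields[1], fields[2], fields[3:]))
    return rules


def run_stack(rules: List[Rule], verdicts: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk a stack top to bottom under the usual control-flag semantics.

    verdicts maps a module file name to what that module would return
    (True = PAM_SUCCESS); a module with no entry is treated as failing.
    Returns (authenticated, human-readable trace)."""
    failed_required = False
    saw_success = False
    trace: List[str] = []
    for control, module, _args in rules:
        ok = verdicts.get(module, False)
        saw_success = saw_success or ok
        trace.append(f"{control:<10} {module:<22} -> {'ok' if ok else 'fail'}")
        if control == "requisite" and not ok:
            trace.append("requisite failed: stack aborted immediately")
            return False, trace
        if control == "required" and not ok:
            failed_required = True  # remembered; later modules still run
        elif control == "sufficient" and ok and not failed_required:
            trace.append("sufficient succeeded, no earlier required failure: done")
            return True, trace
        # a failed 'sufficient' or any 'optional' result decides nothing here
    return (saw_success and not failed_required), trace


def su_verdicts(caller_is_root: bool, caller_in_wheel_group: bool,
                unix_accepts: bool) -> Dict[str, bool]:
    """Per-module outcomes for one su attempt.  These are modelling
    assumptions, not measurements of the real modules:
      pam_rootok          ok only when the *calling* user is root
      pam_wheel (use_uid) ok when the calling user is in the configured group
      pam_securityserver  modelled as failing so that pam_unix decides
      pam_unix            whatever the caller passes in
      pam_deny            always fails (that is its purpose)"""
    return {
        "pam_rootok.so": caller_is_root,
        "pam_wheel.so": caller_in_wheel_group,
        "pam_securityserver.so": False,
        "pam_unix.so": unix_accepts,
        "pam_deny.so": False,
    }


if __name__ == "__main__":
    rules = parse_stack(SU_STACK)
    scenarios = [
        ("root calling su", su_verdicts(True, False, False)),
        ("group member, pam_unix accepts", su_verdicts(False, True, True)),
        ("group member, pam_unix rejects", su_verdicts(False, True, False)),
        ("non-member, pam_unix accepts", su_verdicts(False, False, True)),
    ]
    for label, verdicts in scenarios:
        ok, trace = run_stack(rules, verdicts)
        print(f"{label}: {'authenticated' if ok else 'su: Sorry'}")
        for step in trace:
            print("   ", step)
```

Two of the traces are the interesting ones: a caller outside the pam_wheel group fails even when pam_unix says yes, because the "required" failure is carried to the end of the stack and pam_deny finishes it; a caller inside the group still fails when pam_unix rejects, for the same reason. Either path ends in the "Authentication failure" line the original poster sees in secure.log, so the log alone does not say which module said no.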

Dec 7, 2007 9:45 AM in response to jfleming

Remote users can't access my machine without a password


Are you sure?
How are you controlling that?

By default, when you turn on SSH, any account on the system (at least that has a valid shell) can log in.

There are ways of locking it down to specific users, but you have to go out of your way to do so, and ensure that your changes are retained through software updates.
I still maintain it's an unwise choice.
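Camelot's point is that with SSH switched on and no AllowUsers line, every account with a login shell is a candidate, and the original poster's counter is that only one account is permitted. The following added example (mine, not Apple's or OpenSSH's code) audits which local accounts could reach a shell over SSH with a password under a given sshd_config. It models only rules I am sure of: DenyUsers is checked before AllowUsers, AllowUsers/DenyUsers entries are glob patterns that accumulate across lines, the first value of any other keyword wins, PermitEmptyPasswords defaults to no and PasswordAuthentication to yes, and an account whose shell is /usr/bin/false or similar never gets a prompt. The passwd-style account text is constructed (Mac OS X 10.5 keeps local accounts in Directory Services, so this is a stand-in), the host part of user@host patterns is ignored, and key-based login is out of scope.

```python
import fnmatch
from typing import Any, Dict, List, Tuple

# Constructed stand-in for the local account database
# (name:password:uid:gid:gecos:home:shell).  An empty password field means
# "no password set"; "*" means no password login is possible at all.
PASSWD = """\
root:*:0:0:System Administrator:/var/root:/bin/sh
_www:*:70:70:World Wide Web Server:/Library/WebServer:/usr/bin/false
remote:$1$saltsalt$hashhashhashhashhash:501:20:SSH User:/Users/remote:/bin/bash
everyday::502:20:Everyday User:/Users/everyday:/bin/bash
adminuser:$1$saltsalt$hashhashhashhashhash:503:80:Admin:/Users/adminuser:/bin/bash
"""

# Shells that end the session before a prompt appears.
NOLOGIN_SHELLS = {"/usr/bin/false", "/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# An sshd_config with no Allow/Deny lines: every account is eligible.
DEFAULT_SSHD_CONFIG = """\
Port 22
PasswordAuthentication yes
"""

# The same service restricted to one account, as the original poster describes.
HARDENED_SSHD_CONFIG = """\
Port 2022
AllowUsers remote
PermitEmptyPasswords no
"""


def parse_passwd(text: str) -> Dict[str, Tuple[str, str]]:
    """name -> (password field, login shell)."""
    accounts: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        accounts[f[0]] = (f[1], f[6])
    return accounts


def parse_sshd_config(text: str) -> Dict[str, Any]:
    """Pull out the options this audit needs, using sshd's own rules:
    keywords are case-insensitive, the first value of a keyword wins,
    AllowUsers/DenyUsers lines accumulate."""
    cfg: Dict[str, Any] = {
        "allowusers": [], "denyusers": [],
        "permitemptypasswords": False,   # sshd default: no
        "passwordauthentication": True,  # sshd default: yes
    }
    seen = set()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ").split()
        if not parts:
            continue
        key, values = parts[0].lower(), parts[1:]
        if key in ("allowusers", "denyusers"):
            cfg[key].extend(values)
        elif key in ("permitemptypasswords", "passwordauthentication") and key not in seen:
            seen.add(key)
            cfg[key] = values[0].lower() == "yes"
    return cfg


def _matches(user: str, patterns: List[str]) -> bool:
    """Allow/Deny entries are globs, optionally user@host; host part ignored here."""
    return any(fnmatch.fnmatchcase(user, p.split("@", 1)[0]) for p in patterns)


def password_login_allowed(user: str, accounts: Dict[str, Tuple[str, str]],
                           cfg: Dict[str, Any]) -> Tuple[bool, str]:
    """Could `user` reach a shell over SSH with a password under this config?"""
    password, shell = accounts[user]
    if shell in NOLOGIN_SHELLS:
        return False, f"login shell {shell} ends the session"
    if _matches(user, cfg["denyusers"]):          # DenyUsers is checked first
        return False, "listed in DenyUsers"
    if cfg["allowusers"] and not _matches(user, cfg["allowusers"]):
        return False, "not listed in AllowUsers"
    if password == "*":
        return False, "no usable password"
    if not cfg["passwordauthentication"]:
        return False, "PasswordAuthentication no"
    if password == "" and not cfg["permitemptypasswords"]:
        return False, "empty password and PermitEmptyPasswords is no"
    return True, "password login possible"


def audit(passwd_text: str, sshd_config_text: str) -> Dict[str, Tuple[bool, str]]:
    accounts = parse_passwd(passwd_text)
    cfg = parse_sshd_config(sshd_config_text)
    return {u: password_login_allowed(u, accounts, cfg) for u in sorted(accounts)}


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_SSHD_CONFIG), ("AllowUsers", HARDENED_SSHD_CONFIG)):
        print(f"== sshd_config: {label}")
        for user, (ok, why) in audit(PASSWD, text).items():
            print(f"  {user:10} {'CAN' if ok else 'cannot':6} log in: {why}")
```

With the default file both "remote" and "adminuser" can log in, which is Camelot's point; the passwordless "everyday" account is refused by sshd's PermitEmptyPasswords default even then. With the AllowUsers line only "remote" survives, which is the original poster's setup. Whether a software update preserves that line is a separate question the audit cannot answer; re-run it after updates.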

