Subject: Re: su and PAM
To: Christos Zoulas <christos@tac.gw.com>
From: None <sigsegv@rambler.ru>
List: current-users
Date: 03/22/2005 09:30:51
Christos Zoulas wrote:
> In article <423F88D5.9020700@rambler.ru>,  <sigsegv@rambler.ru> wrote:
> 
>>I've just installed base system from netbsd-3 tree and noticed users 
>>belonging to group 'wheel' can gain root access by running 'su', without 
>>password prompt.
>>Is this intentional?
> 
> 
> Obviously not. What does /etc/pam.d/su contain?
> 
> christos
> 
> 

Below are the contents of /etc/pam.d/su.
By the way, did you see my previous message where I posted the contents 
of /var/log/auth.log file? Why does the log show things like:

Mar 22 00:53:36 u10 su: in openpam_dynamic(): pam_rootok.so: pam_sm_acct_mgmt(): Undefined symbol "pam_sm_acct_mgmt"

Maybe this has something to do with it?

$ cat su
# $NetBSD: su,v 1.5 2005/03/01 16:28:46 christos Exp $
#
# PAM configuration for the "su" service
#

# auth
auth            sufficient      pam_rootok.so           no_warn
auth            sufficient      pam_self.so             no_warn
auth            sufficient      pam_ksu.so              no_warn try_first_pass
auth            requisite       pam_group.so            no_warn group=wheel root_only fail_safe
#auth           sufficient      pam_group.so            no_warn group=rootauth root_only fail_safe authenticate
auth            required        pam_unix.so             no_warn try_first_pass nullok

# account
account         required        pam_login_access.so
account         include         system

# session
session         required        pam_permit.so
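
An added example, not part of the original message or of NetBSD: a small audit of the posted auth chain. It lists the entries marked `sufficient` ahead of `pam_unix.so` (a `sufficient` module that succeeds ends the chain before later modules are consulted) and reports whether the password module carries `nullok`. The sample text is a constructed copy of the posted file with each entry on one line; the function names are hypothetical.

```python
# Constructed copy of the su PAM file posted above, one entry per line.
SU_PAM = """\
# auth
auth            sufficient      pam_rootok.so           no_warn
auth            sufficient      pam_self.so             no_warn
auth            sufficient      pam_ksu.so              no_warn try_first_pass
auth            requisite       pam_group.so            no_warn group=wheel root_only fail_safe
#auth           sufficient      pam_group.so            no_warn group=rootauth root_only fail_safe authenticate
auth            required        pam_unix.so             no_warn try_first_pass nullok
# account
account         required        pam_login_access.so
account         include         system
# session
session         required        pam_permit.so
"""


def parse_pam(text):
    """Return (facility, control, module, options) for each active line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries


def audit_auth(entries, password_module="pam_unix.so"):
    """List auth modules that can end the chain before the password module,
    plus options on the password module that relax the check."""
    early, relaxed = [], []
    for facility, control, module, options in entries:
        if facility != "auth":
            continue
        if module == password_module:
            # nullok lets pam_unix accept accounts with an empty password
            relaxed = [opt for opt in options if opt == "nullok"]
            break
        if control == "sufficient":
            early.append(module)
    return {"can_skip_password": early, "relaxed_options": relaxed}


if __name__ == "__main__":
    print(audit_auth(parse_pam(SU_PAM)))
```

Each module in `can_skip_password` is a place to check, with the auth.log entries for the same `su` run, whether it returned success for the wheel user.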