Default installation allows user to su to root without password after installing shadow-package

[kalaksi]

Hi,

This is basically the same problem as with #101, but this time it requires the installation of the shadow-package.
It seems that by default /bin/su is a link to busybox which does not have the SUID bit set so the empty root password is not an issue. However, the situation silently changes if the user installs the shadow-package for user account management. This was a major suprise to me when I noticed it and, IMHO, the correct way to fix this for good is to just disable the root password with '*'.

To demonstrate, here's how it happens:

$ docker run -it alpine:3.8 sh
/ # ls -l /bin/su
lrwxrwxrwx    1 root     root            12 Jul  5 14:47 /bin/su -> /bin/busybox
/ # ls -l /bin/busybox
-rwxr-xr-x    1 root     root        796312 May 30 10:46 /bin/busybox
/ # apk --no-cache add shadow
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.8/community/x86_64/APKINDEX.tar.gz
(1/2) Installing linux-pam (1.3.0-r0)
(2/2) Installing shadow (4.5-r0)
Executing busybox-1.28.4-r0.trigger
OK: 7 MiB in 15 packages
/ # ls -l /bin/su
-rwsr-xr-x    1 root     root         36560 May 19 11:19 /bin/su

It may as well be linux-pam that does it but that's beside the point. Let me know if you need more information.

[dbjpanda]

I can confirm the issue.

[ncopa]

This has been fixed with: docker-library/official-images#5516

Thanks!

[ncopa]

For the record, the upstream commit fixing the issue is:
https://git.alpinelinux.org/aports/commit/?id=7a2566ec8260ceacae81088ebe2ffe6526c3809e