GitLab

On systems using linux-pam, where a more restrictive authentication mechanism is used—such as pam_yubico.so—the Busybox binaries /bin/su and /bin/login are not PAM-aware and bypass the PAM configuration. This may be a vulnerability on some systems, since su cannot be disabled without also disabling its multi-call binary /bin/bbsuid.

Busybox could be built with PAM support by setting CONFIG_PAM=y in its configuration. Adding the packages busybox-pam and busybox-suid-pam would fix the issue.

Alternatively, the shadow package is PAM aware and provides replacement binaries for su, login, passwd, and chpasswd. But removing busybox-suid is still problematic, and as long as it's available on the system, it may be a vulnerability.