Gentoo Forums
HOWTO: make su work after installing shadow-4.0.5
funeagle
Tux's lil' helper
Joined: 05 Aug 2003
Posts: 102
Location: London
PostPosted: Thu Nov 04, 2004 10:53 am    Post subject: HOWTO: make su work after installing shadow-4.0.5

If you install sys-apps/shadow-4.0.5 and run etc-update, you might get the following error message when trying to su to root:
Code:
You are not authorized to su root


Then you have to edit /etc/login.defs and set:
Code:
SU_WHEEL_ONLY   no
nixnut
Bodhisattva
Joined: 09 Apr 2004
Posts: 10974
Location: the dutch mountains
PostPosted: Thu Nov 04, 2004 3:00 pm

Bad idea. Better to add only the users that you want to be able to su to the wheel group in /etc/group.
_________________
Please add [solved] to the initial post's subject line if you feel your problem is resolved. Help answer the unanswered

talk is cheap. supply exceeds demand
BWoso
l33t
Joined: 31 Dec 2003
Posts: 920
Location: Cleveland Ohio, USA
PostPosted: Thu Nov 04, 2004 3:47 pm

I am a little confused about the problem here. In another thread one person said that they had this error while trying to su, but that they were in the wheel group. So if being in the wheel group is no longer a necessity, how did that fix his problem (I pointed him to this post and it worked)? So he was in the wheel group, couldn't su, made being in the wheel group not needed, and it worked. I just don't understand why that works.
_________________
I think that the forums are the greatest thing about Gentoo, thanks to everyone that posts on them!

The best way to cheer yourself up is to try to cheer somebody else up.
-Mark Twain-
gentoo4erik
n00b
Joined: 04 Nov 2004
Posts: 12
PostPosted: Thu Nov 04, 2004 8:00 pm

Same here.
Adding myself to the wheel group does not work.

Looking at the comments in /etc/login.defs, it says that you have to add your name to the group with gid 0 (root!).

Is that the right way?
slycordinator
Advocate
Joined: 31 Jan 2004
Posts: 3065
Location: Korea
PostPosted: Thu Nov 04, 2004 8:14 pm

A better solution is to simply re-sync and update to the newest shadow version.

sys-apps/shadow-4.0.5-r2 is the current, updated version.
gentoo4erik
n00b
Joined: 04 Nov 2004
Posts: 12
PostPosted: Thu Nov 04, 2004 8:20 pm

I already emerged sys-apps/shadow-4.0.5-r2.

The behaviour I described happened with shadow-4.0.5-r2.
slycordinator
Advocate
Joined: 31 Jan 2004
Posts: 3065
Location: Korea
PostPosted: Thu Nov 04, 2004 8:28 pm

Strange. I can su and I'm using shadow-4.0.5-r2.

edit: But my problem with shadow-4.0.5 was having PAM authentication errors whenever trying to do user management stuff.
slycordinator
Advocate
Joined: 31 Jan 2004
Posts: 3065
Location: Korea
PostPosted: Thu Nov 04, 2004 8:35 pm

It seems this bug has come back:

https://bugs.gentoo.org/show_bug.cgi?id=56129
programs not setuid root

I'm guessing this is the related problem.
gentoo4erik
n00b
Joined: 04 Nov 2004
Posts: 12
PostPosted: Thu Nov 04, 2004 8:36 pm

Indeed very strange.

With sys-apps/shadow-4.0.5-r1 I had no problems. I never added myself to the wheel group and could always use su.

Maybe relevant: USE flag = -pam

I still think the comment lines in /etc/login.defs are strange:
Code:
# If "yes", the user must be listed as a member of the first gid 0 group
# in /etc/group (called "root" on most Linux systems) to be able to "su"
# to uid 0 accounts.  If the group doesn't exist or is empty, no one
# will be able to "su" to uid 0.


nothing about wheel-group.

Groetjes,

Erik
Martin.Jansa
n00b
Joined: 09 Mar 2004
Posts: 55
Location: Prague
PostPosted: Thu Nov 04, 2004 9:54 pm

gentoo4erik wrote:
Maybe relevant: USE flag = -pam

+pam works for me with -r2.
slycordinator
Advocate
Joined: 31 Jan 2004
Posts: 3065
Location: Korea
PostPosted: Fri Nov 05, 2004 4:30 am

gentoo4erik wrote:
I never added myself to the wheel group and could always use su.

Isn't that considered a security risk?
TyroneSlothrop
n00b
Joined: 27 Sep 2003
Posts: 39
Location: Franconia, Central Europe
PostPosted: Fri Nov 05, 2004 12:30 pm    Post subject: solution

I had the same problem since the security update of shadow.

Simple solution:
Just re-emerge pam-login; shadow installed a bad (?) version of /etc/login.defs.

Strange that those packages share some files; /usr/share/man/man1/login.1.gz would be another example. Are you even supposed to have them installed at once? If yes, it smells like a bug.
_________________
warning: potentially offensive but true nonetheless...
Batsi
n00b
Joined: 30 Mar 2004
Posts: 13
Location: Munich, Germany
PostPosted: Fri Nov 05, 2004 7:36 pm

Oooh, icky.
I had that problem today on my Sun, which stands a bit far away without a keyboard or monitor connected.
And so I first had to organize a Sun keyboard. :evil:

@TyroneSlothrop: Thanks a lot. Re-emerging pam brought success.

But now I will add a few more privileges to my non-root account. :D
gentoo4erik
n00b
Joined: 04 Nov 2004
Posts: 12
PostPosted: Sat Nov 06, 2004 7:20 am

Hoi TyroneSlothrop,

Thanks also, this helped.

Strange that both shadow and pam-login install /etc/login.defs, but that the files differ.

Groetjes,

Erik
DeZZa
n00b
Joined: 08 Apr 2004
Posts: 58
Location: Denmark, Aalborg
PostPosted: Tue Nov 09, 2004 4:23 pm

I re-emerged pam-login and it worked yesterday, but now I only get a "Sorry." message. I'm 100% sure that it is the correct password.

[EDIT:] Changed /bin/su to 4711 from 711.
hielvc
Advocate
Joined: 19 Apr 2002
Posts: 2805
Location: Oceanside, Ca
PostPosted: Tue Nov 09, 2004 6:20 pm

Boot CD, DeZZa :?: Thank you all. This thread reminded me it's time to back up /etc :lol:
_________________
An A-Z Index of the Linux BASH command line
r8dhex
Tux's lil' helper
Joined: 25 Jul 2002
Posts: 120
PostPosted: Mon Nov 22, 2004 6:10 am

OK, I was having the same problems after emerging shadow-4.0.5-r2. I re-emerged pam-login and replaced login.defs, which fixed the "not authorized to su" problem. However, pam-login's login.defs doesn't have the line "SU_WHEEL_ONLY", so anyone can now su, which is still not the expected behavior.

It seems that SU_WHEEL_ONLY requires the wheel group to be gid 0, from what I understand from the comments. Has anyone figured out how to fix the "not authorized to su" problem, while still keeping su powers within the wheel group?
pjp
Administrator
Joined: 16 Apr 2002
Posts: 20053
PostPosted: Mon Nov 22, 2004 3:54 pm

Moved from Installing Gentoo.
_________________
Quis separabit? Quo animo?
r8dhex
Tux's lil' helper
Joined: 25 Jul 2002
Posts: 120
PostPosted: Thu Nov 25, 2004 4:21 am

Bump, since this hasn't been resolved completely yet, I think.
slycordinator
Advocate
Joined: 31 Jan 2004
Posts: 3065
Location: Korea
PostPosted: Thu Nov 25, 2004 4:32 am

The problem I'm seeing most of the people talk about is this:

Before the update they could su to root regardless of whether they were in the wheel group or not, and now that they have performed the update they can't. And as far as I know, the former (su-ing regardless of group membership) is incorrect behavior for the system.
Sunny HiPPiE
n00b
Joined: 28 Nov 2004
Posts: 1
Location: Lithuania
PostPosted: Sun Nov 28, 2004 8:33 pm

Quote:
It seems that SU_WHEEL_ONLY requires the wheel group to be gid 0, from what I understand from the comments. Has anyone figured out how to fix the "not authorized to su" problem, while still keeping su powers within the wheel group?

Another way is: you can list the users who can su to root in the root group, whose gid by default is 0. It works on my machine. After the only change, that I added myuser to the root group, myuser became able to su to root.
ZiGZaG
n00b
Joined: 02 Sep 2004
Posts: 9
Location: Naples-Italy
PostPosted: Mon Nov 29, 2004 12:40 pm

Finally, I got the following results:

SU_WHEEL_ONLY no in /etc/login.defs lets my user su to root.

The user won't su with yes in this field, even if myuser is added to the wheel group, and the following comment lines in login.defs seem to explain why:

Code:

# If "yes", the user must be listed as a member of the first gid 0 group
# in /etc/group (called "root" on most Linux systems) to be able to "su"
# to uid 0 accounts.  If the group doesn't exist or is empty, no one
# will be able to "su" to uid 0.


The group those lines are talking about is NOT the wheel group, but root's. I won't add myuser to the root group, because on my notebook I've got just one user, and the "SU_WHEEL_ONLY no" solution is acceptable for me.

But what about my plans to make a server using Gentoo at my office?

I just can't let all users be able to su to root, because both local and remote security are very important in my environment.

No changes re-emerging the shadow package with or without pam in the cflags.

I still think this is a security issue of the current version of Gentoo, and I wish it's going to be fixed, because it seems a BIG security problem on those systems...

NOTE: my shadow version is -r2 and all packages on my system are up to date.
_________________
ZiGZaG
Malice
Tux's lil' helper
Joined: 13 Jun 2003
Posts: 78
PostPosted: Fri Dec 03, 2004 2:28 am

Bump.

Ditto here. User is member of wheel, but can't su to root.

So to summarize what has been said so far:

Adding the user to the root group solves the problem, but this is not such a good thing for security since your user account now has pseudo-escalated privileges, and it makes the wheel group redundant.

Changing the SU_WHEEL_ONLY variable in /etc/login.defs to no also lets you su to root, but again this isn't a very desirable solution since anyone can now attempt to su to root.

The suid bit on /bin/su and other related files is set on my brand-spanking new install, so I don't think the bug in the shadow ebuild mentioned above is causing the problem (for me at least).

I have built everything with USE='-pam' if that makes a difference.

Ideas?

Edit: I'm starting to get the idea that pam is pretty much a necessity to make this work properly. This sucks, since I had consciously decided not to use pam. Oh well, maybe I'll bite the bullet and re-emerge with pam.
hielvc
Advocate
Joined: 19 Apr 2002
Posts: 2805
Location: Oceanside, Ca
PostPosted: Fri Dec 03, 2004 3:44 am
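The thread's two open questions (r8dhex: why does SU_WHEEL_ONLY not honour the wheel group; Malice: how to check whether the setuid bit or the group membership is the real cause) can be modelled in a few lines of POSIX sh. The script below is an added example, not code from the thread or from the shadow package: it takes the rule exactly as the login.defs comment quoted above states it (member of the first gid 0 group in /etc/group) and evaluates it against constructed copies of /etc/group and /etc/login.defs written to a temporary directory, so the real system is never touched. The group and user names (alice, bob, myuser) and the file contents are made up for the example; `su_is_setuid` only reports the mode bit on whatever path it is given.

```shell
#!/bin/sh
# Added example (not from the thread): model the SU_WHEEL_ONLY rule that the
# shadow login.defs comment describes, to show why membership in a "wheel"
# group with gid 10 is not enough when the check is keyed on the first gid 0
# group, and to audit the setuid bit on a su binary.

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
GROUP_FILE="$TMP/group"
DEFS_FILE="$TMP/login.defs"

# Constructed sample /etc/group: wheel is gid 10, root (gid 0) has no members.
cat > "$GROUP_FILE" <<'EOF'
root:x:0:
wheel:x:10:alice,bob
users:x:100:alice,bob,carol
EOF

# Constructed sample login.defs excerpt with the restrictive setting.
cat > "$DEFS_FILE" <<'EOF'
# constructed excerpt; comments are ignored by the parser below
SU_WHEEL_ONLY   yes
EOF

# Print the name of the first group whose gid is 0 ("root" on most systems).
first_gid0_group() {
    awk -F: '$3 == 0 { print $1; exit }' "$1"
}

# Return 0 if user $2 is listed in the member field of group $1 in file $3.
in_group() {
    awk -F: -v g="$1" -v u="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$3"
}

# Read SU_WHEEL_ONLY from a login.defs file; unset means "no".
su_wheel_only() {
    awk '$1 == "SU_WHEEL_ONLY" { v = $2 } END { print (v == "" ? "no" : v) }' "$1"
}

# Decide as the comment describes: with SU_WHEEL_ONLY yes, the user must be a
# member of the first gid 0 group; otherwise anyone may try su.
# Usage: su_decision USER DEFS_FILE GROUP_FILE  -> prints allowed|denied
su_decision() {
    if [ "$(su_wheel_only "$2")" = "yes" ]; then
        g=$(first_gid0_group "$3")
        if [ -n "$g" ] && in_group "$g" "$1" "$3"; then
            echo allowed
        else
            echo denied
        fi
    else
        echo allowed
    fi
}

# Audit helper for the other failure mode in the thread (bug 56129, su not
# setuid): succeed only if the given path carries the setuid bit.
su_is_setuid() {
    [ -u "$1" ]
}

# alice is in wheel (gid 10) but not in root (gid 0), so the rule denies her.
su_decision alice "$DEFS_FILE" "$GROUP_FILE"
```

Run against a real host, `first_gid0_group /etc/group` and `su_decision "$USER" /etc/login.defs /etc/group` show which of the two settings the thread argues over is actually in force, and `su_is_setuid /bin/su` separates the "programs not setuid root" bug from the group-membership question.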

Did you check bugs.gentoo.org?
_________________
An A-Z Index of the Linux BASH command line
ZiGZaG
n00b
Joined: 02 Sep 2004
Posts: 9
Location: Naples-Italy
PostPosted: Fri Dec 03, 2004 12:18 pm

Well hielvc, I did, but I didn't see a solution. Is there any? 8O
_________________
ZiGZaG
Page 1 of 2