oezi n00b
Joined: 20 Feb 2004 Posts: 5
|
Posted: Fri Feb 20, 2004 9:18 pm Post subject: Su problem - Wheel okay, SUID okay - [resolved] |
|
|
Hey everybody!
I finally resort to the forum since I really can't figure it out.
Output from doing su:
Code: |
bash-2.05b$ su
Password:
su: Authentication failure
Sorry.
|
(and yes the password I enter is root's passwd)
Output of call to 'groups'
Code: |
bash-2.05b$ groups
wheel audio users slocate
|
From 'group':
Code: |
HisTop etc # less group | grep wheel
wheel:x:10:root,oezi,temp
|
Passwd file:
Code: |
HisTop log # less /etc/passwd | grep oezi
oezi:x:1000:100::/home/oezi:/bin/bash
|
Access rights:
Code: |
HisTop log # ls -l /etc/passwd /etc/shadow /bin/su /sbin/unix_chkpwd
-rwsr-xr-x 1 root root 24304 Feb 20 04:36 /bin/su
-rw-r--r-- 1 root root 1867 Feb 8 16:48 /etc/passwd
-rw------- 1 root root 533 Feb 8 16:48 /etc/shadow
-r-sr-xr-x 1 root root 19088 Feb 20 04:55 /sbin/unix_chkpwd
|
Pam file:
Code: |
HisTop etc # cat pam.d/su
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
# Uncomment this to allow users in the wheel group to su without entering a passwd.
#auth sufficient /lib/security/pam_wheel.so use_uid trust debug
# Comment this to allow any user, even those not in the 'wheel' group to su
auth required /lib/security/pam_wheel.so use_uid debug
auth required /lib/security/pam_stack.so service=system-auth debug
account required /lib/security/pam_stack.so service=system-auth debug
password required /lib/security/pam_stack.so service=system-auth debug
session required /lib/security/pam_stack.so service=system-auth debug
session optional /lib/security/pam_xauth.so
|
From /var/log/messages:
Code: |
Feb 20 06:05:35 HisTop PAM-Wheel[7341]: Ignoring access request 'oezi' for 'root'
Feb 20 06:05:35 HisTop pam_stack[7341]: called for "PAM_AUTHENTICATE"
Feb 20 06:05:35 HisTop pam_stack[7341]: called from "su"
Feb 20 06:05:35 HisTop pam_stack[7341]: initializing
Feb 20 06:05:35 HisTop pam_stack[7341]: creating child stack `system-auth'
Feb 20 06:05:35 HisTop pam_stack[7341]: creating environment
Feb 20 06:05:35 HisTop pam_stack[7341]: NOT passing PAM_AUTHTOK to child: source is NULL
Feb 20 06:05:35 HisTop pam_stack[7341]: passing PAM_CONV to child
Feb 20 06:05:35 HisTop pam_stack[7341]: NOT passing PAM_FAIL_DELAY to child: source not set
Feb 20 06:05:35 HisTop pam_stack[7341]: NOT passing PAM_OLDAUTHTOK to child: source is NULL
Feb 20 06:05:35 HisTop pam_stack[7341]: NOT passing PAM_RHOST to child: source is NULL
Feb 20 06:05:35 HisTop pam_stack[7341]: passing PAM_RUSER to child
Feb 20 06:05:35 HisTop pam_stack[7341]: passing PAM_SERVICE to child
Feb 20 06:05:35 HisTop pam_stack[7341]: passing PAM_TTY to child
Feb 20 06:05:35 HisTop pam_stack[7341]: passing PAM_USER to child
Feb 20 06:05:35 HisTop pam_stack[7341]: NOT passing PAM_USER_PROMPT to child: source is NULL
Feb 20 06:05:35 HisTop pam_stack[7341]: passing data to child
Feb 20 06:05:35 HisTop pam_stack[7341]: calling substack
Feb 20 06:05:39 HisTop unix_chkpwd[7342]: check pass; user unknown
Feb 20 06:05:39 HisTop su(pam_unix)[7341]: authentication failure; logname= uid=1000 euid=1000 tty=pts/0 ruser=oezi rhost= user=root
Feb 20 06:05:39 HisTop pam_stack[7341]: substack returned 7 (Authentication failure)
Feb 20 06:05:39 HisTop pam_stack[7341]: passing PAM_AUTHTOK to parent
Feb 20 06:05:39 HisTop pam_stack[7341]: NOT passing PAM_CONV to parent: destination already set
Feb 20 06:05:39 HisTop pam_stack[7341]: passing PAM_FAIL_DELAY to parent
Feb 20 06:05:39 HisTop pam_stack[7341]: NOT passing PAM_OLDAUTHTOK to parent: source is NULL
Feb 20 06:05:39 HisTop pam_stack[7341]: NOT passing PAM_RHOST to parent: source is NULL
Feb 20 06:05:39 HisTop pam_stack[7341]: passing PAM_RUSER to parent
Feb 20 06:05:39 HisTop pam_stack[7341]: passing PAM_SERVICE to parent
Feb 20 06:05:39 HisTop pam_stack[7341]: passing PAM_TTY to parent
Feb 20 06:05:39 HisTop pam_stack[7341]: passing PAM_USER to parent
Feb 20 06:05:39 HisTop pam_stack[7341]: NOT passing PAM_USER_PROMPT to parent: source is NULL
Feb 20 06:05:39 HisTop pam_stack[7341]: passing data back
Feb 20 06:05:39 HisTop pam_stack[7341]: passing former back
Feb 20 06:05:39 HisTop pam_stack[7341]: returning 7 (Authentication failure)
Feb 20 06:05:41 HisTop su[7341]: pam_authenticate: Authentication failure
Feb 20 06:05:41 HisTop pam_stack[7341]: freeing stack data for `system-auth' service
|
What I tried so far:
* Reinstalling pam, pam-login, coreutils, shadow with -O2
* resetting group attributes
* wheel::10:root,oezi (without the x)
* uncommenting the line # auth sufficient /lib/security/pam_wheel.so use_uid trust debug
Code: |
bash-2.05b$ su
su: Authentication service cannot retrieve authentication info.
Sorry.
|
* strace (cannot work because strace does not propagate suid bit)
I'm really desperate... and hope it's not something really stupid
Please tell me if any information is missing. I really tried to work with all the information available on the web and in the forum.
Christopher
Last edited by oezi on Tue Mar 02, 2004 6:08 pm; edited 1 time in total
oezi n00b
Joined: 20 Feb 2004 Posts: 5
|
Posted: Mon Feb 23, 2004 1:49 am Post subject: SUID in general not workin |
|
|
Hey Guys!
I tried some other random stuff today, when I noticed that my ping command doesn't work either when using a non-root user.
Since ICMP-sockets can only be opened by root-users I added SUID bits to ping.
Code: |
chmod a+s /bin/ping
|
But it still doesn't work. Same with mount or umount.
Are the SUID bits maybe broken in general? Any ideas what else I could try to investigate? Thanks!
Christopher
oezi n00b
Joined: 20 Feb 2004 Posts: 5
|
Posted: Tue Mar 02, 2004 6:07 pm Post subject: Fixed |
|
|
Okay, I found the solution.
I had a wrong entry in my fstab which disabled suid bits.
Changing the line to
Code: |
/dev/hda6 / reiserfs noatime 0 1
|
solved all my problems.
Thanks for having a look at the problem.
Christopher
rosowski n00b
Joined: 09 Nov 2003 Posts: 51
|
Posted: Mon Apr 05, 2004 6:58 pm Post subject: |
|
|
Did that solve your su issue though? I have the same problem here, after I backed up my system using only cp, without -a option (dumb me...).
My fstab says:
Code: |
/dev/hda3 / ext3 noatime 0 0
|
but that's how it came from Gentoo, so I guess it's right this way.
Cheers,
Daniel
oezi n00b
Joined: 20 Feb 2004 Posts: 5
|
Posted: Mon Apr 05, 2004 7:47 pm Post subject: cp backup |
|
|
All my SUID bits for the individual files were set correctly, so after I removed the nosuid option from the fstab everything was working again.
What exactly isn't working? (suid bits, wheel group?)
Best greetings,
Christopher
rosowski n00b
Joined: 09 Nov 2003 Posts: 51
|
Posted: Tue Apr 06, 2004 4:58 pm Post subject: |
|
|
The point is that I just wonder why you need to set your fstab entry for the root partition from 0 0 to 0 1, since I got it working by setting the suid bit too, but without the changes to the fstab.
Sorry, maybe it was a bit confusing
oezi n00b
Joined: 20 Feb 2004 Posts: 5
|
Posted: Tue Apr 06, 2004 5:11 pm Post subject: nosuid in fstab |
|
|
I have to be sorry because my bug-fix report was not too clear:
The problem with the fstab was not because of 0 0 vs. 0 1 (these are for file-sys-checks I believe) but because I had "nosuid" (and some other stuff) where "noatime" is now. Check with "man mount" to get the full information on that. Apparently this option is for security reasons to completely disable suid bits at the kernel level.
Christopher
funeagle Tux's lil' helper
Joined: 05 Aug 2003 Posts: 102 Location: London
|
Posted: Sat Dec 31, 2005 1:15 pm Post subject: |
|
|
Thank you, I had the same problem and now it's solved. But I think you did not tell directly that you had the users entry which disabled the suid bits.
I had it wrong as well:
Code: |
/dev/hda6 / reiserfs users,exec 0 0
|
removed the users and now it works
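Added example, not part of the original thread: both fixes reported above come down to how mount(8) resolves the options field from left to right, where `users` (like `user`, `owner` and `group`) implies `nosuid` unless a later `suid` overrides it. The shell sketch below applies that rule to constructed fstab lines modelled on the ones posted here; the function names are hypothetical.

```shell
#!/bin/sh
# Resolve whether set-user-ID bits are honoured for an fstab options field,
# following the left-to-right rules documented in mount(8).

# Print "suid" or "nosuid" for a comma-separated options string.
effective_suid() {
    state=suid                      # mount default when no option says otherwise
    old_ifs=$IFS; IFS=,
    for opt in $1; do
        case $opt in
            nosuid)                 state=nosuid ;;
            suid|defaults)          state=suid ;;
            # user, users, owner and group each imply noexec,nosuid,nodev
            # unless a later option overrides them.
            user|users|owner|group) state=nosuid ;;
        esac
    done
    IFS=$old_ifs
    echo "$state"
}

# Read fstab-format lines on stdin; print mount points where setuid is ignored.
nosuid_mounts() {
    while read -r dev mnt fstype opts rest; do
        case $dev in ''|'#'*) continue ;; esac
        if [ "$(effective_suid "$opts")" = nosuid ]; then
            echo "$mnt"
        fi
    done
    return 0
}

# Constructed sample input (devices and layout are made up for illustration).
sample_fstab() {
    cat <<'EOF'
# <fs>     <mountpoint> <type>   <opts>            <dump/pass>
/dev/hda1  /boot        ext2     noauto,noatime    1 2
/dev/hda6  /            reiserfs users,exec        0 0
/dev/hda7  /home        ext3     noatime,nosuid    0 2
/dev/hda8  /opt         ext3     users,exec,suid   0 2
EOF
}

# Demo: lists / and /home, the two filesystems where su, ping and mount
# would run without their set-user-ID privileges.
sample_fstab | nosuid_mounts
```

On a running system, `nosuid_mounts < /proc/mounts` checks the options actually in effect rather than what fstab requests, since the kernel lists `nosuid` there explicitly.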
pjp Administrator
Joined: 16 Apr 2002 Posts: 20067
|
Posted: Sat Dec 31, 2005 9:44 pm Post subject: |
|
|
Moved from Installing Gentoo
_________________
Quis separabit? Quo animo?