- Q1. Why can't I su to root?
I've added a non-root user, but when I try to use the "su" command to become root, it doesn't work, and I get the error "Permission denied". Why is this and what can I do about it?
A1. As a security precaution, the default settings for Gentoo Linux require a user to be a member of the wheel group to be allowed to execute the "su" command to become root.
You can add a user to the wheel group in several ways. You can use the -G option of usermod or the -a option of gpasswd, such as:
Code:
# usermod -G users,wheel username
# gpasswd -a username wheel
Note, however, that any supplementary groups not specified are removed if you use usermod, so, for example, if you need the user to remain a member of the audio group, you must explicitly say
Code:
# usermod -G users,wheel,audio username
You can also use the vigr command to edit /etc/group directly, changing the line for the wheel group to read something like
Code:
wheel::10:root,username
Does the "groups" command confirm that you are a member of the correct group?
Note: for users of the GLI, you will need to run "sudo su -" instead of just "su".
- Q1.1. But this just happened, and su was working. Really. It was.
A1.1. If you've recently updated some files, such as with etc-update, you probably overwrote a configuration file. Go through these steps again to verify everything is configured correctly.
- Q1.2. But my user is a member of the wheel group, and I still can't su to root. My error message is slightly different. It says "Authentication failure".
A1.2. Check the file permissions on the /bin/su executable using
Code:
$ ls -l /bin/su
It should say:
Code:
-rwsr-xr-x 1 root root
If your permissions are different, you can fix them using:
Code:
# chown root:root /bin/su
# chmod 4755 /bin/su
- Other things to check:
- /etc/fstab settings: users,exec / nosuid
- user's home directory is owned by the user.
- Permissions on / directory. This thread, or this summary.
- You are not authorized to su root: pam-login, shadow. Note: removing the wheel group requirement is NOT a desirable solution. There is, however, a remedy.
- ebrostig in su problem: (/etc/group is ok) i rtfm... twice
Added "Other things to check." --pjp
Inserted a new 1.1 --pjp
Added direct link to pam-less wheel remedy. --kallamej
Changed chown command to reflect newer user:group syntax. --Maedhros
Added note for GLI users on how to su --mark_alec
Added gpasswd example. --kallamej
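
The checks from A1, A1.2 and the first two "Other things to check" items, collected into one read-only diagnostic script. This is an added example, not part of the original FAQ: the function names are hypothetical, it assumes GNU stat, getent and util-linux findmnt, and it reads the fstab item as the nosuid mount option.

```sh
#!/bin/sh
# Added example: read-only checks for the su prerequisites in this FAQ.
# Function names are hypothetical; nothing here modifies the system.

# True if user $2 is in the member field (4th) of /etc/group line $1.
# Whole names only: "user" must not match "username".
group_line_has_member() {
    [ -n "$2" ] || return 1
    members=$(printf '%s\n' "$1" | cut -d: -f4)
    case ",$members," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# True if $1, in the form printed by stat -c '%U:%G %a', is root:root 4755.
su_perms_ok() {
    [ "$1" = "root:root 4755" ]
}

# True if the comma-separated mount option string $1 contains nosuid,
# which makes the kernel ignore the setuid bit on that filesystem.
opts_have_nosuid() {
    case ",$1," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run every check for one user on the live system, one result line each.
diagnose() {
    user=$1
    line=$(getent group wheel) || line=""
    if group_line_has_member "$line" "$user"; then echo "OK   $user is in wheel"
    else echo "FAIL $user is not in wheel (see A1)"; fi
    perms=$(stat -L -c '%U:%G %a' /bin/su 2>/dev/null) || perms="unreadable"
    if su_perms_ok "$perms"; then echo "OK   /bin/su is root:root 4755"
    else echo "FAIL /bin/su is '$perms', want 'root:root 4755' (see A1.2)"; fi
    opts=$(findmnt -n -o OPTIONS -T /bin/su 2>/dev/null) || opts=""
    if opts_have_nosuid "$opts"; then echo "FAIL /bin/su is on a nosuid mount"
    else echo "OK   /bin/su is not on a nosuid mount"; fi
    home=$(getent passwd "$user" | cut -d: -f6)
    owner=$(stat -c '%U' "$home" 2>/dev/null) || owner="unknown"
    if [ "$owner" = "$user" ]; then echo "OK   $home is owned by $user"
    else echo "FAIL $home is owned by '$owner', not $user"; fi
}

# Usage: sh check-su.sh username   (does nothing when run without arguments)
if [ "$#" -gt 0 ]; then diagnose "$1"; fi
```

The membership test compares whole names against the member field, so a line such as wheel::10:root,username does not count a different account named "user" as a wheel member.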
