funeagle Tux's lil' helper
Joined: 05 Aug 2003 Posts: 102 Location: London
Posted: Thu Nov 04, 2004 10:53 am Post subject: HOWTO: make su work after installing shadow-4.0.5
If you install sys-apps/shadow-4.0.5 and run etc-update, you might get the following error message when trying to su to root:
Code:
You are not authorized to su root
Then you have to edit /etc/login.defs and set:
nixnut Bodhisattva
Joined: 09 Apr 2004 Posts: 10974 Location: the dutch mountains
Posted: Thu Nov 04, 2004 3:00 pm
Bad idea. Better to add only the users that you want to be able to su to the wheel group in /etc/group.
_________________
Please add [solved] to the initial post's subject line if you feel your problem is resolved. Help answer the unanswered.
talk is cheap. supply exceeds demand
BWoso l33t
Joined: 31 Dec 2003 Posts: 920 Location: Cleveland Ohio, USA
Posted: Thu Nov 04, 2004 3:47 pm
I am a little confused about the problem here. In another thread one person said that they had this error while trying to su, but that they were in the wheel group. So how did making membership in the wheel group unnecessary fix his problem (I pointed him to this post and it worked)? He was in the wheel group, couldn't su, made being in the wheel group not needed, and it worked. I just don't understand why that works.
_________________
I think that the forums are the greatest thing about Gentoo, thanks to everyone that posts on them!
The best way to cheer yourself up is to try to cheer somebody else up.
-Mark Twain-
gentoo4erik n00b
Joined: 04 Nov 2004 Posts: 12
Posted: Thu Nov 04, 2004 8:00 pm
Same here.
Adding to the wheel group does not work.
Looking at the comments in /etc/login.defs, it says that you have to add your name to the gid 0 group (root!).
Is that the right way?
slycordinator Advocate
Joined: 31 Jan 2004 Posts: 3065 Location: Korea
Posted: Thu Nov 04, 2004 8:14 pm
A better solution is to simply re-sync and update to the newest shadow version.
sys-apps/shadow-4.0.5-r2 is the current, updated version.
gentoo4erik n00b
Joined: 04 Nov 2004 Posts: 12
Posted: Thu Nov 04, 2004 8:20 pm
I already emerged sys-apps/shadow-4.0.5-r2.
The behaviour I described happened with shadow-4.0.5-r2.
slycordinator Advocate
Joined: 31 Jan 2004 Posts: 3065 Location: Korea
Posted: Thu Nov 04, 2004 8:28 pm
Strange. I can su and I'm using shadow-4.0.5-r2.
edit: But my problem with shadow-4.0.5 was having PAM authentication errors whenever trying to do user management stuff.
slycordinator Advocate
Joined: 31 Jan 2004 Posts: 3065 Location: Korea
gentoo4erik n00b
Joined: 04 Nov 2004 Posts: 12
Posted: Thu Nov 04, 2004 8:36 pm
Indeed very strange.
With sys-apps/shadow-4.0.5-r1 I had no problems. I never added myself to the wheel group and could always use su.
Maybe relevant: USE flag = -pam
I still think the comment lines in /etc/login.defs are strange:
Code:
# If "yes", the user must be listed as a member of the first gid 0 group
# in /etc/group (called "root" on most Linux systems) to be able to "su"
# to uid 0 accounts. If the group doesn't exist or is empty, no one
# will be able to "su" to uid 0.
Nothing about the wheel group.
Greetings,
Erik
Martin.Jansa n00b
Joined: 09 Mar 2004 Posts: 55 Location: Prague
Posted: Thu Nov 04, 2004 9:54 pm
gentoo4erik wrote: "Maybe relevant: USE flag = -pam"
+pam works for me with -r2.
slycordinator Advocate
Joined: 31 Jan 2004 Posts: 3065 Location: Korea
Posted: Fri Nov 05, 2004 4:30 am
gentoo4erik wrote: "I never added myself to the wheel group and could always use su."
Isn't that considered a security risk?
TyroneSlothrop n00b
Joined: 27 Sep 2003 Posts: 39 Location: Franconia, Central Europe
Posted: Fri Nov 05, 2004 12:30 pm Post subject: solution
I had the same problem since the security update of shadow.
Simple solution:
Just re-emerge pam-login; shadow installed a bad (?) version of /etc/login.defs.
Strange that those packages share some files; /usr/share/man/man1/login.1.gz would be another example. Are you even supposed to have them installed at once? If yes, it smells like a bug.
_________________
warning: potentially offensive but true nonetheless...
Batsi n00b
Joined: 30 Mar 2004 Posts: 13 Location: Munich, Germany
Posted: Fri Nov 05, 2004 7:36 pm
Oooh, icky.
I had that problem on my Sun today, which stands a bit far away without a keyboard or monitor connected.
So I first had to organize a Sun keyboard.
@TyroneSlothrop: Thanks a lot. Re-emerging pam brought success.
But now I will add a few more privileges to my non-root account.
gentoo4erik n00b
Joined: 04 Nov 2004 Posts: 12
Posted: Sat Nov 06, 2004 7:20 am
Hi TyroneSlothrop,
Thanks also, this helped.
Strange that both shadow and pam-login install /etc/login.defs, but that the files differ.
Greetings,
Erik
DeZZa n00b
Joined: 08 Apr 2004 Posts: 58 Location: Denmark, Aalborg
Posted: Tue Nov 09, 2004 4:23 pm
I re-emerged pam-login and it worked yesterday, but now I only get a "Sorry." message; I'm 100% sure that it is the correct password.
[EDIT:] Changed /bin/su to 4711 from 711.
hielvc Advocate
Joined: 19 Apr 2002 Posts: 2805 Location: Oceanside, Ca
r8dhex Tux's lil' helper
Joined: 25 Jul 2002 Posts: 120
Posted: Mon Nov 22, 2004 6:10 am
OK, I was having the same problems after emerging shadow-4.0.5-r2. I re-emerged pam-login and replaced login.defs, which fixed the "not authorized to su" problem. However, pam-login's login.defs doesn't have the line "SU_WHEEL_ONLY", so anyone can now su, which is still not the expected behavior.
It seems that SU_WHEEL_ONLY requires the wheel group to be gid 0, from what I understand from the comments. Has anyone figured out how to fix the "not authorized to su" problem while still keeping su powers within the wheel group?
pjp Administrator
Joined: 16 Apr 2002 Posts: 20090
Posted: Mon Nov 22, 2004 3:54 pm
Moved from Installing Gentoo.
_________________
Quis separabit? Quo animo?
r8dhex Tux's lil' helper
Joined: 25 Jul 2002 Posts: 120
Posted: Thu Nov 25, 2004 4:21 am
Bump, since this hasn't been resolved completely yet, I think.
slycordinator Advocate
Joined: 31 Jan 2004 Posts: 3065 Location: Korea
Posted: Thu Nov 25, 2004 4:32 am
The problem I'm seeing most of the people talk about is this:
Before the update they could su to root regardless of whether they were in the wheel group or not, and now that they have performed the update they can't. And as far as I know, the former (su-ing regardless of group membership) is incorrect behavior for the system.
Sunny HiPPiE n00b
Joined: 28 Nov 2004 Posts: 1 Location: Lithuania
Posted: Sun Nov 28, 2004 8:33 pm
Quote: "It seems that SU_WHEEL_ONLY requires the wheel group to be gid 0, from what I understand from the comments. Has anyone figured out how to fix the "not authorized to su" problem while still keeping su powers within the wheel group?"
Another way is: you can list the users who can su root in the root group, whose gid by default is 0. It works on my machine. After the only change, that I added myuser to the root group, myuser became able to su root.
ZiGZaG n00b
Joined: 02 Sep 2004 Posts: 9 Location: Naples-Italy
Posted: Mon Nov 29, 2004 12:40 pm
Finally, I got the following results:
SU_WHEEL_ONLY no in /etc/login.defs lets my user su to root.
The user won't su with yes in this field, even if myuser is added to the wheel group, and the following comment lines in login.defs seem to explain why:
Code:
# If "yes", the user must be listed as a member of the first gid 0 group
# in /etc/group (called "root" on most Linux systems) to be able to "su"
# to uid 0 accounts. If the group doesn't exist or is empty, no one
# will be able to "su" to uid 0.
The group those lines are talking about is NOT the wheel group, but root's. I won't add myuser to the root group, because on my notebook I've got just one user, and the "SU_WHEEL_ONLY no" solution is acceptable for me.
But what about my plans to make a server using Gentoo at my office?
I just can't let all users be able to su to root, because both local and remote security are very important in my environment.
No changes re-emerging the shadow package with or without pam in the cflags.
I still think this is a security issue of the current version of Gentoo, and I wish it's going to be fixed, because it seems a BIG security problem on those systems...
NOTE: my shadow version is -r2 and all packages on my system are up to date
_________________
ZiGZaG
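The rule quoted from login.defs in the posts above (SU_WHEEL_ONLY yes means membership in the first gid 0 group, not in wheel) can be checked locally before anyone locks themselves out. The script below is an added example, not from this thread or from the shadow package; it takes the login.defs and group file paths as parameters so it can be run against constructed copies, and it models only the non-PAM shadow rule the thread describes (on a PAM build the stack in /etc/pam.d/su decides instead).

```shell
#!/bin/sh
# Added example: audit who may "su" to uid 0 under the non-PAM shadow rule
# described in the thread. SU_WHEEL_ONLY yes requires membership in the
# FIRST gid-0 group of the group file (normally "root"), not in "wheel".

# Print the value of a login.defs key (value of the last matching line), or "unset".
login_defs_value() {  # $1 = login.defs path, $2 = key name
    awk -v k="$2" '$1 == k { v = $2 } END { print (v == "" ? "unset" : v) }' "$1"
}

# Print the member list of the first group with the given gid (empty if none).
members_of_gid() {  # $1 = group file path, $2 = numeric gid
    awk -F: -v g="$2" '$3 == g { print $4; exit }' "$1"
}

# Decide who can su to root: "anyone" unless SU_WHEEL_ONLY is exactly "yes",
# otherwise the gid-0 members; empty output means nobody can su at all.
who_can_su_root() {  # $1 = login.defs path, $2 = group file path
    if [ "$(login_defs_value "$1" SU_WHEEL_ONLY)" = "yes" ]; then
        members_of_gid "$2" 0
    else
        echo anyone
    fi
}

# Constructed sample files mirroring the thread: SU_WHEEL_ONLY yes, the user
# "erik" is in wheel (gid 10) but root (gid 0) has no members.
tmp=$(mktemp -d)
cat > "$tmp/login.defs" <<'EOF'
# If "yes", the user must be listed as a member of the first gid 0 group
SU_WHEEL_ONLY yes
EOF
cat > "$tmp/group" <<'EOF'
root:x:0:
wheel:x:10:erik
EOF

echo "SU_WHEEL_ONLY = $(login_defs_value "$tmp/login.defs" SU_WHEEL_ONLY)"
echo "gid 0 members = '$(members_of_gid "$tmp/group" 0)'"   # empty: nobody can su
echo "wheel members = '$(members_of_gid "$tmp/group" 10)'"  # erik, but wheel is not gid 0
echo "can su root   = '$(who_can_su_root "$tmp/login.defs" "$tmp/group")'"
rm -r "$tmp"
```

Run against the real /etc/login.defs and /etc/group, an empty result for "can su root" is exactly the lockout the thread reports, and "anyone" is the state r8dhex and Malice object to.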
Malice Tux's lil' helper
Joined: 13 Jun 2003 Posts: 78
Posted: Fri Dec 03, 2004 2:28 am
Bump.
Ditto here. User is a member of wheel, but can't su to root.
So to summarize what has been said so far:
Adding the user to the root group solves the problem, but this is not such a good thing for security since your user account now has pseudo-escalated privileges, and it makes the wheel group redundant.
Changing the SU_WHEEL_ONLY variable in /etc/login.defs to no also lets you su to root, but again this isn't a very desirable solution since anyone can now attempt to su to root.
The suid bit on /bin/su and other related files is set on my brand spanking new install, so I don't think the bug in the shadow ebuild mentioned above is causing the problem (for me at least).
I have built everything with USE='-pam' if that makes a difference.
Ideas?
Edit: I'm starting to get the idea that pam is pretty much a necessity to make this work properly. This sucks, since I had consciously decided not to use pam. Oh well, maybe I'll bite the bullet and re-emerge with pam.
hielvc Advocate
Joined: 19 Apr 2002 Posts: 2805 Location: Oceanside, Ca
ZiGZaG n00b
Joined: 02 Sep 2004 Posts: 9 Location: Naples-Italy
Posted: Fri Dec 03, 2004 12:18 pm
Well hielvc, I did, but I didn't see a solution. Is there any?
_________________
ZiGZaG