Gentoo Forums
HOWTO: make su work after installing shadow-4.0.5
Page 2 of 2
BWoso
l33t
Joined: 31 Dec 2003
Posts: 920
Location: Cleveland Ohio, USA
PostPosted: Fri Dec 03, 2004 12:32 pm

Not a solution but a way around for the time being... Hit ctrl+alt+f11, alt+f2, log in as root, do whatever you need to do, or start emerging something or whatever... ctrl+alt+f7 to get back into your WM/DE.
_________________
I think that the forums are the greatest thing about Gentoo, thanks to everyone that posts on them!

The best way to cheer yourself up is to try to cheer somebody else up.
-Mark Twain-
hielvc
Advocate
Joined: 19 Apr 2002
Posts: 2805
Location: Oceanside, Ca
PostPosted: Sat Dec 04, 2004 3:22 am

Not officially yet. I just added my user, me, to the root group.
_________________
An A-Z Index of the Linux BASH command line
slycordinator
Advocate
Joined: 31 Jan 2004
Posts: 3065
Location: Korea
PostPosted: Sat Dec 04, 2004 8:14 pm    Post subject: UPDATE

This seems to have been fixed in version 4.0.6

I have 2 new users I've put on this system. One is my normal account, which is part of the wheel group and not part of the root group. I added another account to test all this out which isn't in the wheel group.

Before I didn't have an entry for SU_WHEEL_ONLY in /etc/login.defs. So at that time, anyone could su as long as they knew the password. So I added "SU_WHEEL_ONLY yes" to /etc/login.defs

I now can su using my normal account (the one that is in wheel) but not using the other one (the one that's not part of wheel).

btw: 4.0.6 is masked "~x86"
stealthy
Tux's lil' helper
Joined: 08 Aug 2002
Posts: 118
Location: ONTARIO CANADA
PostPosted: Sat Dec 04, 2004 11:43 pm    Post subject: workaround?

I was having the same problem, although I ran into this problem because I messed up my pam...and wasn't able to log into the system cause of missing libpam_misc.so etc...and wasn't able to recompile pam-login ...it kept on failing while trying to compile login.c

so I just did:
Using LiveCD & chrooting to my system
emerge unmerge shadow pam
then emerge depclean
then added -pam to use flags
then emerge shadow

and then the system was usable once again.
although i had to recompile samba,ssh, vixie-cron etc. (whatever was using pam for authentication)

Now to the problem of not being able to su -

Still wanting to maintain unauthorised users from being able to su -, I decided to make another user, and then added that user to group root
for eg.
username: newuser (not actual username)
primary group: users
additional groups: wheel,root,audio

did this because once the wheel issue is resolved i'll delete this new user.:)
_________________
All your Gentoo are belong to us.
Malice
Tux's lil' helper
Joined: 13 Jun 2003
Posts: 78
PostPosted: Sun Dec 05, 2004 9:25 am

In case anyone is wondering re-enabling pam with

Code:
USE='pam' emerge -vuatD --newuse world
gave me back the desired behaviour - wheel members can su, but noone else can.

I had an 'oh shit' moment halfway through this build. I had emerge running inside a detached screen, and accidentally logged out of my last shell. When I tried to log back in again as root I got a pam error and couldn't log in. Doh!. Once the build had finished though I was able to log in, and everything worked as expected.

Now I know why there is a warning in the description for the pam use flag about arbitrarily flipping the value.
ZiGZaG
n00b
Joined: 02 Sep 2004
Posts: 9
Location: Naples-Italy
PostPosted: Tue Dec 07, 2004 10:02 am

I did

Code:
ACCEPT_KEYWORDS="~x86" emerge -u shadow
to do as slycordinator said, but my wheel-users still can't su to root with su_wheel_only yes

I think i'll try

Code:
USE='pam' emerge -vuatD --newuse world
as malice said.. when i can compile one day long of course.. because my gentoo is on a notebook :cry:
_________________
ZiGZaG
Chriske
Tux's lil' helper
Joined: 09 Apr 2004
Posts: 86
Location: Belgium (Antwerp)
PostPosted: Sat Dec 18, 2004 3:12 pm

I don't like pam, and don't want it to be installed on my system (had it before, caused a lot of conflicts, e.g. audio did not work anymore in some progs)

As far as i understand, usage of the wheel-group only works correctly using pam. But from the comment (which appears only to be present when using sys-apps shadow, without pam) in /etc/login.defs:
Code:
#
# If "yes", the user must be listed as a member of the first gid 0 group
# in /etc/group (called "root" on most Linux systems) to be able to "su"
# to uid 0 accounts.  If the group doesn't exist or is empty, no one
# will be able to "su" to uid 0.
#
SU_WHEEL_ONLY   yes

I get that shadow does not work with a wheel-group, but all users you want to be able to su must be members of the root-group (with gid 0).

I tried this (adding all users who were member of the wheel-group to the root-group) and this seems to work properly (only these users can su, others can't).

Now my only question is: are there any consequences (e.g. security risks) when adding a user to the root-group?
_________________
In a world without fences and walls, who needs Gates and Windows?
gkmac
Guru
Joined: 19 Jan 2003
Posts: 333
Location: West Sussex, UK
PostPosted: Sun Dec 19, 2004 6:02 pm

Chriske wrote:
I don't like pam, and don't want it to be installed on my system (had it before, caused a lot of conflicts, e.g. audio did not work anymore in some progs)

As far as i understand, usage of the wheel-group only works correctly using pam.

I recently jettisoned PAM from my PCs and came across this SU_WHEEL_ONLY=yes issue. There something wasn't right (to me) about adding users to gid 0.

But I found a way to preserve the "wheel group" behaviour without PAM. Firstly set SU_WHEEL_ONLY=no and then create the file /etc/suauth with this single line...
Code:
root:ALL EXCEPT GROUP wheel:DENY
...and now only members of the wheel group can su to root, while everybody can su to everybody else (password permitting).

man suauth will tell you how you can apply further restrictions.
Chriske
Tux's lil' helper
Joined: 09 Apr 2004
Posts: 86
Location: Belgium (Antwerp)
PostPosted: Mon Dec 20, 2004 3:43 pm

Tnx, gkmac.

I too had problems with adding users to the root-group (that's why i posted my previous msg).

Your solution is indeed perfect, although I used "ALL:ALL EXCEPT GROUP wheel:DENY" to get the same effect as with PAM.

Thanks a lot.
_________________
In a world without fences and walls, who needs Gates and Windows?
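The two /etc/suauth rules in this exchange (gkmac's and Chriske's) and the SU_WHEEL_ONLY behaviour from the login.defs comment Chriske quoted earlier, as an added Python model that is not code from this thread or from shadow itself; the /etc/group contents, the user names and the first-matching-line rule order are assumptions.

```python
# Added example (not from the thread or shadow): model of the two non-PAM su checks above.
GROUP_FILE = """\
root:x:0:root
wheel:x:10:alice
users:x:100:alice,bob
"""

def parse_groups(text):
    """Return [(name, gid, {members})] from /etc/group-style text (constructed above)."""
    out = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            out.append((name, int(gid), {m for m in members.split(",") if m}))
    return out

def su_wheel_only_allows(text, user):
    """SU_WHEEL_ONLY=yes without PAM, as the quoted login.defs comment describes it:
    the user must be listed in the FIRST gid-0 group in /etc/group."""
    for _name, gid, members in parse_groups(text):
        if gid == 0:
            return user in members
    return False  # no gid-0 group at all: nobody may su to uid 0

def _matches(field, user, groups):
    """Match one suauth id field: ALL, GROUP g1,g2, a user list, or ALL EXCEPT ..."""
    negate = field.startswith("ALL EXCEPT ")
    if negate:
        field = field[len("ALL EXCEPT "):]
    if field == "ALL":
        hit = True
    elif field.startswith("GROUP "):
        # Only the member list in /etc/group is consulted in this model.
        hit = any(user in groups.get(g, set()) for g in field[6:].split(","))
    else:
        hit = user in field.split(",")
    return hit != negate

def suauth_decision(rules, from_user, to_user, text):
    """Action of the first matching /etc/suauth line (to-id:from-id:ACTION), or
    PROMPT when nothing matches and su falls back to asking the target's password."""
    groups = {name: members for name, _gid, members in parse_groups(text)}
    for line in rules.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            to_id, from_id, action = (p.strip() for p in line.split(":", 2))
            if _matches(to_id, to_user, groups) and _matches(from_id, from_user, groups):
                return action
    return "PROMPT"

GKMAC_RULE = "root:ALL EXCEPT GROUP wheel:DENY"      # only wheel may su to root
CHRISKE_RULE = "ALL:ALL EXCEPT GROUP wheel:DENY"     # only wheel may su at all
```

With this /etc/group, alice is in wheel but not in the gid-0 group, so the SU_WHEEL_ONLY check refuses her while gkmac's suauth rule lets her through to the password prompt; bob is denied by both.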
g4c9z
Apprentice
Joined: 03 Jun 2004
Posts: 178
PostPosted: Mon Feb 07, 2005 11:41 pm

By the way, what's the security risk with allowing anyone to use su? Don't they still have to know root's password to become root? There is a slight improvement if they can't even log in as root knowing root's password, but isn't there another way they can log in if they know root's password anyway (i.e. just log in as root in the first place)?
Chriske
Tux's lil' helper
Joined: 09 Apr 2004
Posts: 86
Location: Belgium (Antwerp)
PostPosted: Tue Feb 08, 2005 6:39 pm

The most important thing to secure your system is, of course, having a good root-password. But if you can disallow people to even try to login as root, it's even more secure.
One of these precautions is only allowing certain trusted users to su; others are disallowing root login on ssh, ...

That's the way i see it.
_________________
In a world without fences and walls, who needs Gates and Windows?
g4c9z
Apprentice
Joined: 03 Jun 2004
Posts: 178
PostPosted: Tue Feb 08, 2005 8:03 pm

OK, so otherwise, users could log in as a normal user by ssh, then su to root, even though root login is disallowed by ssh?
Chriske
Tux's lil' helper
Joined: 09 Apr 2004
Posts: 86
Location: Belgium (Antwerp)
PostPosted: Wed Feb 09, 2005 7:03 pm

Indeed, because ssh just starts bash, it does not start its own shell. So permissions for using su are out of the control of ssh.
_________________
In a world without fences and walls, who needs Gates and Windows?
SCUD
n00b
Joined: 16 Jan 2005
Posts: 12
PostPosted: Mon Mar 14, 2005 10:23 am

Yeah, I had the exact same problem as well, compiled everything with USE="-pam" (I hate it and don't need it) and was running the latest version of shadow 4.0.5 and I couldn't su to root even though I was in the wheel group.

Based on the posts I thought I would try emerging pam-login, after that pam conveniently deleted all of my logins including root. Thanks Pam! LiveCD to the rescue... :roll:
SCUD
n00b
Joined: 16 Jan 2005
Posts: 12
PostPosted: Tue Mar 15, 2005 7:30 am

Just for the information of anyone out there who is interested... After I got home and booted from the LiveCD all I had to do was unmerge pam-login and shadow, then I did an:

Code:
emerge -pu world
To see exactly what packages it wanted.

I grabbed pam-login, shadow and everything else in the list then I rebooted and I could log back in. I tested out su and it works fine now. So the latest version of shadow can work albeit with a bit of hassle (without editing any config files, allowing any security issues) and allow the correct functionality of the wheel group and su etc...

I recommend unmerging and re-emerging shadow and pam-login and hopefully that will help others.
gojensen
n00b
Joined: 26 May 2005
Posts: 1
PostPosted: Thu May 26, 2005 8:51 am

Hi all (my first post)

I came here because I couldn't get su to work either (fresh installed from 2005.0 updated portage as of two days ago...). I have Shadow 4.0.5-r3, and one user in the wheel group.

No matter WHAT I did the user couldn't SU. And I checked rights etc. etc. Which finally led me to this thread. For me the solution was to change /etc/login.defs, SU_WHEEL_ONLY no.

The odd thing is this; the user in the WHEEL group can now SU. If I remove the user from the WHEEL group he can NOT SU. So it seems the description here is wrong or something. I do not have PAM, and thus -PAM in the use flags.

So as of mid May 2005 this SU thing seems to not be properly resolved yet. (I do not emerge any ~x86 packages...)
_________________
:?:
afabco
Guru
Joined: 24 Feb 2004
Posts: 380
PostPosted: Sat May 28, 2005 5:00 am

It's not; it's the &(#&%(&*'ing pam thing. System needs a +pam to do the wheel group thing. I've tried jettisoning pam a couple of times, and all sorts of weird things happen, so I end up re-using it. grrrrr. I think that pam is just some of the bad baggage that we are stuck with for the foreseeable future, or until I have time to become an Uber-Uber and rewrite everything to make it an option.
_________________
Anyone who puts a small gloss on a fundamental technology, calls it proprietary, and then tries to keep others from building on it, is a thief.
-Tim O'Reilly