BWoso l33t
Joined: 31 Dec 2003 Posts: 920 Location: Cleveland Ohio, USA
Posted: Fri Dec 03, 2004 12:32 pm Post subject:
Not a solution but a way around for the time being... Hit ctrl+alt+f11, alt+f2, log in as root, do whatever you need to do, or start emerging something or whatever... ctrl+alt+f7 to get back into your WM/DE.
_________________
I think that the forums are the greatest thing about Gentoo, thanks to everyone that posts on them!
The best way to cheer yourself up is to try to cheer somebody else up.
-Mark Twain-
hielvc Advocate
Joined: 19 Apr 2002 Posts: 2805 Location: Oceanside, Ca
slycordinator Advocate
Joined: 31 Jan 2004 Posts: 3065 Location: Korea
Posted: Sat Dec 04, 2004 8:14 pm Post subject: UPDATE
This seems to have been fixed in version 4.0.6.
I have 2 new users I've put on this system. One is my normal account, which is part of the wheel group and not part of the root group. I added another account to test all this out which isn't in the wheel group.
Before I didn't have an entry for SU_WHEEL_ONLY in /etc/login.defs. So at that time, anyone could su as long as they knew the password. So I added "SU_WHEEL_ONLY yes" to /etc/login.defs.
I now can su using my normal account (the one that is in wheel) but not using the other one (the one that's not part of wheel).
btw: 4.0.6 is masked "~x86"
stealthy Tux's lil' helper
Joined: 08 Aug 2002 Posts: 118 Location: ONTARIO CANADA
Posted: Sat Dec 04, 2004 11:43 pm Post subject: workaround?
I was having the same problem, although I ran into this problem because I messed up my pam... and wasn't able to log into the system because of missing libpam_misc.so etc... and wasn't able to recompile pam-login... it kept on failing while trying to compile login.c
so I just did:
Using LiveCD & chrooting to my system
emerge unmerge shadow pam
then emerge depclean
then added -pam to use flags
then emerge shadow
and then the system was usable once again.
although I had to recompile samba, ssh, vixie-cron etc. (whatever was using pam for authentication)
Now to the problem of not being able to su -
Still wanting to keep unauthorised users from being able to su -, I decided to make another user, and then added that user to group root
for eg.
username: newuser (not actual username)
primary group: users
additional groups: wheel,root,audio
did this because once the wheel issue is resolved I'll delete this new user.
_________________
All your Gentoo are belong to us.
Malice Tux's lil' helper
Joined: 13 Jun 2003 Posts: 78
Posted: Sun Dec 05, 2004 9:25 am Post subject:
In case anyone is wondering, re-enabling pam with
Code:
USE='pam' emerge -vuatD --newuse world
gave me back the desired behaviour - wheel members can su, but no one else can.
I had an 'oh shit' moment halfway through this build. I had emerge running inside a detached screen, and accidentally logged out of my last shell. When I tried to log back in again as root I got a pam error and couldn't log in. Doh! Once the build had finished though I was able to log in, and everything worked as expected.
Now I know why there is a warning in the description for the pam use flag about arbitrarily flipping the value.
ZiGZaG n00b
Joined: 02 Sep 2004 Posts: 9 Location: Naples-Italy
Posted: Tue Dec 07, 2004 10:02 am Post subject:
I did
Code:
ACCEPT_KEYWORDS="~x86" emerge -u shadow
to do as slycordinator said, but my wheel-users still can't su to root with SU_WHEEL_ONLY yes.
I think I'll try
Code:
USE='pam' emerge -vuatD --newuse world
as Malice said... when I can compile one day long of course... because my Gentoo is on a notebook.
_________________
ZiGZaG
Chriske Tux's lil' helper
Joined: 09 Apr 2004 Posts: 86 Location: Belgium (Antwerp)
Posted: Sat Dec 18, 2004 3:12 pm Post subject:
I don't like pam, and don't want it to be installed on my system (had it before, caused a lot of conflicts, e.g. audio did not work anymore in some progs).
As far as I understand, usage of the wheel-group only works correctly using pam. But from the comment (which appears only to be present when using sys-apps/shadow, without pam) in /etc/login.defs:
Code:
#
# If "yes", the user must be listed as a member of the first gid 0 group
# in /etc/group (called "root" on most Linux systems) to be able to "su"
# to uid 0 accounts. If the group doesn't exist or is empty, no one
# will be able to "su" to uid 0.
#
SU_WHEEL_ONLY yes
I get that shadow does not work with a wheel-group, but all users you want to be able to su must be members of the root-group (with gid 0).
I tried this (adding all users who were members of the wheel-group to the root-group) and this seems to work properly (only these users can su, others can't).
Now my only question is: are there any consequences (e.g. security risks) when adding a user to the root-group?
_________________
In a world without fences and walls, who needs Gates and Windows?
gkmac Guru
Joined: 19 Jan 2003 Posts: 333 Location: West Sussex, UK
Posted: Sun Dec 19, 2004 6:02 pm Post subject:
Chriske wrote:
> I don't like pam, and don't want it to be installed on my system (had it before, caused a lot of conflicts, e.g. audio did not work anymore in some progs)
> As far as I understand, usage of the wheel-group only works correctly using pam.
I recently jettisoned PAM from my PCs and came across this SU_WHEEL_ONLY=yes issue. There something wasn't right (to me) about adding users to gid 0.
But I found a way to preserve the "wheel group" behaviour without PAM. Firstly set SU_WHEEL_ONLY=no and then create the file /etc/suauth with this single line...
Code:
root:ALL EXCEPT GROUP wheel:DENY
...and now only members of the wheel group can su to root, while everybody can su to everybody else (password permitting).
man suauth will tell you how you can apply further restrictions.
Chriske Tux's lil' helper
Joined: 09 Apr 2004 Posts: 86 Location: Belgium (Antwerp)
Posted: Mon Dec 20, 2004 3:43 pm Post subject:
Tnx, gkmac.
I too had problems with adding users to the root-group (that's why I posted my previous msg).
Your solution is indeed perfect, although I used "ALL:ALL EXCEPT GROUP wheel:DENY" to get the same effect as with PAM.
Thanks a lot.
_________________
In a world without fences and walls, who needs Gates and Windows?
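The two non-PAM access rules discussed in Chriske's and gkmac's posts (the SU_WHEEL_ONLY comment in /etc/login.defs, and the /etc/suauth rule lines "root:ALL EXCEPT GROUP wheel:DENY" and "ALL:ALL EXCEPT GROUP wheel:DENY") can be checked on paper before touching a box. The following is an added example, not code from this thread and not the shadow package's own su code: a small Python model of both rules, fed constructed /etc/group and /etc/suauth contents. It assumes, as suauth(5) describes, that a GROUP match needs an explicit member entry in /etc/group and that lines are evaluated top to bottom with the first matching line deciding; the actual su binary is never consulted.

```python
"""Added example, not from this thread or from the shadow package.

Models the two non-PAM su access rules the posts above describe:
  * SU_WHEEL_ONLY in /etc/login.defs, with the semantics of the quoted
    comment (membership in the first gid-0 group in /etc/group);
  * the /etc/suauth rule file ("to-id:from-id:ACTION"), as in suauth(5).
The /etc/group and /etc/suauth contents below are constructed samples.
Assumption: suauth lines are read top to bottom and the first matching
line decides; the real su binary is not consulted here.
"""

# Constructed /etc/group sample: name:password:gid:member,member
SAMPLE_GROUP = """\
root:x:0:alice
wheel:x:10:alice,bob
users:x:100:
audio:x:18:bob,carol
"""

# Constructed /etc/suauth samples: gkmac's line and Chriske's variant.
SUAUTH_ROOT_ONLY = "root:ALL EXCEPT GROUP wheel:DENY\n"
SUAUTH_ALL = "ALL:ALL EXCEPT GROUP wheel:DENY\n"


def parse_group(text):
    """Parse /etc/group text into a list of (name, gid, members) in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _password, gid, members = line.split(":", 3)
        entries.append((name, int(gid), [m for m in members.split(",") if m]))
    return entries


def in_group(entries, user, group_name):
    """True only if the user is listed as a member of group_name in /etc/group.
    suauth(5) is explicit that a matching primary gid alone is not enough."""
    return any(user in members for name, _gid, members in entries if name == group_name)


def wheel_only_allows(entries, user, su_wheel_only=True):
    """SU_WHEEL_ONLY check as the quoted login.defs comment describes it:
    the user must be a member of the FIRST gid-0 group in /etc/group; if no
    gid-0 group exists or it is empty, nobody may su to uid 0."""
    if not su_wheel_only:
        return True
    for _name, gid, members in entries:
        if gid == 0:
            return user in members
    return False


def _id_matches(spec, user, entries):
    """Match one to-id/from-id field against a user name. Accepted forms:
    ALL | name,... | ALL EXCEPT name,... | GROUP g,... | ALL EXCEPT GROUP g,..."""
    tokens = spec.split()
    negate = tokens[:2] == ["ALL", "EXCEPT"]
    if negate:
        tokens = tokens[2:]
    if tokens == ["ALL"]:
        return not negate
    if tokens and tokens[0] == "GROUP":
        names = [g for g in ",".join(tokens[1:]).split(",") if g]
        hit = any(in_group(entries, user, g) for g in names)
    else:
        names = [n for n in ",".join(tokens).split(",") if n]
        hit = user in names
    return not hit if negate else hit


def suauth_decision(rules_text, to_user, from_user, entries):
    """Return the ACTION (DENY, NOPASS or OWNPASS) of the first matching
    /etc/suauth line, or None when no line matches (normal password prompt)."""
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        to_spec, from_spec, action = (f.strip() for f in line.split(":", 2))
        if _id_matches(to_spec, to_user, entries) and _id_matches(from_spec, from_user, entries):
            return action.upper()
    return None


# Parsed once so the sample can be queried directly.
SAMPLE_GROUPS = parse_group(SAMPLE_GROUP)

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user,
              "SU_WHEEL_ONLY:", wheel_only_allows(SAMPLE_GROUPS, user),
              "suauth root-only:", suauth_decision(SUAUTH_ROOT_ONLY, "root", user, SAMPLE_GROUPS),
              "suauth all:", suauth_decision(SUAUTH_ALL, "bob", user, SAMPLE_GROUPS))
```

With the sample data, alice (listed in the gid-0 group) passes SU_WHEEL_ONLY while bob (wheel only) does not, which is exactly the surprise Chriske ran into; under gkmac's suauth line bob and alice get the normal password prompt for root and carol is denied, and under Chriske's "ALL:" variant carol is denied from switching to anyone at all.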
g4c9z Apprentice
Joined: 03 Jun 2004 Posts: 178
Posted: Mon Feb 07, 2005 11:41 pm Post subject:
By the way, what's the security risk with allowing anyone to use su? Don't they still have to know root's password to become root? There is a slight improvement if they can't even log in as root knowing root's password, but isn't there another way they can log in if they know root's password anyway (i.e. just log in as root in the first place)?
Chriske Tux's lil' helper
Joined: 09 Apr 2004 Posts: 86 Location: Belgium (Antwerp)
Posted: Tue Feb 08, 2005 6:39 pm Post subject:
The most important thing to secure your system is, of course, having a good root-password. But if you can disallow people to even try to login as root, it's even more secure.
One of these precautions is only allowing certain trusted users to su, others are disallowing root login on ssh, ...
That's the way I see it.
_________________
In a world without fences and walls, who needs Gates and Windows?
g4c9z Apprentice
Joined: 03 Jun 2004 Posts: 178
Posted: Tue Feb 08, 2005 8:03 pm Post subject:
OK, so otherwise, users could log in as a normal user by ssh, then su to root, even though root login is disallowed by ssh?
Chriske Tux's lil' helper
Joined: 09 Apr 2004 Posts: 86 Location: Belgium (Antwerp)
Posted: Wed Feb 09, 2005 7:03 pm Post subject:
Indeed, because ssh just starts bash, it does not start its own shell. So permissions for using su are out of the control of ssh.
_________________
In a world without fences and walls, who needs Gates and Windows?
SCUD n00b
Joined: 16 Jan 2005 Posts: 12
Posted: Mon Mar 14, 2005 10:23 am Post subject:
Yeah, I had the exact same problem as well, compiled everything with USE="-pam" (I hate it and don't need it) and was running the latest version of shadow 4.0.5 and I couldn't su to root even though I was in the wheel group.
Based on the posts I thought I would try emerging pam-login, after that pam conveniently deleted all of my logins including root. Thanks Pam! LiveCD to the rescue...
SCUD n00b
Joined: 16 Jan 2005 Posts: 12
Posted: Tue Mar 15, 2005 7:30 am Post subject:
Just for the information of anyone out there who is interested... After I got home and booted from the LiveCD all I had to do was unmerge pam-login and shadow, then I did an:
To see exactly what packages it wanted.
I grabbed pam-login, shadow and everything else in the list, then I rebooted and I could log back in. I tested out su and it works fine now. So the latest version of shadow can work, albeit with a bit of hassle (without editing any config files, allowing any security issues), and allow the correct functionality of the wheel group and su etc...
I recommend unmerging and re-emerging shadow and pam-login and hopefully that will help others.
gojensen n00b
Joined: 26 May 2005 Posts: 1
Posted: Thu May 26, 2005 8:51 am Post subject:
Hi all (my first post)
I came here because I couldn't get su to work either (fresh installed from 2005.0, updated portage as of two days ago...). I have shadow 4.0.5-r3, and one user in the wheel group.
No matter WHAT I did the user couldn't su. And I checked rights etc. etc. Which finally led me to this thread. For me the solution was to change /etc/login.defs to SU_WHEEL_ONLY no.
The odd thing is this: the user in the wheel group can now su. If I remove the user from the wheel group he can NOT su. So it seems the description here is wrong or something. I do not have PAM, and thus -pam in the use flags.
So as of mid May 2005 this su thing seems to not be properly resolved yet. (I do not emerge any ~x86 packages...)
afabco Guru
Joined: 24 Feb 2004 Posts: 380
Posted: Sat May 28, 2005 5:00 am Post subject:
It's not; it's the &(#&%(&*'ing pam thing. System needs a +pam to do the wheel group thing. I've tried jettisoning pam a couple of times, and all sorts of weird things happen, so I end up re-using it. grrrrr. I think that pam is just some of the bad baggage that we are stuck with for the foreseeable future, or until I have time to become an Uber-Uber and rewrite everything to make it an option.
_________________
Anyone who puts a small gloss on a fundamental technology, calls it proprietary, and then tries to keep others from building on it, is a thief.
-Tim O'Reilly