rew n00b
Joined: 28 Aug 2002 Posts: 47 Location: Oregon
Posted: Tue Sep 03, 2002 2:43 am Post subject: su problem: (/etc/group is ok) i rtfm... twice

OK, I still have a problem with su. I have read the docs; in fact, I have read them twice to make sure I didn't miss anything. I get the error:

Code:
su: Authentication failure
Sorry.

I am sure my wheel group is set up right. I am sure I am using the right password (I have been trying for a few days). I can log in as root normally, I just can't su. (I also can't use the 'login' command to get to root once I'm logged in as another user.)
Any ideas? (Yes, I have logged out and back in; yes, I have tried rebooting; yes, it is plugged in, I'm sure.)
_________________
linux-2.4.20 i686 SMP
Tyan Tiger MP
Dual Athlon MP 1600+
512MB EEC (1/4)
PNY Verto 64MB - GeForce4 MX 420
'Cheep-ass NIC, CDRW & DVD'
Last edited by rew on Tue Sep 03, 2002 5:14 am; edited 1 time in total
pjp Administrator
Joined: 16 Apr 2002 Posts: 20067
Posted: Tue Sep 03, 2002 2:53 am Post subject:

If you log in as root, can you su to a user?
EDIT: Permissions are now covered in the FAQ Forum.
_________________
Quis separabit? Quo animo?
Last edited by pjp on Fri Dec 23, 2005 2:38 pm; edited 1 time in total
squanto Guru
Joined: 20 Apr 2002 Posts: 524 Location: Rochester, NY, USA
Posted: Tue Sep 03, 2002 2:55 am Post subject:

At a prompt for your normal user, type "groups". The output should be something like this:

Code:
users disk wheel floppy audio cdrom video cdrw

Then you can tell if you are in wheel. Make sure when adding yourself to groups that you include all other groups you are currently in, so that you retain your status as being a part of those groups as well.
Andrew
travis n00b
Joined: 14 Aug 2002 Posts: 51
Posted: Tue Sep 03, 2002 3:32 am Post subject: Been there, done that

I had this very same problem. So frustrating! So I eventually re-emerged pam (I think) and su started working again.
Good luck.
rew n00b
Joined: 28 Aug 2002 Posts: 47 Location: Oregon
Posted: Tue Sep 03, 2002 4:15 am Post subject: answers to your questions

Reply #1: yes, I can su from root to a 'normal' user.
Reply #2: when I run groups my output is: users wheel audio
I'm going to try to re-emerge pam to see if that helps now.
=> Update: re-emerging pam had no effect.
Last edited by rew on Tue Sep 03, 2002 5:15 am; edited 2 times in total
rew n00b
Joined: 28 Aug 2002 Posts: 47 Location: Oregon
Posted: Tue Sep 03, 2002 4:18 am Post subject: re-emerged pam and...

I just re-emerged pam and I am still having the original problem.
rac Bodhisattva
Joined: 30 May 2002 Posts: 6553 Location: Japanifornia
Posted: Tue Sep 03, 2002 4:50 am Post subject:

Is there anything interesting in /var/log/auth.log?
_________________
For every higher wall, there is a taller ladder
rew n00b
Joined: 28 Aug 2002 Posts: 47 Location: Oregon
Posted: Tue Sep 03, 2002 5:08 am Post subject: nope

I don't even have a file at /var/log/auth.log.
Also, I just found that when trying to run `ps` as a regular user I get this error: "This /bin/ps is not secure for setuid operation."
rac Bodhisattva
Joined: 30 May 2002 Posts: 6553 Location: Japanifornia
Posted: Tue Sep 03, 2002 5:25 am Post subject:

What system logger are you using? Can you emerge strace if you haven't already and post the output of ... or any part of it that looks interesting, if it's really long?
_________________
For every higher wall, there is a taller ladder
rew n00b
Joined: 28 Aug 2002 Posts: 47 Location: Oregon
Posted: Tue Sep 03, 2002 6:10 am Post subject: and now i go figure out what all this means

Code:
[root /home/media]$ strace -u rew ps
execve("/bin/ps", ["ps"], [/* 42 vars */]) = 0
brk(0) = 0x8163588
fcntl64(0, F_GETFD) = 0
fcntl64(1, F_GETFD) = 0
fcntl64(2, F_GETFD) = 0
access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000
open("/etc/ld.so.preload", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
close(3) = 0
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=76143, ...}) = 0
old_mmap(NULL, 76143, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40017000
close(3) = 0
open("/lib/libproc.so.2.0.7", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000#\0\000"..., 1024) = 1024
fstat64(3, {st_mode=S_IFREG|0555, st_size=45611, ...}) = 0
old_mmap(NULL, 49288, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x4002a000
mprotect(0x40033000, 12424, PROT_NONE) = 0
old_mmap(0x40033000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x8000) = 0x40033000
old_mmap(0x40034000, 8328, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40034000
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\250\224"..., 1024) = 1024
fstat64(3, {st_mode=S_IFREG|0755, st_size=1425012, ...}) = 0
old_mmap(NULL, 1241088, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40037000
mprotect(0x4015c000, 40960, PROT_NONE) = 0
old_mmap(0x4015c000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x124000) = 0x4015c000
old_mmap(0x40162000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40162000
close(3) = 0
munmap(0x40017000, 76143) = 0
uname({sys="Linux", node="luna.daspek.com", ...}) = 0
open("/proc/uptime", O_RDONLY) = 3
lseek(3, 0, SEEK_SET) = 0
read(3, "3962.00 3780.76\n", 1023) = 16
open("/proc/stat", O_RDONLY) = 4
lseek(4, 0, SEEK_SET) = 0
read(4, "cpu 28031 0 7626 756743\ncpu0 14"..., 1023) = 685
lseek(3, 0, SEEK_SET) = 0
read(3, "3962.00 3780.76\n", 1023) = 16
getuid32() = 1000
geteuid32() = 0
write(2, "This /bin/ps is not secure for s"..., 49This /bin/ps is not secure for setuid operation.
) = 49
_exit(1)
Houdini Apprentice
Joined: 14 Jun 2002 Posts: 224 Location: New Mexico Tech, Socorro, NM
Posted: Tue Sep 03, 2002 6:16 am Post subject:

I suspect some of the security options in the kernel (GRSecurity, right?) went awry. Try rebuilding a kernel with all that turned off. If it works, start turning things on one by one. I know, it sounds like a lot of work, but it might fix the system.
_________________
^]:wq
rac Bodhisattva
Joined: 30 May 2002 Posts: 6553 Location: Japanifornia
Posted: Tue Sep 03, 2002 6:20 am Post subject:

OK, one other thing I should have asked first. Is /bin/ps setuid? If so, do you know why? Could you try

Code:
# chmod 555 /bin/ps

...and see if that helps anything?
_________________
For every higher wall, there is a taller ladder
rew n00b
Joined: 28 Aug 2002 Posts: 47 Location: Oregon
Posted: Tue Sep 03, 2002 6:23 am Post subject:

rac: that worked, but I don't care about that as much as I care about getting su to work :-) Still have the original problem.
------------------------------------
The other dude: sorry, no security settings in the kernel.
rac Bodhisattva
Joined: 30 May 2002 Posts: 6553 Location: Japanifornia
Posted: Tue Sep 03, 2002 6:31 am Post subject:

rew wrote:
    rac: that worked, but i dont care about that as much as I care about getting su to work still have the original problem

OK, back to the log. What logger do you have? Is there anything authorization, su, or PAM-related in any of the files you do have in /var/log? What are the contents of /etc/pam.d/su?
_________________
For every higher wall, there is a taller ladder
rew n00b
Joined: 28 Aug 2002 Posts: 47 Location: Oregon
Posted: Tue Sep 03, 2002 6:40 am Post subject: logging

The returns of `emerge -s .*log.*` show I have:

Code:
metalog (0.6-r10)
pam-login (3.6-r2)

Also,
`cat /var/log/critical/current` shows:

Code:
Aug 24 22:02:49 [login(pam_unix)] check pass; user unknown
Aug 24 22:04:47 [login(pam_unix)] service(login) ignoring max retries; 4 > 3

which is not exactly the right date, but so far that is the best login-type file I can do for ya right now.
Lastly,
`cat /etc/pam.d/su`:

Code:
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_wheel.so use_uid
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so

Does that help any? (I will keep looking for interesting log files and update this post when I find them.)
rac Bodhisattva
Joined: 30 May 2002 Posts: 6553 Location: Japanifornia
Posted: Tue Sep 03, 2002 6:56 am Post subject:

How long have you had this installation running? Did su suddenly stop working? Has it ever worked on this installation? What network daemons are you running? Are you using NIS? Have you noticed anything else unusual about this computer lately?
_________________
For every higher wall, there is a taller ladder
pjp Administrator
Joined: 16 Apr 2002 Posts: 20067
Posted: Tue Sep 03, 2002 2:09 pm Post subject:

I haven't heard mention of the /etc/suauth file. What do you have in it?
_________________
Quis separabit? Quo animo?
ebrostig Bodhisattva
Joined: 20 Jul 2002 Posts: 3152 Location: Orlando, Fl
Posted: Tue Sep 03, 2002 6:39 pm Post subject:

One thing that nobody has asked you is: what are the permissions on your /bin/su program?
Mine are: -rwsr-xr-x.
If I change this to -rwxr-xr-x I get the following error when I try to su to another user:

Code:
Password:
su: Authentication failure
Sorry.

Hope this helps!
blasterboy n00b
Joined: 30 Aug 2002 Posts: 57 Location: Belgium
Posted: Tue Sep 03, 2002 7:23 pm Post subject: Did you edit the group file manually by any chance ?

Did you edit the group file manually by any chance? I did, and it gave me the same problems...
As root, I edited the group file manually and added my user to the wheel group. This gave me the correct response when typing the groups command, that I was in the wheel group, but it didn't let me su from that user to root.
It does work when I use the usermod command as given here in the forums somewhere:

Code:
usermod -G users,wheel user

My guess is that usermod does more than just edit the group file...
BB
ebrostig Bodhisattva
Joined: 20 Jul 2002 Posts: 3152 Location: Orlando, Fl
Posted: Tue Sep 03, 2002 8:39 pm Post subject: Re: Did you edit the group file manually by any chance ?

blasterboy wrote:
    Did you edit the group file manually by any chance ? I did and gave me the same problems...
    As root, I edited the group file manually, and added my user to wheel group. This gave me the correct response when typing groups command that I was in the wheel group, but didn't let me su from that user to root.
    It does work when I used the usermod command as given here in the forums somewhere :
    usermod -G users,wheel user
    My guess is that usermod does more than just edit the group file...
    BB

I have never used usermod for anything, and no, the only thing necessary is to edit the /etc/groups file.
I'm pretty sure that his permission on the executable is incorrect, as I demonstrated in my previous post.
Erik
rew n00b
Joined: 28 Aug 2002 Posts: 47 Location: Oregon
Posted: Wed Sep 04, 2002 1:56 am Post subject:

It works, thanks ebrostig. I just did a chmod a+s /bin/su and it seems to be working now. Should I change it so only some have s, or is it OK the way it is? (PS, thanks to everyone for their help.)
_________________
linux-2.4.20 i686 SMP
Tyan Tiger MP
Dual Athlon MP 1600+
512MB EEC (1/4)
PNY Verto 64MB - GeForce4 MX 420
'Cheep-ass NIC, CDRW & DVD'
ebrostig Bodhisattva
Joined: 20 Jul 2002 Posts: 3152 Location: Orlando, Fl
Posted: Wed Sep 04, 2002 1:58 am Post subject:

rew wrote:
    IT works, thanks ebrostig, i just did a chmod a+s /bin/su and it seems to be working now. should i change it so only some have s or is it ok the way it is? (ps, thanks to everyone for their help)

Glad I could help!
It should have the mask I pasted in; you can get this by:

Code:
chmod a-s,u+s /bin/su

Erik
barnie n00b
Joined: 04 Jul 2003 Posts: 21
Posted: Fri Jul 04, 2003 9:19 pm Post subject: wheel

How is this "must be wheel" realized?
I do not have Gentoo; I'm currently only planning to have it soon, so I cannot look.
If su is owned by root.root and has u+s and o+x rights, as you have posted before, then _everyone_ will suid to root and there will not be a must to be in wheel.
I think this should look like this:

Code:
-rwsr-xr-- su root wheel

to work as expected, not:

Code:
-rwsr-xr-x su root root

Or am I wrong?
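Where the "must be wheel" rule actually lives on a setup like rew's, as an added example (not code from the thread or from Gentoo). In the /etc/pam.d/su rew posted, the line `auth required /lib/security/pam_wheel.so use_uid` is what refuses su to root unless the calling user is a member of wheel (or of the group named by a `group=` option); `use_uid` makes pam_wheel test the caller's real uid rather than the login name. The mode `-rwsr-xr-x root root` only lets any user start su; PAM then decides. The script below reads constructed /etc/group and /etc/passwd content (not real files) plus a pam.d/su fragment and works out who gets past pam_wheel; it also explains the usermod note from blasterboy and squanto, since `usermod -G` replaces the whole supplementary-group list and the check here sees the list as it ends up. Function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: who passes pam_wheel for "su" to root,
# given group membership and the pam.d/su configuration.

# Constructed sample data standing in for /etc/group and /etc/passwd.
GROUP_DATA='root:x:0:root
wheel:x:10:root,rew
users:x:100:
audio:x:18:rew,media'

PASSWD_DATA='root:x:0:0:root:/root:/bin/bash
rew:x:1000:100:rew:/home/rew:/bin/bash
media:x:1001:18:media:/home/media:/bin/bash'

# in_group USER GROUP: 0 if USER is a member of GROUP, either as a primary
# group (gid field of passwd) or in the comma-separated member list of group.
in_group() {
    user=$1 group=$2
    gid=$(printf '%s\n' "$GROUP_DATA" | awk -F: -v g="$group" '$1==g {print $3}')
    [ -n "$gid" ] || return 1            # no such group
    if printf '%s\n' "$PASSWD_DATA" | awk -F: -v u="$user" -v g="$gid" \
            '$1==u && $4==g {found=1} END {exit !found}'; then
        return 0                           # primary group
    fi
    printf '%s\n' "$GROUP_DATA" | awk -F: -v g="$group" -v u="$user" '
        $1==g { n=split($4, m, ","); for (i=1;i<=n;i++) if (m[i]==u) found=1 }
        END { exit !found }'
}

# pam_wheel_group PAMCONTENT: print the group pam_wheel enforces in the auth
# stack (group=NAME option, default wheel); print nothing if no pam_wheel line
# is present, i.e. su to root is not gated on any group.
pam_wheel_group() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        $1=="auth" && $3 ~ /pam_wheel\.so/ {
            g="wheel"
            for (i=4;i<=NF;i++) if ($i ~ /^group=/) { sub(/^group=/, "", $i); g=$i }
            print g; exit }'
}

# may_su_root USER PAMCONTENT: 0 if pam_wheel would let USER continue to the
# password prompt when running su to root.
may_su_root() {
    g=$(pam_wheel_group "$2")
    [ -z "$g" ] && return 0              # no pam_wheel line: not gated
    in_group "$1" "$g"
}

# The auth section rew posted (pam_stack lines omitted; they do not affect this).
PAM_SU='#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_wheel.so use_uid'

for u in rew media; do
    if may_su_root "$u" "$PAM_SU"; then
        echo "$u: passes pam_wheel (member of $(pam_wheel_group "$PAM_SU"))"
    else
        echo "$u: refused by pam_wheel before any password is asked"
    fi
done
```

Two practical consequences follow. Taking the group bit off su (`-rwsr-xr--` owned by root:wheel, as barnie suggests) would stop non-wheel users from running su at all, including su to a non-root user; keeping `-rwsr-xr-x` and leaving the decision to pam_wheel is what the posted configuration does. And because pam_wheel reads the caller's membership from the group database, a user added to wheel by hand (or by `usermod -G`) needs the membership to actually be present on the line for `wheel` in /etc/group, which is what the `groups` check earlier in the thread verifies.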
cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Mon Sep 08, 2003 5:40 am Post subject:

I normally use sudo if I need a "root" command for a user. This is a better alternative than just adding them to the "root user" group, IMHO. If the user really, really needs full-blown access, he/she will still have to go through sudo, i.e. sudo su -, with a user password prompt, so you can do some basic sysadmin security tracking of some sort, combined with tripwire.
claw n00b
Joined: 26 Jan 2004 Posts: 32 Location: Campbell, CA
Posted: Mon Jul 19, 2004 5:09 am Post subject:

If you have sys-apps/shadow 4.0.4.1-r3, then more than "su" is broken. See Gentoo Bug 56129.
The fix is to "chmod u+s" all the files listed in that bug report.