josephg l33t
Joined: 10 Jan 2016 Posts: 783 Location: usually offline
Posted: Sun Jan 17, 2016 4:40 pm Post subject: su permission denied [solved] |
i can't seem to su. i know i'm typing the correct passwords. is there somewhere i need to set su permissions?
Code: | $ su anotheruser
Password:
su: Permission denied |
update: i found this faq sorry for bothering you all..
SA2: Why can't I su to root?
Last edited by josephg on Tue Apr 25, 2017 7:31 am; edited 6 times in total |

apiaio Guru
Joined: 04 Dec 2008 Posts: 417
Posted: Sun Jan 17, 2016 5:18 pm Post subject: |
Are you a member of the wheel group? And the sudo group maybe, but I'm not sure if it is necessary for the su command at the moment. |

josephg l33t
Joined: 10 Jan 2016 Posts: 783 Location: usually offline
Posted: Sun Jan 17, 2016 5:27 pm Post subject: |
that's exactly what i'm thinking.. this is su not sudo
and no, i didn't want this user in the wheel group. i think wheel group is relevant to sudo, not su?? |

apiaio Guru
Joined: 04 Dec 2008 Posts: 417
Posted: Sun Jan 17, 2016 5:33 pm Post subject: |
AFAIK, the wheel group is used to control access to the su command, which allows a user to masquerade as another user. |

josephg l33t
Joined: 10 Jan 2016 Posts: 783 Location: usually offline
Posted: Sun Jan 17, 2016 8:18 pm Post subject: |
afaik the wheel group is dangerous, as in, if i add a user to wheel, that user can run any command or do anything as root.
su just allows a user to run another command or temp login as another user, not necessarily as root. |

khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Sun Jan 17, 2016 9:54 pm Post subject: |
josephg wrote: | afaik the wheel group is dangerous, as in, if i add a user to wheel, that user can run any command or do anything as root. su just allows a user to run another command or temp login as another user, not necessarily as root. |
josephg ... wheel is a lot less permissive than you imagine, though, due to configuration it will allow any user in that group to 'su' and so gain superuser privileges ... but that's basically what su is for. So, you can't have it both ways ... 'su' but not be superuser.
Code: | # grep wheel /etc/pam.d/su
auth required pam_wheel.so use_uid |
So, do you trust yourself to become root? If so then add yourself to the 'wheel' group.
Code: | # usermod -a -G wheel josephg |
If you want more fine grained control of what "a user" can do then use app-admin/sudo.
best ... khay |

josephg l33t
Joined: 10 Jan 2016 Posts: 783 Location: usually offline
Posted: Sun Jan 17, 2016 10:19 pm Post subject: |
thanks apiaio and khayyam, i stand corrected. i added my user to wheel, and it allows su. i have had to remove wheel from sudoers, for this reason.
i never had to do this on any of the other distros that i've used before.. basically su would allow you to become that user, if you knew that user password. simple.
sudo to become that user without knowing that user password.. sounds strange? but there are many use cases where this is very handy.
i've been using a combination of the two above, all along. till now..
i see the gentoo viewpoint now. yes this is a bit more secure. i just need to use another group for sudoers. |

Syl20 l33t
Joined: 04 Aug 2005 Posts: 619 Location: France
Posted: Mon Jan 18, 2016 11:38 am Post subject: |
josephg wrote: | sudo to become that user without knowing that user password.. sounds strange? but there are many use cases where this is very handy. |
Yes. For example, you can set a very hard password for root, store it in a strongbox, and never give it to anybody (even you). Even better, you can lock the root account (with passwd -l), and permit authorized admins to manage the system with sudo only. This way, you know who did what.
Quote: | i just need to use another group for sudoers. |
That's trivial. Just replace %wheel with another custom-made group in your sudoers file.
You can also authorize users individually. |

josephg l33t
Joined: 10 Jan 2016 Posts: 783 Location: usually offline
Posted: Mon Jan 18, 2016 6:22 pm Post subject: |
CneGroumF wrote: | lock the root account (with passwd -l), and permit authorized admins to manage the system with sudo only. |
that is debian default since many years. set at install.
CneGroumF wrote: | replace %wheel by another custom-made group in your sudoers file. |
again, debian uses "sudo" group for this purpose.
which is what i was trying to replicate, when i encountered this issue |

apiaio Guru
Joined: 04 Dec 2008 Posts: 417
Posted: Mon Jan 18, 2016 7:30 pm Post subject: |
josephg wrote: | that is debian default since many years. set at install. |
In Gentoo it has been installed for many years too, but not by default. You can choose whether or not to enable the wheel or sudo group. |

josephg l33t
Joined: 10 Jan 2016 Posts: 783 Location: usually offline
Posted: Tue Apr 25, 2017 7:23 am Post subject: |
this is how gentoo restricts su to wheel group only.
Code: | $ cat /etc/pam.d/su | grep wheel
#auth required pam_wheel.so use_uid |
i resolved this long outstanding issue, by commenting out that line, thanks to TheJJ @stackexchange. |
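
The check discussed in this thread, as an added example that is not part of any post or of Gentoo's own tooling: a shell audit that reports whether a PAM su file has an active pam_wheel.so line and whether a given user would pass it. The function names, the users alice and bob, and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: is su gated behind the wheel group in this PAM file,
# and would a given user pass? Paths are parameters; defaults as in the thread.

# True if an active (uncommented) auth line loads pam_wheel.so.
wheel_enforced() {
    awk '
        /^[ \t]*#/ { next }    # commented out, as in the last post
        $1 == "auth" || $1 == "-auth" {
            for (i = 3; i <= NF; i++)
                if ($i ~ /(^|\/)pam_wheel\.so$/) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "${1:-/etc/pam.d/su}"
}

# True if user $1 is in the member list of group $2 in group(5) file $3.
# Simplification: primary-group membership (the passwd gid) is not checked.
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit (ok ? 0 : 1) }
    ' "${3:-/etc/group}"
}

# Prints one verdict for user $1, PAM file $2, group file $3:
#   unrestricted  no active pam_wheel line (the target password is still needed)
#   allowed       pam_wheel active and the user is in wheel
#   denied        pam_wheel active and the user is not in wheel
su_verdict() {
    if ! wheel_enforced "$2"; then echo unrestricted
    elif in_group "$1" wheel "$3"; then echo allowed
    else echo denied
    fi
}

# Constructed sample files (not taken from a real system).
demo_dir=$(mktemp -d)
printf 'auth sufficient pam_rootok.so\nauth required pam_wheel.so use_uid\n' > "$demo_dir/su.active"
printf 'auth sufficient pam_rootok.so\n#auth required pam_wheel.so use_uid\n' > "$demo_dir/su.commented"
printf 'root:x:0:root\nwheel:x:10:root,alice\nusers:x:100:bob\n' > "$demo_dir/group"

for u in alice bob; do
    echo "$u, wheel line active:    $(su_verdict "$u" "$demo_dir/su.active" "$demo_dir/group")"
    echo "$u, wheel line commented: $(su_verdict "$u" "$demo_dir/su.commented" "$demo_dir/group")"
done
```

On a live system, `su_verdict "$USER" /etc/pam.d/su /etc/group` runs the same check against the real files.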