Can't su to root

Hello, I can ssh as root directly, but when I log in as a normal user, I can't su to root:

user@server:~% su
Password:

and in the /var/log/messages:

session opened for user root by user(uid=501)
session closed for user root

I'm sure the root password is correct. Any pointers?

Check /etc/pam.d/su. If you see a line like this:

auth           required        pam_wheel.so use_uid

without a # preceding it, then your username must be in the "wheel" group. Go to /etc/group, find the line starting with "wheel", and add user username to the end of it. (If there is already another username there, add a comma (,) and then your username).

user@server:~% grep "pam_wheel.so use_uid" /etc/pam.d/su
6:#auth       required     /lib/security/$ISA/pam_wheel.so use_uid

I don't think the admin who was installing the OS is knowledgeable enough to change this setting.

Btw, the OS is Red Hat.

I think I should describe this issue a bit further:

When prompting for the root password, after I type it the first time, there is no output and nothing happens; the second time, it complains "command not found"

user@server:~% su
Password:

bash: line 1: root_password: command not found

Why the "6:" in front of the output of the grep command?

Try

rpm -qf /bin/su

On my RedHat system, it gives "coreutils" with some version info. Now do this:

 rpm -q --verify coreutils

Any files whose permissions or md5 signatures have changed will be shown, like this:

S.5....T c /bin/su

If you see such a thing, your system has been compromised. If not, we'll investigate further.
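An added example, not part of the original posts: a POSIX shell filter that decodes `rpm -q --verify` lines like the one quoted above and separates changes to files the package marks as configuration (marker `c`) from changes to other files. The verdict labels and the sample lines are constructed for illustration; the flag letters follow the standard `rpm -V` column layout.

```shell
#!/bin/sh
# Added example: triage `rpm -q --verify <pkg>` output read from stdin.
# Line format: <flags> [<marker>] <path>. flags has 8 or 9 positions
# (S M 5 D L U G T [P]); '.' means the test passed.

# Turn a flag string such as "S.5....T" into a comma-separated list.
decode_flags() {
    out=""
    for pair in S:size M:mode 5:digest D:device L:symlink \
                U:owner G:group T:mtime P:capabilities; do
        case "$1" in
            *"${pair%%:*}"*) out="$out${out:+,}${pair#*:}" ;;
        esac
    done
    echo "$out"
}

# Print "<verdict> <path> <changed attributes>" for every changed file.
# Verdict labels (hypothetical, chosen for this example):
#   missing      file listed by the package is gone
#   config       package marks the file as configuration (marker c)
#   low          only the modification time differs
#   investigate  content, mode or ownership of a non-config file differs
triage_rpm_verify() {
    while read -r flags rest; do
        [ -n "$flags" ] || continue
        case "$rest" in
            /*) marker=""; path=$rest ;;
            *)  marker=${rest%% *}; path=/${rest#*/} ;;
        esac
        if [ "$flags" = "missing" ]; then
            echo "missing $path"; continue
        fi
        attrs=$(decode_flags "$flags")
        [ -n "$attrs" ] || continue      # nothing changed on this line
        if [ "$marker" = "c" ]; then verdict=config
        elif [ "$attrs" = "mtime" ]; then verdict=low
        else verdict=investigate
        fi
        echo "$verdict $path $attrs"
    done
}

# Constructed sample input (not output from the system in this thread).
sample_verify_output() {
    printf '%s\n' 'S.5....T    /bin/su' 'S.5....T  c /etc/pam.d/su' \
                  '.......T    /usr/bin/who' 'missing     /bin/true'
}

sample_verify_output | triage_rpm_verify
```

On a real system, pipe the command from the post into it: `rpm -q --verify coreutils | triage_rpm_verify`.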

Ah, it is just the line number. I used grep with the option showing line number.

Output:

coreutis-5.2.2-31.7

It gave me an empty output

Regards,

Good.

Now do:

type -a su

Also, if "ltrace" isn't installed, go ahead and install it.

% type -a su
su is /bin/su

ltrace has been installed, how should I run it?

Regards,

Just

ltrace su

You'll get loads of output. I guess it might be useful to post that output.

That's really weird! Neither root (I guess it required root password) nor my normal user password are correct. I'm sure I typed both of them correctly:

% ltrace su
Password:
--- SIGCHLD (Child exited) ---
su: incorrect password
+++ exited (status 1) +++

In the /var/log/messages file:

authentication failure

Ack! That's what I get too. Silly su. I still suspect the problem is with PAM somehow. Please post the pam-su configuration file. If there are any lines with "include", post the corresponding file also.

You try it:

$ sudo passwd root

?

I think bagmc means:

Have you tried?

$ sudo passwd root

% cat /etc/pam.d/su
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    sufficient   /lib/security/$ISA/pam_succeed_if.so uid=0 use_uid quiet
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session    required     /lib/security/$ISA/pam_selinux.so close
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session    required     /lib/security/$ISA/pam_selinux.so open
session    optional     /lib/security/$ISA/pam_xauth.so

Are you suggesting that I change root's password? I do know root's password, I just wanna su from normal user to root. Btw, I'm not in the sudoers file, I can edit that file, though.

Regards,

Putting yourself in the sudoers file is a better way in general of getting root access, because every command you do with sudo is then logged. Nevertheless, your error message is unusual and I want to help you with that. Please also attach the file "system-auth" from the pam.d directory.

Also, is SELINUX enabled and properly configured? If it's not enabled, don't worry about it.