su: No shell / No directory! if sys is added to a user's secondary group

Hi,
When I include a user in the secondary group "sys" (GID=3) on Solaris 9 I'm not able to log in. I get these errors. The user's home directory and shell exist. Is this because of any security hardening?

# su - agent
No directory!
# su agent
su: No shell

# grep taddm /etc/passwd
agent:x:5001:5001::/home/agent:/bin/ksh

# ls -ld /home/agent
drwxr-xr-x   2 agent    agent        512 Aug  9 10:10 /home/agent

# ls -l /bin/ksh
-r-xr-xr-x   3 root     bin       201076 Aug  9  2005 /bin/ksh

Do you use the automounter at all?
I set up the same as you had above on a generic Sol 9 box and it worked fine.
Could you also supply a "cat /etc/shells", "grep agent /etc/group" and "cat /etc/nsswitch.conf".
Thx

# cat /etc/shells
/usr/bin/sh
/usr/bin/csh
/usr/bin/ksh
/usr/bin/jsh
/bin/sh
/bin/csh
/bin/ksh
/bin/jsh
/sbin/sh
/sbin/jsh
/sbin/noshell
/bin/bash
/bin/pfcsh
/bin/pfksh
/bin/pfsh
/bin/tcsh
/bin/zsh
/usr/bin/bash
/usr/bin/pfcsh
/usr/bin/pfksh
/usr/bin/pfsh
/usr/bin/tcsh
/usr/bin/zsh

# grep agent /etc/group
adm::4:root,adm,daemon,agent
sys::3:root,bin,sys,adm,agent
agent::5001:

# cat /etc/nsswitch.conf
passwd:     files
group:      files

I can log in normally; I have this problem only when I add the user to the secondary group sys. Any idea?

And do you use the automounter?

Hi, how could I find out? I have this configuration.

# tail /etc/auto_master
# Master map for automounter
#
+auto_master
/net            -hosts          -nosuid,nobrowse
/home           auto_home       -nobrowse
/xfn            -xfn

# more /etc/auto_home
# Home directory map for automounter
#
+auto_home
/home auto_home -nobrowse

I believe this line indicates that it is.
I have had issues like this in the past from the automounter, and unless you *need* this functionality, I normally disable it by removing this line from /etc/auto_master and restarting the automounter.
This is not really a fix, but a workaround.
Another tack would be to check out the Solaris Patches, as it may well be a known issue.

Hi, I'm afraid I can't disable it. Can this user's home directory be moved to /export/home/agent instead of /home/agent? Will this fix the problem?

My test was without automounter.
You can have home dirs anywhere, so it's worth giving it a try.

I changed the directory too; no good, I still have the problem.

# svcadm disable svc:/system/filesystem/autofs
# mkdir /home/agent
# su - agent

Do you have any Solaris Recommended Patches installed?
It may be worth trying to install a reasonable level.
Also, it may be worth changing the syslog level to debug and seeing if anything comes out of "su" when you try it.
Then the last thing I would try is to "truss" su on a working box and on the faulty one, and compare the outputs.

I hope this helps...

Hi, in /etc/mnttab "auto_mount" is not mounted, so the automounter is not in use, and I tried truss on this server for the same user with and without "sys" in the secondary group. It was helpful; the problem seems to be with file permissions. Do you see any issue with permissions here? Also, the patch level is SunOS 5.9 Generic_118558-14.

# ls -l /bin/ksh
-r-xr-xr-x   3 root     bin       201076 Aug  9  2005 /bin/ksh
# ls -ld /export/home/taddm
drwxr-x---   3 agent    agent        512 Aug  9 11:19 /export/home/agent

Command su agent, with "sys" in secondary group:

12100:  execve("/bin/ksh", 0xFFBFEC18, 0xFFBFFD20)      Err#13 EACCES
12100:  fstat64(2, 0xFFBFDD38)                          = 0
12100:  write(2, " s u :   N o   s h e l l".., 13)      = 13
12100:  _exit(3)

Command su agent without "sys" in secondary group:

11991:  execve("/bin/ksh", 0xFFBFEC18, 0xFFBFFD20)  argc = 1

======

Command su - agent with "sys" in secondary group:

9711:   setuid(5001)                                      = 0
9711:   chdir("/export/home/taddm")                     Err#13 EACCES
9711:   fstat64(2, 0xFFBFDD30)                          = 0
9711:   write(2, " N o   d i r e c t o r y".., 14)      = 14
9711:   _exit(1)

Command su - agent without "sys" in secondary group:

10003:  setuid(5001)                                      = 0
10003:  chdir("/export/home/taddm")                     = 0

I would suggest that ksh is trying to execute something from the user's home directory and doesn't have access. Try adding "-a" and "-e" to the truss and see what is actually being executed.
Also, are you running RBAC? There may be ACLs on ksh or the home dir.

Hi citaylor,

The option -ae didn't return any different output from the truss command for these error lines; they gave the same error without any arguments being passed.
In /etc/user_attr only these three configurations are available. Nothing was defined for ksh and su.

root::::auths=solaris.*,solaris.grant;profiles=All
lp::::profiles=Printer Management
adm::::profiles=Log Management

After analyzing the truss output I found an issue with the file permissions: most of the base directories like /var, /, /etc, /usr and /bin didn't have execute permission. I corrected them, but for the /dev and /devices directories the permissions are correct and I still get the error in truss.

su2.out is the output of the truss command.

# grep EACCES su2.out | head
19941/1:        33.6355 open("/var/mail/agent", O_RDONLY)               Err#13 EACCES
19964/1:        47.6427 stat64("/dev/tty", 0xFFBFFB60)                  Err#13 EACCES
19964/1:        47.6446 stat64("/dev/console", 0xFFBFFB60)              Err#13 EACCES
19964/1:        47.6464 stat64("/dev/conslog", 0xFFBFFB60)              Err#13 EACCES
19964/1:        47.6481 stat64("/dev/syscon", 0xFFBFFB60)               Err#13 EACCES
19964/1:        47.6498 stat64("/dev/systty", 0xFFBFFB60)               Err#13 EACCES
19964/1:        47.6516 stat64("/dev/wscons", 0xFFBFFB60)               Err#13 EACCES
19964/1:        47.6534 stat64("/dev/ptmx", 0xFFBFFB60)                 Err#13 EACCES
19964/1:        47.6554 stat64("/dev/ttyp0", 0xFFBFFA58)                Err#13 EACCES
19964/1:        47.6592 stat64("/dev/ptyp0", 0xFFBFFA58)                Err#13 EACCES

# ls -l /dev/tty
lrwxrwxrwx   1 root     other         26 Nov  4  2005 /dev/tty -> ../devices/pseudo/sy@0:tty
# ls -l /devices/pseudo/sy@0:tty
crw-rw-rw-   1 root     tty       22,  0 Aug 11 17:37 /devices/pseudo/sy@0:tty

# grep EACCES su2.out | grep /dev | wc -l
    1286
# grep EACCES su2.out | wc -l
    1287

Also, during a login attempt I got the errors "/dev/null: cannot create" and "ksh: /dev/null: cannot create". I verified the permissions; they were correct, and I re-applied the same permissions to those files. These two errors vanished. But now I have to do the same to 1286 files in /devices and their links in /dev. I tried the devfsadm command, but no good; the problem still persists. Could you suggest a script to read all the file permissions for files under /dev and /devices and re-apply the same? Or read the /dev/* entries from the truss output file and re-apply the file permissions, and also do the same to the relevant /devices files?

# ls -l /dev/null
lrwxrwxrwx   1 root     other         27 Nov  4  2005 /dev/null -> ../devices/pseudo/mm@0:null
# ls -l /devices/pseudo/mm@0:null
crw-rw-rw-   1 root     sys       13,  2 Aug  9 19:04 /devices/pseudo/mm@0:null
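An added example (not code from any poster in this thread) for the EACCES results in the truss output above and the script request in the last post. Unix checks the owner bits for the owner, else the group bits for a group member, else the other bits, and never falls through, so a directory such as "drwxr--r-x root sys" admits every user except members of group sys, which is consistent with su failing only when agent carries sys; the script flags every path component whose group bits are weaker than its other bits. It assumes ksh or a POSIX sh and that su2.out is the truss output file named above.

```shell
#!/bin/ksh
# Added audit helper: flag entries whose GROUP bits are weaker than their
# OTHER bits. The kernel uses the owner bits for the owner, else the group
# bits for a group member, else the other bits, and never falls through, so
# "drwxr--r-x root sys" admits every user EXCEPT members of group sys.

# group_weaker_than_other MODE   (MODE is the 10-char ls -l field, e.g. drwxr--r-x)
# Prints the bits group lacks but other has; returns 0 if any, 1 if none.
group_weaker_than_other() {
    g=`echo "$1" | cut -c5-7 | tr 'sS' 'x-'`    # setgid shows as s/S
    o=`echo "$1" | cut -c8-10 | tr 'tT' 'x-'`   # sticky shows as t/T
    missing=""
    i=1
    while [ $i -le 3 ]; do
        gb=`echo "$g" | cut -c$i`
        ob=`echo "$o" | cut -c$i`
        [ "$ob" != "-" ] && [ "$gb" = "-" ] && missing="$missing$ob"
        i=`expr $i + 1`
    done
    echo "$missing"
    [ -n "$missing" ]
}

# check_path PATH: test PATH (following a symlink, so /dev/tty is judged by
# its /devices target) and every ancestor directory of PATH; prints one line
# per offender: "<path> <mode> group lacks <bits>".
check_path() {
    cur=$1
    while :; do
        mode=`ls -ldL "$cur" 2>/dev/null | cut -c1-10`
        if [ -n "$mode" ]; then
            lacks=`group_weaker_than_other "$mode"`
            [ -n "$lacks" ] && echo "$cur $mode group lacks $lacks"
        fi
        case "$cur" in /|.) break ;; esac
        cur=`dirname "$cur"`
    done
    return 0
}

# Driver: pull every path that truss reported as EACCES out of the given
# truss output file (su2.out in the thread), de-duplicate, audit each one.
audit_truss_file() {
    grep EACCES "$1" | sed -n 's/.*("\([^"]*\)".*/\1/p' | sort -u |
        while read t; do check_path "$t"; done | sort -u
}

if [ $# -eq 1 ]; then audit_truss_file "$1"; fi
```

Ancestors are walked on the path as given, so for a /dev symlink also run check_path on the /devices target that ls -l shows (for /dev/tty above that is /devices/pseudo/sy@0:tty), which covers /devices and /devices/pseudo themselves.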