Switch to su

Hi,
I've put in the correct root password, but why do I get this below?

huamin@SOL11I:~$ su
Password: 
su: Sorry
huamin@SOL11I:~$ 

Many Thanks & Best Regards,
HuaMin

Something with "su" in the syslog messages?

I've just rerun "su" again, and within the syslog file I only get these:

Jun  3 08:55:14 SOL11I sendmail[967]: [ID 702911 mail.warning] My unqualified host name (SOL11I) unknown; sleeping for retry
Jun  3 08:55:14 SOL11I sendmail[963]: [ID 702911 mail.crit] My unqualified host name (SOL11I) unknown; sleeping for retry
Jun  3 08:56:14 SOL11I sendmail[967]: [ID 702911 mail.warning] unable to qualify my own domain name (SOL11I) -- using short name
Jun  3 08:56:14 SOL11I sendmail[963]: [ID 702911 mail.alert] unable to qualify my own domain name (SOL11I) -- using short name
Jun  3 08:56:15 SOL11I sendmail[1742]: [ID 702911 mail.info] starting daemon (8.14.5+Sun): queueing@00:15:00
Jun  3 08:56:15 SOL11I sendmail[967]: [ID 702911 mail.warning] gethostbyaddr(?.?.241.122) failed: 1
Jun  3 08:56:15 SOL11I sendmail[1744]: [ID 702911 mail.info] starting daemon (8.14.5+Sun): SMTP+queueing@00:15:00

Many Thanks & Best Regards,
HuaMin

I don't use Solaris, but I've read that if RBAC is used to turn root into a role, then a user cannot su unless they are allowed to assume the root role.

Regards,
Alister


This link may be of use:
Configuring and Using RBAC - System Administration Guide: Security Services - How to Make root User Into a Role

Regards,
Alister


Hi,
I tried to put this for root within /etc/user_attr. What should be put for "profiles" below?

root::::type=role;auths=solaris.*,solaris.grant;profiles=...

And how about that it disallows me from changing this file?

/etc/user_attr

Many Thanks & Best Regards,
HuaMin

And the other syslog file?

grep -iw syslog /etc/default/su

should have SYSLOG=YES

grep -wi su /var/adm/messages

And the file that is written by su itself

tail /var/adm/sulog

Thanks. Here is what I've got:

huamin@SOL11I:~$ grep -iw syslog /etc/default/su
# SYSLOG determines whether the syslog(3) LOG_AUTH facility should be used
SYSLOG=YES
huamin@SOL11I:~$ grep -wi su /var/adm/messages
Jun  1 15:22:59 SOL11I su: [ID 810491 auth.crit] 'su root' failed for huamin on /dev/pts/2
Jun  3 09:07:12 SOL11I su: [ID 810491 auth.crit] 'su root' failed for huamin on /dev/pts/1
huamin@SOL11I:~$ tail /var/adm/sulog
tail: cannot open input
huamin@SOL11I:~$ 

Many Thanks & Best Regards,
HuaMin

Please do the following debugging commands:

getent passwd root
grep '^root' /etc/shadow
grep '^[^#]' /etc/default/su
egrep "^su|^other" /etc/pam.conf

Thanks. Here is what I've got:

huamin@SOL11I:~$ getent passwd root
root:x:0:0:Super-User:/root:/usr/bin/bash
huamin@SOL11I:~$ grep '^root' /etc/shadow
grep: can't open /etc/shadow
huamin@SOL11I:~$ grep '^[^#]' /etc/default/su
SULOG=/var/adm/sulog
SYSLOG=YES
huamin@SOL11I:~$ egrep "^su|^other" /etc/pam.conf
huamin@SOL11I:~$ 

Many Thanks & Best Regards,
HuaMin

You have to grant yourself permission to assume the role of root in /etc/user_attr like this:

user::::lock_after_retries=no;profiles=System Administrator;roles=root

The important part here is

roles=root

It's also important to point out that if you don't set

lock_after_retries=no

it will be extremely difficult to recover the server in the event that your password locks, unless you have another user authorized to assume root.

Also, is this a new server? Did you do sysconfig? If you did, it will ask you to set up the first user, which will automatically be granted these permissions. If you skipped that, you may have to go back and reconfigure the server to create that user, so you can use that user to su to root and change /etc/user_attr.

Here is the /etc/user_attr file:

oracle::::roles=root;lock_after_retries=no
root::::type=role
huamin::::lock_after_retries=no;profiles=System Administrator;roles=root

Yes, it is a new server and "huamin" is the 1st user I've created.

Many Thanks & Best Regards,
HuaMin
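As an added example (not code from the thread or from Solaris), a small shell script that reads the /etc/user_attr format posted above and the 'su root' failure lines from /var/adm/messages shown earlier, reporting whether root is a role the login may assume and how many su attempts failed; the sample inputs are constructed from the values in this thread.

```shell
#!/bin/bash
# Added example, not from the thread: parse a Solaris /etc/user_attr and
# /var/adm/messages lines. Both inputs are constructed from values posted here.

USER_ATTR_SAMPLE='oracle::::roles=root;lock_after_retries=no
root::::type=role
huamin::::lock_after_retries=no;profiles=System Administrator;roles=root'

MESSAGES_SAMPLE="Jun  1 15:22:59 SOL11I su: [ID 810491 auth.crit] 'su root' failed for huamin on /dev/pts/2
Jun  3 09:07:12 SOL11I su: [ID 810491 auth.crit] 'su root' failed for huamin on /dev/pts/1"

# Print the value of attribute KEY (field 5 holds ';'-separated key=value
# pairs) for USER. Usage: attr_value USER KEY < user_attr
attr_value() {
    awk -F: -v u="$1" -v k="$2" '$1 == u {
        n = split($5, kv, ";")
        for (i = 1; i <= n; i++) {
            split(kv[i], p, "=")
            if (p[1] == k) { print p[2]; exit }
        }
    }'
}

# Report how USER reaches root, given user_attr on stdin:
#   password - root is an ordinary account, so su asks for root's password
#   role     - root is a role (type=role) and USER lists root in roles=
#   denied   - root is a role but USER may not assume it (su answers "Sorry")
root_access() {
    local data roles
    data=$(cat)
    if [ "$(printf '%s\n' "$data" | attr_value root type)" != "role" ]; then
        echo password; return
    fi
    roles=$(printf '%s\n' "$data" | attr_value "$1" roles)
    case ",$roles," in
        *,root,*) echo role ;;
        *)        echo denied ;;
    esac
}

# Count failed 'su root' attempts per login from messages-format lines
# ("su: [ID 810491 auth.crit] 'su root' failed for USER on TTY").
# Output: "USER COUNT" per line, sorted by user.
su_failures() {
    awk '/ su: .*auth\.crit.* .su root. failed for / {
        for (i = 1; i <= NF; i++) if ($i == "for") { c[$(i + 1)]++; break }
    } END { for (u in c) print u, c[u] }' | sort
}
```

Run it against the real files with `root_access huamin < /etc/user_attr` and `su_failures < /var/adm/messages`; "denied" means the roles= entry is missing, while "role" with repeated failures points at the password or account status instead.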

Is it possible you locked root? Have you checked /etc/shadow for the root password status?

Sorry, I get "Permission denied" when viewing the file using my current login. What should I change?

huamin@SOL11I:~$ ls -l /etc/shadow
-r--------   1 root     sys          744 Jun  3 09:07 /etc/shadow

Many Thanks & Best Regards,
HuaMin

Boot from CD/DVD, then mount the disk and check what is in /etc/shadow.
Maybe you just don't remember the valid password, so you can edit /etc/shadow and remove the password for root when you boot from CD/DVD.

It is actually running inside VirtualBox. Do you know if there is a way to boot it from CD/DVD?

Many Thanks & Best Regards,
HuaMin

The principle would be the same. Set the .iso as the CD-ROM device and start the VM; it should boot from the CD first, and then do the normal procedure to mount the FS and change /etc/vfstab.


Question: are you using this as a testbed or a training exercise? It seems to me that if that's all this is, it would be easier to just reload.

@HuaMin: what about, when logged in as huamin, running sudo -s and providing your own password? That's the way you su to root with Solaris 11.