User can't "su -" to root

Hello.

I have a RHEL 7.2 system where a regular user cannot run "su -" to reach the root account:

server532:t711740:/$ id
uid=75456(t711740) gid=10000(personales) groups=10000(personales),10(wheel)

tehrh532:t711740:/$ su -
Password:
su: Permission denied

But the same user can run "sudo su -":

server532:t711740:/$ sudo su -
[sudo] password for t711740:

server532:root:/root# id
uid=0(root) gid=0(root) groups=0(root),70000(emergencia)

What could be the problem? Any ideas?

server532:root:/root# grep root /etc/passwd
root:x:0:0:root:/root:/bin/bash

server532:root:/root# cat /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
tty0
tty1
tty2
tty3
tty4
tty5
tty6

server532:root:/root# cat /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so group=wheel root_only use_uid
auth            include         system-auth-su
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         optional        pam_mkhomedir.so skel=/etc/skel/ umask=0022
session         include         system-auth
session         optional        pam_xauth.so

server532:root:/root# ls -l /bin/su
-rwsr-xr-x. 1 root root 32072 Aug 21  2015 /bin/su

Hi,

  • What is in system-auth-su?
  • Can we rule out the obvious difference, namely that "su -" asks for the root password whereas "sudo su -" asks for the user's own password?
server532:root:/etc/pam.d# cat system-auth-su
auth     required       pam_env.so
auth     sufficient     pam_fprintd.so
unlock_time=600
auth     sufficient     pam_unix.so nullok try_first_pass
auth     sufficient     pam_ldap.so try_first_pass ignore_unknown_user
auth     [default=die] pam_faillock.so authfail audit deny=5 unlock_time=600
auth     sufficient pam_faillock.so authsucc audit deny=5 unlock_time=600
auth     required       pam_deny.so

account  required       pam_unix.so
account  sufficient     pam_localuser.so
account  sufficient     pam_succeed_if.so uid < 1000 quiet
account  required       pam_permit.so

password   required     pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 lcredit=-1
password   sufficient   pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password   required     pam_deny.so

session optional        pam_keyinit.so revoke
session required        pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required        pam_unix.so

Yes, we can rule that difference out.