LinuxQuestions.org - [SOLVED] Unix-chkpwd problem with Linux-PAM-1.1-1 trying to run su from shadow-4.1.4.2

- Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)

- - Unix-chkpwd problem with Linux-PAM-1.1-1 trying to run su from shadow-4.1.4.2 (https://www.linuxquestions.org/questions/linux-security-4/unix-chkpwd-problem-with-linux-pam-1-1-1-trying-to-run-su-from-shadow-4-1-4-2-a-826418/)

hoes	08-15-2010 07:14 PM

Unix-chkpwd problem with Linux-PAM-1.1-1 trying to run su from shadow-4.1.4.2

I am trying to run su as a non privileged user to log in as root.
However, this only works when I make /etc/shadow world readable.
I have /lib/security/unix_chkpwd as a setuid root executable

I use the following pam-file for su:

Code:

# Begin /etc/pam.d/su



auth        sufficient      pam_rootok.so

auth        required        pam_unix.so

account    required        pam_unix.so

session    optional        pam_mail.so    dir=/var/mail standard

session    optional        pam_xauth.so

session    required        pam_env.so

session    required        pam_unix.so



# End /etc/pam.d/su

Has anyone got a clue to what's happening here?

hoes	08-15-2010 07:55 PM

I kept getting errors in auth.log like:

Code:

unix_chkpwd[7569]: check pass; user unknown

unix_chkpwd[7569]: password check failed for user (root)

su[7568]: pam_unix(su:auth): authentication failure;

logname=hugo uid=10056 euid=10056 tty=/dev/tty5 ruser=hugo rhost= user=root

su[7568]: pam_authenticate: Authentication failure

su[7568]: FAILED su for root by hugo

su[7568]: - /dev/tty5 hugo:root

I interpreted this as a failure of unix_chkpwd.
However, I had /bin/su as a regular executable.
Once I changed this to setuid root, everything worked.

So sorry, false alarm.

keypress

04-06-2016 06:44 AM

I have the same problem. What do you mean, that: "Once I changed this to setuid root, everything worked." What have you changed?

hoes	04-06-2016 01:39 PM

The /bin/su command should be run as root, even if it is called by a different user.
This can be done by having it owned by the root user and setting the setuid bit.
Have a look at: http://linuxg.net/how-to-set-the-set...inux-and-unix/

keypress

04-07-2016 03:25 AM

"chmod u+s /bin/su"

It works now. Thx a lot!

All times are GMT -5. The time now is 06:16 PM.