LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices

Reply
 
Search this Thread
Old 07-26-2013, 11:22 AM   #1
san2ban
Member
 
Registered: May 2013
Location: Bengaluru / India
Distribution: Slackware14.1-64bit
Posts: 74

Rep: Reputation: Disabled
slackware hardening tips -Su: authentication failure


Dear slackers

Followed below link
http://www.linuxquestions.org/questi...4/#comment5965

Now, I unable to su
Code:
bash-4.2$ su
Password: 
su: Authentication failure
bash-4.2$
How to undo this?
 
Old 07-26-2013, 11:47 AM   #2
business_kid
Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware & Android
Posts: 6,142

Rep: Reputation: 526Reputation: 526Reputation: 526Reputation: 526Reputation: 526Reputation: 526
Have you joined the wheel group?

I don know why you did that to yourself BTW, but the easy answer is

Code:
usermod -aG  wheel  your_user
 
Old 07-27-2013, 10:01 AM   #3
san2ban
Member
 
Registered: May 2013
Location: Bengaluru / India
Distribution: Slackware14.1-64bit
Posts: 74

Original Poster
Rep: Reputation: Disabled
Code:
bash-4.2# groups san2ban
san2ban : users wheel
bash-4.2#
Yes, I am in wheel
The reason I did this is because, when I used to do sudo, it used to say I am not in the sudoer's list, though I was in 'wheel' group. Hence, just thought that this (su hardened thread) might help in getting out of this situation
Code:
bash-4.2# cat /etc/sudoers
## sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
##
## See the sudoers man page for the details on how to write a sudoers file.
##

##
## Host alias specification
##
## Groups of machines. These may include host names (optionally with wildcards),
## IP addresses, network numbers or netgroups.
# Host_Alias	WEBSERVERS = www1, www2, www3

##
## User alias specification
##
## Groups of users.  These may consist of user names, uids, Unix groups,
## or netgroups.
# User_Alias	ADMINS = millert, dowdy, mikef

##
## Cmnd alias specification
##
## Groups of commands.  Often used to group related commands together.
# Cmnd_Alias	PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
# 			    /usr/bin/pkill, /usr/bin/top

##
## Defaults specification
##
## You may wish to keep some of the following environment variables
## when running commands via sudo.
##
## Locale settings
# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
##
## Run X applications through sudo; HOME is used to find the
## .Xauthority file.  Note that other programs use HOME to find   
## configuration files and this may lead to privilege escalation!
# Defaults env_keep += "HOME"
##
## X11 resource path settings
# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
##
## Desktop path settings
# Defaults env_keep += "QTDIR KDEDIR"
##
## Allow sudo-run commands to inherit the callers' ConsoleKit session
# Defaults env_keep += "XDG_SESSION_COOKIE"
##
## Uncomment to enable special input methods.  Care should be taken as
## this may allow users to subvert the command being run via sudo.
# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
##
## Uncomment to enable logging of a command's output, except for
## sudoreplay and reboot.  Use sudoreplay to play back logged sessions.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
# Defaults!/usr/local/bin/sudoreplay !log_output
# Defaults!/sbin/reboot !log_output

##
## Runas alias specification
##

##
## User privilege specification
##
root ALL=(ALL) ALL

## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL

## Same thing without a password
 #%wheel ALL=(ALL) NOPASSWD: ALL

## Uncomment to allow members of group sudo to execute any command
# %sudo	ALL=(ALL) ALL

## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
# Defaults targetpw  # Ask for the password of the target user
# ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'

## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d
bash-4.2#

Last edited by san2ban; 07-27-2013 at 10:05 AM.
 
Old 07-27-2013, 11:38 AM   #4
business_kid
Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware & Android
Posts: 6,142

Rep: Reputation: 526Reputation: 526Reputation: 526Reputation: 526Reputation: 526Reputation: 526
Just for the laugh, make a new luser with the wheel group as his default group
Code:
useradd -g wheel -G <whatever> -s /bin/bash [options & stuff]  luser
see if luser can su.
 
Old 07-28-2013, 10:39 AM   #5
san2ban
Member
 
Registered: May 2013
Location: Bengaluru / India
Distribution: Slackware14.1-64bit
Posts: 74

Original Poster
Rep: Reputation: Disabled
Businesskid
Tried as you said. luser cannot su.

Is the article in he link correct? Has somebody checked and vetted it?
 
Old 07-28-2013, 10:51 AM   #6
business_kid
Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware & Android
Posts: 6,142

Rep: Reputation: 526Reputation: 526Reputation: 526Reputation: 526Reputation: 526Reputation: 526
There is some thing 'visudo'for editing sudoers.

As youŕe in slackware, slackware has sudo (probably in ~/a/ or ~/ap/) and you can simply

upgradepkg --reinstall

to overwrite it. You then rename the sudoers.new to sudoers, and youŕe back to vanilla.
 
Old 07-28-2013, 11:11 AM   #7
BCarey
Senior Member
 
Registered: Oct 2005
Location: New Mexico
Distribution: Slackware
Posts: 1,452

Rep: Reputation: Disabled
Using chown on the file (rather unexpectedely) changes its permissions from
Code:
-rws--x--x
to
Code:
-rwx--x--x
resulting in this behavior. You can fix this with
Code:
chmod 4711 /bin/su
. Edit: or if you want to turn of the global permissions then
Code:
chmod 4710 /bin/su
.

Brian

Last edited by BCarey; 07-28-2013 at 11:17 AM.
 
Old 08-01-2013, 12:08 PM   #8
san2ban
Member
 
Registered: May 2013
Location: Bengaluru / India
Distribution: Slackware14.1-64bit
Posts: 74

Original Poster
Rep: Reputation: Disabled
Still, I cannot su
Code:
bash-4.2$ ls -l `which su`
-rws--x--x 1 root wheel 66800 Sep 14  2012 /bin/su
bash-4.2$ sudo ldd -v `which su`
Password:
	linux-vdso.so.1 (0x00007ffff1b75000)
	libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f33be275000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f33bdeb5000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f33be4ca000)

	Version information:
	/bin/su:
		libcrypt.so.1 (GLIBC_2.2.5) => /lib64/libcrypt.so.1
		libc.so.6 (GLIBC_2.3) => /lib64/libc.so.6
		libc.so.6 (GLIBC_2.14) => /lib64/libc.so.6
		libc.so.6 (GLIBC_2.2.5) => /lib64/libc.so.6
	/lib64/libcrypt.so.1:
		libc.so.6 (GLIBC_2.14) => /lib64/libc.so.6
		libc.so.6 (GLIBC_PRIVATE) => /lib64/libc.so.6
		libc.so.6 (GLIBC_2.2.5) => /lib64/libc.so.6
	/lib64/libc.so.6:
		ld-linux-x86-64.so.2 (GLIBC_2.3) => /lib64/ld-linux-x86-64.so.2
		ld-linux-x86-64.so.2 (GLIBC_PRIVATE) => /lib64/ld-linux-x86-64.so.2
bash-4.2$ su
Password: 
su: Authentication failure
bash-4.2$
 
Old 08-02-2013, 09:16 AM   #9
business_kid
Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware & Android
Posts: 6,142

Rep: Reputation: 526Reputation: 526Reputation: 526Reputation: 526Reputation: 526Reputation: 526
I'll bet it's the sudoers file. You've got it so hardened you can't use it :-P. In your honour, I have uploaded a sudoers file rigged the other way - total access. It's HERE

Please do us the favour of downloading it, and trying it. At least it checks whether my guess is correct. Feel free to delete it afterwards. It's something I thought about in 12.1 and have just copied ever since.
 
Old 08-02-2013, 09:53 AM   #10
fatalfrrog
Member
 
Registered: May 2011
Distribution: Slackware
Posts: 43

Rep: Reputation: 15
Other people are mentioning permission issues, but that shouldn't be it because you can actually execute su. Instead you are getting an auth failure. san2ban, are you typing your user's password or root's password when you su? You'll need to use root's password for su.

This hack that you did would make it to where you cannot even try to su (i.e. it wouldn't ask for a password) if you aren't part of the wheel group. Since it does ask for a password after issuing su, it would appear that this hack is not causing the issue.
 
Old 08-02-2013, 11:27 AM   #11
san2ban
Member
 
Registered: May 2013
Location: Bengaluru / India
Distribution: Slackware14.1-64bit
Posts: 74

Original Poster
Rep: Reputation: Disabled
Code:
bash-4.2$ su
Password: 
su: Authentication failure
bash-4.2$ slackpkg update
bash: slackpkg: command not found
bash-4.2$ cat /etc/sudoers
cat: /etc/sudoers: Permission denied
bash-4.2$ sudo cat /etc/sudoers
## sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
##
## See the sudoers man page for the details on how to write a sudoers file.
##

##
## Host alias specification
##
## Groups of machines. These may include host names (optionally with wildcards),
## IP addresses, network numbers or netgroups.
# Host_Alias	WEBSERVERS = www1, www2, www3

##
## User alias specification
##
## Groups of users.  These may consist of user names, uids, Unix groups,
## or netgroups.
# User_Alias	ADMINS = millert, dowdy, mikef

##
## Cmnd alias specification
##
## Groups of commands.  Often used to group related commands together.
# Cmnd_Alias	PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
# 			    /usr/bin/pkill, /usr/bin/top

##
## Defaults specification
##
## You may wish to keep some of the following environment variables
## when running commands via sudo.
##
## Locale settings
# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
##
## Run X applications through sudo; HOME is used to find the
## .Xauthority file.  Note that other programs use HOME to find   
## configuration files and this may lead to privilege escalation!
# Defaults env_keep += "HOME"
##
## X11 resource path settings
# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
##
## Desktop path settings
# Defaults env_keep += "QTDIR KDEDIR"
##
## Allow sudo-run commands to inherit the callers' ConsoleKit session
# Defaults env_keep += "XDG_SESSION_COOKIE"
##
## Uncomment to enable special input methods.  Care should be taken as
## this may allow users to subvert the command being run via sudo.
# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
##
## Uncomment to enable logging of a command's output, except for
## sudoreplay and reboot.  Use sudoreplay to play back logged sessions.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
# Defaults!/usr/local/bin/sudoreplay !log_output
# Defaults!/sbin/reboot !log_output

##
## Runas alias specification
##

##
## User privilege specification
##
root ALL=(ALL) ALL

## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL

## Same thing without a password
#%wheel ALL=(ALL) NOPASSWD: ALL
%users	ALL=(ALL)	NOPASSWD: ALL
## Uncomment to allow members of group sudo to execute any command
# %sudo	ALL=(ALL) ALL

## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
# Defaults targetpw  # Ask for the password of the target user
# ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'

## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d
bash-4.2$
Business_kid
I compared the file that you mentioned with my /etc/sudoers. Only %users All=All line was missing. I added that. Still I cannot su. I cannot update because of following
Code:
bash-4.2$ sudo slackpkg update
sudo: slackpkg: command not found
bash-4.2$ 
bash-4.2$ sudo slackpkg update
sudo: slackpkg: command not found
bash-4.2$ slackpkg update
bash: slackpkg: command not found
bash-4.2$
Due to above, somebody's suggestion of reinstalling sudo also cannot be done

fatalfrog
I confirm that I use root password when I su.

Except reinstall, I am ready to try anything that is suggested

Last edited by san2ban; 08-02-2013 at 11:47 AM.
 
Old 08-02-2013, 01:38 PM   #12
fatalfrrog
Member
 
Registered: May 2011
Distribution: Slackware
Posts: 43

Rep: Reputation: 15
Can you login as root at all? Do ctl+alt+f2 and try logging in as root.

Quote:
bash-4.2$ slackpkg update
bash: slackpkg: command not found
This is normal because slackpkg is not in your user's path. Try doing it with /usr/sbin/slackpkg (or /sbin/slackpkg...can't remember).
 
Old 08-02-2013, 02:38 PM   #13
e5150
Member
 
Registered: Oct 2005
Location: Sweden
Distribution: Slackware
Posts: 73

Rep: Reputation: 41
/etc/sudoers has nothing to do with `su`. What, if anything, is the content of your /etc/suauth?

(And note that if you've added yourself to the wheel group but have yet to log in again, then `groups <username>` will report you as a member of wheel, but running `groups` without any arguments will not. Group membership changes does not affect the running sessions.)

(Also note that "%users ALL=(ALL) NOPASSWD: ALL" in your sudoers file will allow any member of users to run anything as root without a password, once you've got all this sorted out you ought to reconsider whether this appropriate or not.)
 
Old 08-02-2013, 03:24 PM   #14
business_kid
Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware & Android
Posts: 6,142

Rep: Reputation: 526Reputation: 526Reputation: 526Reputation: 526Reputation: 526Reputation: 526
Yes, it's appropriate. All is me :-). It would be most inappropriate on a server.
/etc/suauth is original & untouched and I'm sure you have one of those.
 
Old 08-03-2013, 11:38 AM   #15
san2ban
Member
 
Registered: May 2013
Location: Bengaluru / India
Distribution: Slackware14.1-64bit
Posts: 74

Original Poster
Rep: Reputation: Disabled
Code:
bash-4.2$ /usr/sbin/slackpkg update

Only root can install, upgrade, or remove packages.
Please log in as root or contact your system administrator.
bash-4.2$
I cannot login as root or su
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Most Common Linux Server's Hardening Tips LXer Syndicated Linux News 0 07-15-2013 07:30 AM
Searching tips for bash script hardening norbert74 Linux - Security 6 02-09-2010 12:26 PM
LXer: Top 20 Linux Server Hardening Security Tips LXer Syndicated Linux News 0 10-30-2009 07:50 PM
Slackware hardening guide tangle Slackware 4 03-14-2005 09:47 PM
Hardening Slackware AhYup Slackware 8 03-07-2005 06:35 PM


All times are GMT -5. The time now is 07:39 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration