LinuxQuestions.org
Old 02-16-2007, 09:13 AM   #1
worldgnat
Member
 
Registered: Oct 2004
Posts: 337

Rep: Reputation: 30
Possible security bug with SU, or am I crazy?


I just tried to su, typed my password wrong, did ctrl+c, and I got this:
Code:
[petdav@localhost ~]$ su
Password:

bash-3.1# su
[root@localhost petdav]#

It looks like I managed to su without entering the correct password. Is this legit, or did I type the right password and it was just taking longer than usual? It's never given me the bash-3.1# line before - it looks like init 3 or something. I was in Gnome and the graphics didn't flicker or anything, so it didn't hit init 3. weird...

-Peter
 
Old 02-16-2007, 01:03 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Is this legit, or did I type the right password and it was just taking longer than usual?
If unsure *always* first check the logs. So, what does your syslog say?

Quote:
It's never given me the bash-3.1# line before - it looks like init 3 or something. I was in Gnome and the graphics didn't flicker or anything, so it didn't hit init 3. weird...
No, that's not runlevel three; it's just that Bash wasn't initialised with the resource files that set the prompt and such.
 
Old 02-17-2007, 12:39 AM   #3
worldgnat
Member
 
Registered: Oct 2004
Posts: 337

Original Poster
Rep: Reputation: 30
/var/log/messages gave me this:
Code:
Feb 16 11:25:45 localhost kernel: NET: Registered protocol family 10
Feb 16 11:25:45 localhost kernel: lo: Disabled Privacy Extensions
Feb 16 11:25:45 localhost kernel: Mobile IPv6
Feb 16 11:25:45 localhost kernel: fglrx: module license 'Proprietary. (C) 2002 - ATI Technologies, Starnberg, GERMANY' taints kernel.
Feb 16 11:25:45 localhost kernel: [fglrx] Maximum main memory to use for locked dma buffers: 802 MBytes.
Feb 16 11:25:45 localhost kernel: [fglrx] module loaded - fglrx 8.33.6 [Jan  8 2007] on minor 0
Feb 16 11:25:45 localhost kernel: ACPI: PCI Interrupt 0000:01:05.0[A] -> GSI 17 (level, low) -> IRQ 16
Feb 16 11:25:45 localhost pcscd: pcscdaemon.c:464:main() pcsc-lite 1.3.1 daemon ready.
Feb 16 11:25:45 localhost kernel: ACPI: AC Adapter [ACAD] (off-line)
Feb 16 11:25:45 localhost kernel: ACPI: Battery Slot [BAT1] (battery present)
Feb 16 11:25:45 localhost kernel: ACPI: Power Button (FF) [PWRF]
Feb 16 11:25:45 localhost kernel: ACPI: Power Button (CM) [PWRB]
Feb 16 11:25:45 localhost kernel: ACPI: Sleep Button (CM) [SLPB]
Feb 16 11:25:45 localhost kernel: ACPI: Lid Switch [LID]
Feb 16 11:25:45 localhost kernel: ibm_acpi: ec object not found
Feb 16 11:25:45 localhost kernel: ACPI: Video Device [VGA] (multi-head: yes  rom: no  post: no)
Feb 16 11:25:45 localhost kernel: md: Autodetecting RAID arrays.
Feb 16 11:25:45 localhost kernel: md: autorun ...
Feb 16 11:25:45 localhost kernel: md: ... autorun DONE.
Feb 16 11:25:45 localhost kernel: device-mapper: multipath: version 1.0.5 loaded
Feb 16 11:25:45 localhost kernel: EXT3 FS on dm-0, internal journal
Feb 16 11:25:45 localhost kernel: kjournald starting.  Commit interval 5 seconds
Feb 16 11:25:45 localhost kernel: EXT3 FS on hda2, internal journal
Feb 16 11:25:45 localhost kernel: EXT3-fs: mounted filesystem with ordered data mode.
Feb 16 11:25:45 localhost kernel: SELinux: initialized (dev hda2, type ext3), uses xattr
Feb 16 11:25:45 localhost kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Feb 16 11:25:45 localhost kernel: Adding 1835000k swap on /dev/VolGroup00/LogVol01.  Priority:-1 extents:1 across:1835000k
Feb 16 11:25:45 localhost kernel: SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
Feb 16 11:25:45 localhost kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team
Feb 16 11:25:45 localhost kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Feb 16 11:25:45 localhost kernel: Netfilter messages via NETLINK v0.30.
Feb 16 11:25:45 localhost kernel: ip_conntrack version 2.4 (7159 buckets, 57272 max) - 232 bytes per conntrack
Feb 16 11:25:45 localhost kernel: process `sysctl' is using deprecated sysctl (syscall) net.ipv6.neigh.lo.retrans_time; Use net.ipv6.neigh.lo.retrans_time_ms instead.
Feb 16 11:25:45 localhost kernel: ndiswrapper version 1.36 loaded (preempt=no,smp=yes)
Feb 16 11:25:45 localhost kernel: ndiswrapper: driver bcmwl5 (Broadcom,02/11/2005, 3.100.64.0) loaded
Feb 16 11:25:45 localhost kernel: ACPI: PCI Interrupt 0000:05:02.0[A] -> GSI 20 (level, low) -> IRQ 22
Feb 16 11:25:45 localhost kernel: ndiswrapper: using IRQ 22
Feb 16 11:25:45 localhost kernel: wlan0: ethernet device 00:14:a5:15:43:05 using NDIS driver: bcmwl5, version: 0x3644000, NDIS version: 0x501, vendor: '', 14E4:4318.5.conf
Feb 16 11:25:45 localhost kernel: wlan0: encryption modes supported: WEP; TKIP with WPA, WPA2, WPA2PSK; AES/CCMP with WPA, WPA2, WPA2PSK
Feb 16 11:25:45 localhost kernel: usbcore: registered new interface driver ndiswrapper
Feb 16 11:25:45 localhost kernel: ndiswrapper: changing interface name from 'wlan0' to 'eth1'
Feb 16 11:25:45 localhost kernel: ADDRCONF(NETDEV_UP): eth1: link is not ready
Feb 16 11:25:45 localhost kernel: SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
Feb 16 11:25:45 localhost kernel: Bluetooth: L2CAP ver 2.8
Feb 16 11:25:45 localhost kernel: Bluetooth: L2CAP socket layer initialized
Feb 16 11:25:45 localhost kernel: Bluetooth: RFCOMM socket layer initialized
Feb 16 11:25:45 localhost kernel: Bluetooth: RFCOMM TTY layer initialized
Feb 16 11:25:45 localhost kernel: Bluetooth: RFCOMM ver 1.8
Feb 16 11:25:45 localhost kernel: Bluetooth: HIDP (Human Interface Emulation) ver 1.1
Feb 16 11:25:45 localhost hidd[2516]: Bluetooth HID daemon
Feb 16 11:25:46 localhost kernel: SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
Feb 16 11:25:46 localhost automount[2531]: lookup_read_master: lookup(nisplus): couldn't locat nis+ table auto.master
Feb 16 11:25:46 localhost kernel: SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
Feb 16 11:25:46 localhost kernel: SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
Feb 16 11:25:46 localhost hpiod: 1.6.12 accepting connections at 2208... 
Feb 16 11:25:49 localhost gpm[2633]: *** info [startup.c(95)]: 
Feb 16 11:25:49 localhost gpm[2633]: Started gpm successfully. Entered daemon mode.
Feb 16 11:25:54 localhost avahi-daemon[2742]: Found user 'avahi' (UID 70) and group 'avahi' (GID 70).
Feb 16 11:25:54 localhost avahi-daemon[2742]: Successfully dropped root privileges.
Feb 16 11:25:54 localhost avahi-daemon[2742]: avahi-daemon 0.6.16 starting up.
Feb 16 11:25:54 localhost avahi-daemon[2742]: WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
Feb 16 11:25:55 localhost avahi-daemon[2742]: Successfully called chroot().
Feb 16 11:25:55 localhost avahi-daemon[2742]: Successfully dropped remaining capabilities.
Feb 16 11:25:55 localhost avahi-daemon[2742]: Loading service file /services/sftp-ssh.service.
Feb 16 11:25:55 localhost avahi-daemon[2742]: Network interface enumeration completed.
Feb 16 11:25:55 localhost avahi-daemon[2742]: Registering HINFO record with values 'I686'/'LINUX'.
Feb 16 11:25:55 localhost avahi-daemon[2742]: Server startup complete. Host name is localhost.local. Local service cookie is 3874812886.
Feb 16 11:25:55 localhost avahi-daemon[2742]: Service "SFTP File Transfer on localhost" (/services/sftp-ssh.service) successfully established.
Feb 16 11:26:03 localhost kernel: cdrom: This disc doesn't have any tracks I recognize!
Feb 16 11:26:10 localhost dhcdbd: Started up.
Feb 16 11:26:10 localhost NetworkManager: <information>	starting... 
Feb 16 11:26:10 localhost NetworkManager: <information>	Adding VPN service 'org.freedesktop.NetworkManager.openvpn' with name 'openvpn' and program '/usr/bin/nm-openvpn-service' 
Feb 16 11:26:11 localhost NetworkManager: <information>	Adding VPN service 'org.freedesktop.NetworkManager.vpnc' with name 'vpnc' and program '/usr/bin/nm-vpnc-service' 
Feb 16 11:26:11 localhost NetworkManager: <information>	eth0: Device is fully-supported using driver '8139too'. 
Feb 16 11:26:11 localhost NetworkManager: <information>	nm_device_init(): waiting for device's worker thread to start 
Feb 16 11:26:11 localhost kernel: eth0: link down
Feb 16 11:26:11 localhost kernel: ADDRCONF(NETDEV_UP): eth0: link is not ready
Feb 16 11:26:11 localhost NetworkManager: <information>	nm_device_init(): device's worker thread started, continuing. 
Feb 16 11:26:11 localhost NetworkManager: <information>	Now managing wired Ethernet (802.3) device 'eth0'. 
Feb 16 11:26:11 localhost NetworkManager: <information>	Deactivating device eth0. 
Feb 16 11:26:11 localhost kernel: ADDRCONF(NETDEV_UP): eth1: link is not ready
Feb 16 11:26:11 localhost NetworkManager: <information>	eth1: Device is fully-supported using driver 'ndiswrapper'. 
Feb 16 11:26:11 localhost NetworkManager: <information>	nm_device_init(): waiting for device's worker thread to start 
Feb 16 11:26:11 localhost NetworkManager: <information>	nm_device_init(): device's worker thread started, continuing. 
Feb 16 11:26:11 localhost NetworkManager: <information>	Now managing wireless (802.11) device 'eth1'. 
Feb 16 11:26:11 localhost NetworkManager: <information>	Deactivating device eth1. 
Feb 16 11:26:11 localhost NetworkManager: <WARNING>	 nm_device_802_11_wireless_set_essid (): error setting ESSID to '' for device eth1: Invalid argument 
Feb 16 11:26:12 localhost smartd[2895]: smartd version 5.36 [i386-redhat-linux-gnu] Copyright (C) 2002-6 Bruce Allen 
Feb 16 11:26:12 localhost smartd[2895]: Home page is http://smartmontools.sourceforge.net/  
Feb 16 11:26:12 localhost smartd[2895]: Opened configuration file /etc/smartd.conf 
Feb 16 11:26:12 localhost smartd[2895]: Configuration file /etc/smartd.conf parsed. 
Feb 16 11:26:12 localhost smartd[2895]: Device: /dev/hda, opened 
Feb 16 11:26:12 localhost smartd[2895]: Device: /dev/hda, found in smartd database. 
Feb 16 11:26:13 localhost smartd[2895]: Device: /dev/hda, is SMART capable. Adding to "monitor" list. 
Feb 16 11:26:13 localhost smartd[2895]: Monitoring 1 ATA and 0 SCSI devices 
Feb 16 11:26:13 localhost smartd[2897]: smartd has fork()ed into background mode. New PID=2897. 
Feb 16 11:26:16 localhost pcscd: winscard.c:219:SCardConnect() Reader E-Gate 0 0 Not Found
Feb 16 11:26:16 localhost last message repeated 3 times
Feb 16 11:26:19 localhost kernel: [fglrx] PCIe has already been initialized. Reinitializing ...
Feb 16 11:26:51 localhost gconfd (petdav-3117): starting (version 2.14.0), pid 3117 user 'petdav'
Feb 16 11:26:51 localhost gconfd (petdav-3117): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
Feb 16 11:26:51 localhost gconfd (petdav-3117): Resolved address "xml:readwrite:/home/petdav/.gconf" to a writable configuration source at position 1
Feb 16 11:26:51 localhost gconfd (petdav-3117): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Feb 16 11:26:54 localhost hcid[2426]: Default passkey agent (:1.11, /org/bluez/applet) registered
Feb 16 11:26:55 localhost gconfd (petdav-3117): Resolved address "xml:readwrite:/home/petdav/.gconf" to a writable configuration source at position 0
Feb 16 11:26:59 localhost pcscd: winscard.c:219:SCardConnect() Reader E-Gate 0 0 Not Found
Feb 16 11:27:00 localhost last message repeated 4 times
Feb 16 11:27:02 localhost yum-updatesd: error getting update info: Cannot open/read repomd.xml file for repository: livna
Feb 16 11:27:04 localhost NetworkManager: <information>	Updating allowed wireless network lists. 
Feb 16 11:27:56 localhost kernel: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
Feb 16 11:27:57 localhost avahi-daemon[2742]: New relevant interface eth1.IPv6 for mDNS.
Feb 16 11:27:57 localhost avahi-daemon[2742]: Joining mDNS multicast group on interface eth1.IPv6 with address fe80::214:a5ff:fe15:4305.
Feb 16 11:27:57 localhost avahi-daemon[2742]: Registering new address record for fe80::214:a5ff:fe15:4305 on eth1.
Feb 16 11:28:03 localhost dhclient: Internet Systems Consortium DHCP Client V3.0.5-RedHat
Feb 16 11:28:03 localhost dhclient: Copyright 2004-2006 Internet Systems Consortium.
Feb 16 11:28:03 localhost dhclient: All rights reserved.
Feb 16 11:28:03 localhost dhclient: For info, please visit http://www.isc.org/sw/dhcp/
Feb 16 11:28:03 localhost dhclient: 
Feb 16 11:28:03 localhost dhclient: Listening on LPF/eth1/00:14:a5:15:43:05
Feb 16 11:28:03 localhost dhclient: Sending on   LPF/eth1/00:14:a5:15:43:05
Feb 16 11:28:03 localhost dhclient: Sending on   Socket/fallback
Feb 16 11:28:03 localhost dhclient: DHCPREQUEST on eth1 to 255.255.255.255 port 67
Feb 16 11:28:03 localhost dhclient: DHCPACK from 10.16.0.2
Feb 16 11:28:03 localhost avahi-daemon[2742]: New relevant interface eth1.IPv4 for mDNS.
Feb 16 11:28:03 localhost avahi-daemon[2742]: Joining mDNS multicast group on interface eth1.IPv4 with address 10.16.5.240.
Feb 16 11:28:03 localhost avahi-daemon[2742]: Registering new address record for 10.16.5.240 on eth1.
Feb 16 11:28:03 localhost avahi-daemon[2742]: Withdrawing address record for 10.16.5.240 on eth1.
Feb 16 11:28:03 localhost avahi-daemon[2742]: Leaving mDNS multicast group on interface eth1.IPv4 with address 10.16.5.240.
Feb 16 11:28:03 localhost avahi-daemon[2742]: iface.c: interface_mdns_mcast_join() called but no local address available.
Feb 16 11:28:03 localhost avahi-daemon[2742]: Interface eth1.IPv4 no longer relevant for mDNS.
Feb 16 11:28:03 localhost avahi-daemon[2742]: New relevant interface eth1.IPv4 for mDNS.
Feb 16 11:28:03 localhost avahi-daemon[2742]: Joining mDNS multicast group on interface eth1.IPv4 with address 10.16.5.240.
Feb 16 11:28:03 localhost avahi-daemon[2742]: Registering new address record for 10.16.5.240 on eth1.
Feb 16 11:28:03 localhost NET[3459]: /sbin/dhclient-script : updated /etc/resolv.conf
Feb 16 11:28:03 localhost dhclient: bound to 10.16.5.240 -- renewal in 201915 seconds.
Feb 16 11:40:05 localhost gnome-power-manager: (petdav) Suspending computer because the lid has been closed on battery power
Feb 16 11:40:05 localhost NetworkManager: <information>	Going to sleep. 
Feb 16 11:40:05 localhost avahi-daemon[2742]: Interface eth1.IPv6 no longer relevant for mDNS.
Feb 16 11:40:05 localhost avahi-daemon[2742]: Leaving mDNS multicast group on interface eth1.IPv6 with address fe80::214:a5ff:fe15:4305.
Feb 16 11:40:05 localhost avahi-daemon[2742]: Interface eth1.IPv4 no longer relevant for mDNS.
Feb 16 11:40:05 localhost avahi-daemon[2742]: Leaving mDNS multicast group on interface eth1.IPv4 with address 10.16.5.240.
Feb 16 11:40:05 localhost avahi-daemon[2742]: Withdrawing address record for fe80::214:a5ff:fe15:4305 on eth1.
Feb 16 11:40:05 localhost avahi-daemon[2742]: Withdrawing address record for 10.16.5.240 on eth1.
Feb 16 11:40:05 localhost dhclient: receive_packet failed on eth1: Network is down
Feb 16 11:40:10 localhost hidd[2516]: Exit
Feb 16 11:40:11 localhost sdpd[2430]: terminating...   
Feb 16 11:40:11 localhost hcid[2426]: Unregister path:/org/bluez/hci0
Feb 16 11:40:11 localhost hcid[2426]: Unregister path:/org/bluez
Feb 16 11:40:11 localhost hcid[2426]: Exit
I see nothing pertinent to su, but I may be wrong. I had to truncate it a little, but I only cut some leading boot-up info.
-Peter

Last edited by unSpawn; 02-17-2007 at 04:45 AM. Reason: //moderator adds BB code tags for readability
 
Old 02-17-2007, 05:45 AM   #4
live_dont_exist
Member
 
Registered: Aug 2004
Location: India
Distribution: Redhat 9.0,FC3,FC5,FC10
Posts: 257

Rep: Reputation: 30
I guess "su" would be logged somewhere else plus you'd have to have "su" logging enabled.

I'm guessing it's just a typo and you've actually already put in the correct password. Try and recreate the problem again. When you got the bash-3.1# prompt you're already root, so the su after that isn't really relevant.

Try and log on as a normal user and do a su with a wrong password again, and post back if the behaviour repeats itself. Unless you have a miraculously slow disk I would pretty much rule out speed being the issue, though, unless you're doing all your logins from a remote server and all such logins are slow (root and non-root).

Post back with an update if there are still problems.

Cheers
Arvind
 
Old 02-17-2007, 04:26 PM   #5
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
It's possible that there are some commands in root's .profile, .bash_profile, or .bashrc that could take a long time to return (maybe they rely on DNS and the request timed out?). In that case you probably typed the correct password and your process had already changed UID to 0, but it was still trying to load the profile stuff, which is what you ctrl+c'd out of.
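Added example (not code posted by anyone in this thread): the log check unSpawn and Arvind recommend, applied to the file where su actually records its outcome. On Red Hat and Fedora systems of this vintage su authenticates through PAM, and pam_unix logs to the authpriv facility, which /etc/syslog.conf normally routes to /var/log/secure rather than /var/log/messages, which is why Peter's excerpt shows nothing about su. The four log lines in the script are constructed for the demonstration (the syslog tag "su:", "su[pid]:" or the older "su(pam_unix)[pid]:" varies by PAM version, and all three are accepted); the paths and the `petdav` user name are taken from the thread. The script reduces the records to FAIL / OPEN / CLOSE events: a "session opened for user root by petdav(uid=500)" record at the moment of the ctrl+c means the password was accepted and the process was already UID 0 (chort's explanation), while an "authentication failure" with no following "session opened" means su refused, and a root shell obtained anyway would need investigating.

```shell
#!/bin/sh
# Added example for this thread (not code posted in it): summarise su
# activity from a PAM-style authentication log such as /var/log/secure.
#
# The four log lines below are CONSTRUCTED for the demonstration. The
# timestamps, user name and host mirror the thread; the events do not
# claim to be what was on Peter's machine.
SAMPLE_SECURE_LOG='Feb 16 11:30:02 localhost su: pam_unix(su:auth): authentication failure; logname=petdav uid=500 euid=0 tty=pts/1 ruser=petdav rhost=  user=root
Feb 16 11:30:10 localhost su(pam_unix)[3123]: session opened for user root by petdav(uid=500)
Feb 16 11:30:15 localhost su[3140]: pam_unix(su:session): session opened for user root by (uid=0)
Feb 16 11:31:00 localhost su[3140]: pam_unix(su:session): session closed for user root'

# summarise_su: read syslog lines on stdin, print one line per su event.
#   FAIL  <target> <- <caller>                  password rejected
#   OPEN  <target> <- <caller>(uid=N)           password accepted, root session started
#   OPEN  <target> <- already-root (uid=0)      su run from a root shell: no password asked
#   CLOSE <target>                              root session ended
summarise_su() {
  awk '
    # Field 5 is the syslog tag; accept "su:", "su[pid]:" and "su(pam_unix)[pid]:".
    $5 !~ /^su(\(pam_unix\))?(\[[0-9]+\])?:$/ { next }
    {
      ts = $1 " " $2 " " $3
      if ($0 ~ /authentication failure/) {
        match($0, /logname=[^ ]*/); caller = substr($0, RSTART + 8, RLENGTH - 8)
        match($0, / user=[^ ]*/);   target = substr($0, RSTART + 6, RLENGTH - 6)
        printf "%s FAIL  %s <- %s\n", ts, target, caller
      } else if ($0 ~ /session opened for user/) {
        match($0, /for user [^ ]*/);         target = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /by [^(]*\(uid=[0-9]+\)/); by = substr($0, RSTART + 3, RLENGTH - 3)
        # An empty user name before "(uid=0)" means the caller was already root.
        if (by ~ /^\(/) by = "already-root " by
        printf "%s OPEN  %s <- %s\n", ts, target, by
      } else if ($0 ~ /session closed for user/) {
        match($0, /for user [^ ]*/); target = substr($0, RSTART + 9, RLENGTH - 9)
        printf "%s CLOSE %s\n", ts, target
      }
    }'
}

# count_su_events <FAIL|OPEN|CLOSE>: number of events of that kind in the sample.
count_su_events() {
  printf '%s\n' "$SAMPLE_SECURE_LOG" | summarise_su |
    awk -v k="$1" '$4 == k { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample. On a live Red Hat/Fedora box
# the equivalent would be:  summarise_su < /var/log/secure
printf '%s\n' "$SAMPLE_SECURE_LOG" | summarise_su
```

Read the OPEN lines together with the FAIL lines: an OPEN with "petdav(uid=500)" is a password the system accepted from the unprivileged user, an OPEN with "already-root (uid=0)" is what the second `su` typed at the bash-3.1# prompt in the original post would produce, since su asks no password when the caller is already root, and a FAIL with no OPEN shortly after it is a rejected attempt that should not have ended in a root shell.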
 
All times are GMT -5.