su: cannot set groups: Operation not permitted
I am running RedHat Enterprise version 4 (2.6.9-67). When I run the command "su -" from a regular user who is a secondary member of the wheel group, I get the following error after entering the root password: "su: cannot set groups: Operation not permitted".
The permissions for /bin/su are at rwsr_xr_x. These are the pam files "su" and "sys-auth":

#%PAM-1.0
auth sufficient /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required /lib/security/$ISA/pam_wheel.so use_uid
auth required /lib/security/$ISA/pam_stack.so service=system-auth
account sufficient /lib/security/$ISA/pam_succeed_if.so uid=0 use_uid quiet
account required /lib/security/$ISA/pam_stack.so service=system-auth
password required /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session required /lib/security/$ISA/pam_selinux.so close
session required /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session required /lib/security/$ISA/pam_selinux.so open
session optional /lib/security/$ISA/pam_xauth.so

#######################################################################
sys-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 lcredit=-2 dcredit=-2 ocredit=-2 ucredit=-2
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
account required /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset
account sufficient /lib/security/$ISA/pam_unix.so nullok use_athtok md5 shadow remember=5

Not sure what I am missing. If need be I will supply an strace output, but I didn't glean anything from it, though that doesn't mean too much. I'm not sure what to look for in the output. Thanks in advance |
What happens if you go :-
newgrp wheel
su -
It might give you a better idea what's happening if you go:-
strace su - |
The group wheel already does exist.
The strace command gives a lot of info but not sure what I am looking for. |
newgrp doesn't create the group - it switches the user to that group as its primary one.
If you try
strace -o /root/dump.txt su -
you can paste the results from /root/dump.txt here. |
The newgrp command did not work as far as allowing me to su -
Let me give you some more info. I am running a set of scripts to security harden this workstation. I ran through each script individually this morning and was able to su -, but after a reboot I receive the error message "su: incorrect password". I am using the correct password for the root account. I thank you for taking a look at the trace file; it is a little overwhelming for me. Also, here is the error from /var/log/messages:
su(pam_unix)[6451] authentication failure; logname=root uid=4097 euid=4097 tty=pts/7 ruser=mfbb rhost= user=root
strace output too large for this reply; will attach it to another reply |
I need to cut the size of the strace output. Any suggestions as to where to cut?
|
The last few lines should probably be OK.
|
You could consider using sudo instead of su - if it's a series of automated scripts.
|
getuid() = 4097
open("/etc/passwd", O_RDONLY) = 3 fcntl(3, F_GETFD) = 0 fcntl(3, F_SETFD, FD_CLOEXEC) = 0 fstat(3, {st_mode=S_IFREG|0644, st_size=1450, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2a98c3f000 read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1450 close(3) = 0 munmap(0x2a98c3f000, 4096) = 0 socket(PF_FILE, SOCK_STREAM, 0) = 3 fcntl(3, F_GETFL) = 0x2 (flags O_RDWR) fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0 connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) close(3) = 0 socket(PF_FILE, SOCK_STREAM, 0) = 3 fcntl(3, F_GETFL) = 0x2 (flags O_RDWR) fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0 connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) close(3) = 0 open("/etc/group", O_RDONLY) = 3 fcntl(3, F_GETFD) = 0 fcntl(3, F_SETFD, FD_CLOEXEC) = 0 fstat(3, {st_mode=S_IFREG|0644, st_size=608, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2a98c3f000 read(3, "root:x:0:root\nbin:x:1:root,bin,d"..., 4096) = 608 close(3) = 0 munmap(0x2a98c3f000, 4096) = 0 stat("/etc/pam.d", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 open("/etc/pam.d/system-auth", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0444, st_size=820, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2a98c3f000 read(3, "#%PAM-1.0\n# This file is auto-ge"..., 4096) = 820 open("/lib/security/$ISA/pam_env.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/lib/security/../../lib64/security/pam_env.so", O_RDONLY) = 4 read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\16\0\0\0\0\0\0"..., 832) = 832 fstat(4, {st_mode=S_IFREG|0755, st_size=12624, ...}) = 0 mmap(NULL, 1059376, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x2a995bb000 mprotect(0x2a995be000, 1047088, PROT_NONE) = 0 mmap(0x2a996bd000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x2000) = 
0x2a996bd000 close(4) = 0 open("/lib/security/$ISA/pam_unix.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/lib/security/../../lib64/security/pam_unix.so", O_RDONLY) = 4 read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\00008\0\0\0\0\0\0"..., 832) = 832 fstat(4, {st_mode=S_IFREG|0755, st_size=54576, ...}) = 0 mmap(NULL, 1150792, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x2a996be000 mprotect(0x2a996cb000, 1097544, PROT_NONE) = 0 mmap(0x2a997ca000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0xc000) = 0x2a997ca000 mmap(0x2a997cb000, 48968, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2a997cb000 close(4) = 0 open("/etc/ld.so.cache", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=150624, ...}) = 0 mmap(NULL, 150624, PROT_READ, MAP_PRIVATE, 4, 0) = 0x2a997d7000 close(4) = 0 open("/lib64/libnsl.so.1", O_RDONLY) = 4 read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`MP\340>\0\0\0"..., 832) = 832 fstat(4, {st_mode=S_IFREG|0755, st_size=114976, ...}) = 0 mmap(NULL, 1145936, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x2a997fc000 mprotect(0x2a99811000, 1059920, PROT_NONE) = 0 mmap(0x2a99910000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x14000) = 0x2a99910000 mmap(0x2a99912000, 7248, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2a99912000 close(4) = 0 mprotect(0x2a99910000, 4096, PROT_READ) = 0 munmap(0x2a997d7000, 150624) = 0 open("/lib/security/$ISA/pam_deny.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/lib/security/$ISA/pam_succeed_if.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/lib/security/$ISA/pam_permit.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/lib/security/../../lib64/security/pam_permit.so", O_RDONLY) = 4 read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\7\0\0\0\0\0\0"..., 832) = 832 fstat(4, {st_mode=S_IFREG|0755, st_size=4968, ...}) = 0 mmap(NULL, 
1051728, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x2a99914000 mprotect(0x2a99915000, 1047632, PROT_NONE) = 0 mmap(0x2a99a14000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0) = 0x2a99a14000 close(4) = 0 open("/lib/security/$ISA/pam_cracklib.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/lib/security/../../lib64/security/pam_cracklib.so", O_RDONLY) = 4 read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\17\0\0\0\0\0\0"..., 832) = 832 fstat(4, {st_mode=S_IFREG|0755, st_size=13960, ...}) = 0 mmap(NULL, 1077120, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x2a99a15000 mprotect(0x2a99a18000, 1064832, PROT_NONE) = 0 mmap(0x2a99b17000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x2000) = 0x2a99b17000 mmap(0x2a99b18000, 16256, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2a99b18000 close(4) = 0 open("/etc/ld.so.cache", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=150624, ...}) = 0 mmap(NULL, 150624, PROT_READ, MAP_PRIVATE, 4, 0) = 0x2a99b1c000 close(4) = 0 open("/usr/lib64/libcrack.so.2", O_RDONLY) = 4 read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20:0\330>\0\0\0"..., 832) = 832 fstat(4, {st_mode=S_IFREG|0755, st_size=40736, ...}) = 0 mmap(NULL, 1100320, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x2a99b41000 mprotect(0x2a99b49000, 1067552, PROT_NONE) = 0 mmap(0x2a99c49000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x8000) = 0x2a99c49000 mmap(0x2a99c4a000, 14880, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2a99c4a000 close(4) = 0 munmap(0x2a99b1c000, 150624) = 0 open("/lib/security/$ISA/pam_limits.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/lib/security/../../lib64/security/pam_limits.so", O_RDONLY) = 4 read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\27\0\0\0\0\0\0"..., 832) = 832 fstat(4, {st_mode=S_IFREG|0755, st_size=20824, ...}) = 0 
mmap(NULL, 1067848, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x2a99c4e000 mprotect(0x2a99c53000, 1047368, PROT_NONE) = 0 mmap(0x2a99d52000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x4000) = 0x2a99d52000 close(4) = 0 read(3, "", 4096) = 0 close(3) = 0 munmap(0x2a98c3f000, 4096) = 0 open("/etc/pam.d/other", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=230, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2a98c3f000 read(3, "#%PAM-1.0\nauth required "..., 4096) = 230 read(3, "", 4096) = 0 close(3) = 0 munmap(0x2a98c3f000, 4096) = 0 getuid() = 4097 open("/etc/passwd", O_RDONLY) = 3 fcntl(3, F_GETFD) = 0 fcntl(3, F_SETFD, FD_CLOEXEC) = 0 fstat(3, {st_mode=S_IFREG|0644, st_size=1450, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2a98c3f000 read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1450 close(3) = 0 munmap(0x2a98c3f000, 4096) = 0 open("/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied) ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0 ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0 rt_sigprocmask(SIG_BLOCK, [INT TSTP], [], 8) = 0 ioctl(0, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 opost isig icanon -echo ...}) = 0 write(2, "Password: ", 10) = 10 read(0, "rootroot\n", 511) = 9 ioctl(0, SNDCTL_TMR_STOP or TCSETSW, {B38400 opost isig icanon echo ...}) = 0 write(2, "\n", 1) = 1 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 ioctl(0, SNDCTL_TMR_STOP or TCSETSW, {B38400 opost isig icanon echo ...}) = 0 open("/etc/passwd", O_RDONLY) = 3 fcntl(3, F_GETFD) = 0 fcntl(3, F_SETFD, FD_CLOEXEC) = 0 fstat(3, {st_mode=S_IFREG|0644, st_size=1450, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2a98c3f000 read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1450 close(3) = 0 munmap(0x2a98c3f000, 4096) = 0 open("/etc/shadow", O_RDONLY) = -1 
EACCES (Permission denied) geteuid() = 4097 pipe([3, 4]) = 0 rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_DFL}, 8) = 0 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x2a95df6770) = 6102 write(4, "rootroot\0", 9) = 9 close(3) = 0 close(4) = 0 wait4(6102, [{WIFEXITED(s) && WEXITSTATUS(s) == 7}], 0, NULL) = 6102 --- SIGCHLD (Child exited) @ 0 (0) --- getuid() = 4097 geteuid() = 4097 ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0 readlink("/proc/self/fd/0", "/dev/pts/7", 4095) = 10 access("/var/run/utmpx", F_OK) = -1 ENOENT (No such file or directory) open("/var/run/utmp", O_RDWR) = -1 EACCES (Permission denied) open("/var/run/utmp", O_RDONLY) = 3 fcntl(3, F_GETFD) = 0 fcntl(3, F_SETFD, FD_CLOEXEC) = 0 lseek(3, 0, SEEK_SET) = 0 alarm(0) = 0 rt_sigaction(SIGALRM, {0x2a95ba6890, [], SA_RESTORER, 0x2a95ade2f0}, {SIG_DFL}, 8) = 0 alarm(1) = 0 fcntl(3, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0 read(3, "\10\0\0\0\23\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\2\0\0\0\0\0\0\0~\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\1\0\0\0005N\0\0~\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\10\0\0\0v\17\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\6\0\0\0\324\20\0\0tty1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\6\0\0\0\326\20\0\0tty2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\6\0\0\0\327\20\0\0tty3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\6\0\0\0\330\20\0\0tty4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\5\0\0\0\331\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\6\0\0\0\335\20\0\0tty6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\5\0\0\0\336\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, 
"\7\0\0\0\f\26\0\0:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\213\26\0\0pts/1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\277\26\0\0pts/2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\321\26\0\0pts/3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\342\26\0\0pts/4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\363\26\0\0pts/5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\4\27\0\0pts/6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\25\27\0\0pts/7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 fcntl(3, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0 alarm(0) = 1 rt_sigaction(SIGALRM, {SIG_DFL}, NULL, 8) = 0 close(3) = 0 ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0 readlink("/proc/self/fd/0", "/dev/pts/7", 4095) = 10 access("/var/run/utmpx", F_OK) = -1 ENOENT (No such file or directory) open("/var/run/utmp", O_RDWR) = -1 EACCES (Permission denied) open("/var/run/utmp", O_RDONLY) = 3 fcntl(3, F_GETFD) = 0 fcntl(3, F_SETFD, FD_CLOEXEC) = 0 lseek(3, 0, SEEK_SET) = 0 alarm(0) = 0 rt_sigaction(SIGALRM, {0x2a95ba6890, [], SA_RESTORER, 0x2a95ade2f0}, {SIG_DFL}, 8) = 0 alarm(1) = 0 fcntl(3, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0 read(3, "\10\0\0\0\23\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\2\0\0\0\0\0\0\0~\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\1\0\0\0005N\0\0~\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\10\0\0\0v\17\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\6\0\0\0\324\20\0\0tty1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\6\0\0\0\326\20\0\0tty2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, 
"\6\0\0\0\327\20\0\0tty3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\6\0\0\0\330\20\0\0tty4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\5\0\0\0\331\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\6\0\0\0\335\20\0\0tty6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\5\0\0\0\336\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\f\26\0\0:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\213\26\0\0pts/1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\277\26\0\0pts/2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\321\26\0\0pts/3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\342\26\0\0pts/4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\363\26\0\0pts/5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\4\27\0\0pts/6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\25\27\0\0pts/7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 fcntl(3, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0 alarm(0) = 1 rt_sigaction(SIGALRM, {SIG_DFL}, NULL, 8) = 0 close(3) = 0 ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0 readlink("/proc/self/fd/0", "/dev/pts/7", 4095) = 10 access("/var/run/utmpx", F_OK) = -1 ENOENT (No such file or directory) open("/var/run/utmp", O_RDWR) = -1 EACCES (Permission denied) open("/var/run/utmp", O_RDONLY) = 3 fcntl(3, F_GETFD) = 0 fcntl(3, F_SETFD, FD_CLOEXEC) = 0 lseek(3, 0, SEEK_SET) = 0 alarm(0) = 0 rt_sigaction(SIGALRM, {0x2a95ba6890, [], SA_RESTORER, 0x2a95ade2f0}, {SIG_DFL}, 8) = 0 alarm(1) = 0 fcntl(3, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0 read(3, "\10\0\0\0\23\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, 
"\2\0\0\0\0\0\0\0~\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\1\0\0\0005N\0\0~\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\10\0\0\0v\17\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\6\0\0\0\324\20\0\0tty1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\6\0\0\0\326\20\0\0tty2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\6\0\0\0\327\20\0\0tty3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\6\0\0\0\330\20\0\0tty4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\5\0\0\0\331\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\6\0\0\0\335\20\0\0tty6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\5\0\0\0\336\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\f\26\0\0:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\213\26\0\0pts/1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\277\26\0\0pts/2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\321\26\0\0pts/3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\342\26\0\0pts/4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\363\26\0\0pts/5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\4\27\0\0pts/6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\25\27\0\0pts/7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 fcntl(3, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0 alarm(0) = 1 rt_sigaction(SIGALRM, {SIG_DFL}, NULL, 8) = 0 close(3) = 0 ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0 readlink("/proc/self/fd/0", "/dev/pts/7", 4095) = 10 access("/var/run/utmpx", F_OK) = -1 ENOENT (No such file or directory) open("/var/run/utmp", O_RDWR) = -1 EACCES (Permission 
denied) open("/var/run/utmp", O_RDONLY) = 3 fcntl(3, F_GETFD) = 0 fcntl(3, F_SETFD, FD_CLOEXEC) = 0 lseek(3, 0, SEEK_SET) = 0 alarm(0) = 0 rt_sigaction(SIGALRM, {0x2a95ba6890, [], SA_RESTORER, 0x2a95ade2f0}, {SIG_DFL}, 8) = 0 alarm(1) = 0 fcntl(3, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0 read(3, "\10\0\0\0\23\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\2\0\0\0\0\0\0\0~\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\1\0\0\0005N\0\0~\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\10\0\0\0v\17\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\6\0\0\0\324\20\0\0tty1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\6\0\0\0\326\20\0\0tty2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\6\0\0\0\327\20\0\0tty3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\6\0\0\0\330\20\0\0tty4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\5\0\0\0\331\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\6\0\0\0\335\20\0\0tty6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\5\0\0\0\336\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\f\26\0\0:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\213\26\0\0pts/1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\277\26\0\0pts/2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\321\26\0\0pts/3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\342\26\0\0pts/4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\363\26\0\0pts/5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\4\27\0\0pts/6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 read(3, "\7\0\0\0\25\27\0\0pts/7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) 
= 384 fcntl(3, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0 alarm(0) = 1 rt_sigaction(SIGALRM, {SIG_DFL}, NULL, 8) = 0 close(3) = 0 open("/etc/localtime", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=1267, ...}) = 0 fstat(3, {st_mode=S_IFREG|0644, st_size=1267, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2a98c3f000 read(3, "TZif\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 4096) = 1267 close(3) = 0 munmap(0x2a98c3f000, 4096) = 0 stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1267, ...}) = 0 stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1267, ...}) = 0 stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1267, ...}) = 0 getpid() = 6101 socket(PF_FILE, SOCK_DGRAM, 0) = 3 fcntl(3, F_SETFD, FD_CLOEXEC) = 0 connect(3, {sa_family=AF_FILE, path="/dev/log"}, 16) = 0 sendto(3, "<37>Feb 14 10:35:14 su(pam_unix)"..., 134, MSG_NOSIGNAL, NULL, 0) = 134 close(3) = 0 select(0, NULL, NULL, NULL, {2, 347378}) = 0 (Timeout) socket(PF_NETLINK, SOCK_RAW, 9) = 3 fcntl(3, F_SETFD, FD_CLOEXEC) = 0 readlink("/proc/self/exe", "/bin/su", 4095) = 7 open("/usr/lib64/gconv/gconv-modules.cache", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=21546, ...}) = 0 mmap(NULL, 21546, PROT_READ, MAP_SHARED, 4, 0) = 0x2a98c3f000 close(4) = 0 sendto(3, "\204\0\0\0L\4\5\0\1\0\0\0\0\0\0\0PAM authenticati"..., 132, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 132 poll([{fd=3, events=POLLIN, revents=POLLIN}], 1, 100) = 1 recvfrom(3, "$\0\0\0\2\0\0\0\1\0\0\0\325\27\0\0\377\377\377\377\204\0\0\0L\4\5\0\1\0\0\0"..., 8476, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36 recvfrom(3, "$\0\0\0\2\0\0\0\1\0\0\0\325\27\0\0\377\377\377\377\204\0\0\0L\4\5\0\1\0\0\0"..., 8476, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36 getuid() = 4097 close(3) = 0 munmap(0x2a995bb000, 1059376) = 0 munmap(0x2a996be000, 1150792) = 0 munmap(0x2a997fc000, 
1145936) = 0 munmap(0x2a99914000, 1051728) = 0 munmap(0x2a99a15000, 1077120) = 0 munmap(0x2a99b41000, 1100320) = 0 munmap(0x2a99c4e000, 1067848) = 0 munmap(0x2a98d70000, 1052160) = 0 munmap(0x2a98fa6000, 1061960) = 0 munmap(0x2a990aa000, 1059240) = 0 munmap(0x2a991ad000, 1067240) = 0 munmap(0x2a992b2000, 1060104) = 0 munmap(0x2a98e96000, 1111648) = 0 munmap(0x2a993b5000, 1066088) = 0 munmap(0x2a994ba000, 1051392) = 0 open("/usr/share/locale/locale.alias", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=2528, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2a98c45000 read(3, "# Locale name alias data base.\n#"..., 4096) = 2528 read(3, "", 4096) = 0 close(3) = 0 munmap(0x2a98c45000, 4096) = 0 open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en_US.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en_US/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory) write(2, "su: ", 4) = 4 write(2, "incorrect password", 18) = 18 write(2, "\n", 1) = 1 exit_group(1) = ? |
Problem Solved: This was very painful: had to execute each hardening script individually and reboot to see which script broke the su feature. It turned out that one of the scripts set the nosuid in the /etc/fstab file for the / partition. This was not good. Much thanks to Deleriux for support and the major job of looking over an strace output. What a guy.
|
su -
Most likely, su isn't setuid root. Log in as root and type
# chmod u+s /bin/su
That should fix it. If you can't log in as root, AFAIK you're screwed. |
Just to report, I had the same issue. This set the setuid for root. Also check ownership and permissions for sudo beforehand. Both of mine were messed up:
sudo chmod 4755 su |
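The two causes reported in this thread (a nosuid option on the filesystem holding /bin/su, and a missing setuid bit or wrong owner on the binary) can be checked together. The script below is an added example, not code from any poster; the function names, the stand-in binary and the sample fstab are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): checks for the two failure causes
# discussed above. Function names and sample data are constructed.

# mount_opts_for PATH TABLE
# Print the options of the TABLE entry (fstab or /proc/mounts layout) whose
# mount point is the longest prefix of PATH. PATH is not symlink-resolved.
mount_opts_for() {
    awk -v p="$1" '
        /^[ \t]*(#|$)/ { next }          # comments and blank lines
        $2 !~ /^\//    { next }          # swap and other non-path entries
        $2 == "/" || p == $2 || index(p, $2 "/") == 1 {
            # >= so that a later overmount of the same point wins
            if (length($2) >= best) { best = length($2); opts = $4 }
        }
        END { print opts }
    ' "$2"
}

# has_nosuid OPTS: succeed only if "nosuid" is a whole option in OPTS.
has_nosuid() {
    case ",$1," in
        *,nosuid,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# diagnose_su BINARY TABLE: print every reason BINARY cannot gain root.
diagnose_su() {
    d_bin=$1; d_table=$2; d_out=""
    [ -u "$d_bin" ] || d_out="no-setuid-bit"
    d_owner=$(ls -ln "$d_bin" 2>/dev/null | awk '{ print $3 }')
    [ "$d_owner" = "0" ] || d_out="${d_out:+$d_out }not-root-owned"
    if has_nosuid "$(mount_opts_for "$d_bin" "$d_table")"; then
        d_out="${d_out:+$d_out }nosuid-mount"
    fi
    echo "${d_out:-ok}"
}

# Constructed sample: an fstab after a hardening script added nosuid to /.
SAMPLE=$(mktemp)
FAKE_SU=$(mktemp)                        # stand-in file, mode 0755, no setuid
trap 'rm -f "$SAMPLE" "$FAKE_SU"' EXIT
chmod 0755 "$FAKE_SU"
cat > "$SAMPLE" <<'EOF'
# constructed /etc/fstab
LABEL=/      /      ext3  defaults,nosuid        1 1
LABEL=/boot  /boot  ext3  defaults               1 2
/dev/sda3    /home  ext3  defaults,nosuid,nodev  1 2
/dev/sda2    swap   swap  defaults               0 0
EOF

for path in /bin/su /boot/vmlinuz /home/mfbb/tool; do
    opts=$(mount_opts_for "$path" "$SAMPLE")
    if has_nosuid "$opts"; then
        verdict="setuid bits ignored"
    else
        verdict="setuid bits honoured"
    fi
    printf '%-18s %-24s %s\n' "$path" "$opts" "$verdict"
done
echo "stand-in binary: $(diagnose_su "$FAKE_SU" "$SAMPLE")"

# On a live system, check the running mounts rather than fstab:
#   diagnose_su "$(command -v su)" /proc/mounts
```

A nosuid mount leaves the mode bits untouched, so ls still shows rwsr-xr-x on /bin/su while the kernel ignores the bit at exec time. Running su under strace as a non-root user also disables setuid, so euid values in such a trace do not distinguish the two causes.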