Normal users can't su to root? Why not?

jon_k · 05-13-2004, 07:48 PM

I've gotton root to a server from which is profesionally hosted.

I have root access, and I've found out that if I log in as a user then go

su
<type password here>

then it says

[jon_k@sls-dc4p3 root]$ su
Password:
su: incorrect password
[jon_k@sls-dc4p3 jon_k]$

I am _sure_ this is the password i've tried it hundreds of times.

I can ssh in to the box as root and then do su jon_k and get in to jon_k fine.

Is there a security feature disabling su to root? If so how could i disable it?

Please help me I'm pulling my hair out on this it's frustrating as hell!
ANY HELP APPRICIATED, THANK YOU!

jtshaw · 05-13-2004, 08:56 PM

On many machine users have to been in the wheel group to su. Also, sometimes admins will disable su completely and make users use sudo instead.

jon_k · 05-13-2004, 08:59 PM

How do I get my user in the "wheel" to be able to SU.

I've got root to this box, so I can fix this if anyone knows how to get me in the "wheel" as explained above.

jtshaw · 05-13-2004, 10:05 PM

Edit /etc/group

Somewhere in there there will be a line like this wheel:x:username1,usernamer2

Add your user to this list (comma is the dilimeter).

rdmenotte · 05-13-2004, 10:08 PM

It would probably be safer and quicker to do this :-)

gpasswd -a username wheel

Of course you would want to change username with a user like Tom, Harry, etc thus making it look like:

gpasswd -a rdmenotte wheel

man gpasswd for some options :-)

have phun!!

jtshaw · 05-13-2004, 10:14 PM

Eh... why are people so scared of text files?

Balban · 05-13-2004, 11:52 PM

Doesn’t su need to run as root, so that it can access the password files?, I get the same error after I change its access rights

rdmenotte · 05-14-2004, 12:35 AM

It's not that people are scared of text files... but why open the file, find the line, edit and save and still have the possibility to screw it up? Why not just use the tool and be correct?

SciYro · 05-14-2004, 12:46 AM

gpasswd --help and you'll see why

and see what happens when you don't enter in a password when you use su,, but i think Balban is correct

rdmenotte · 05-14-2004, 10:26 AM

actually... I was just saying to use gpasswd to add users to groups...

jon_k · 05-14-2004, 12:07 PM

Okay, tried what was mentioned:

-----------------------------------------------------

Code:

[root@sls-dc4p3 home]# gpasswd -a jon_k wheel
Adding user jon_k to group wheel
[root@sls-dc4p3 home]# su jon_k
[jon_k@sls-dc4p3 home]$ su
Password:
su: incorrect password
[jon_k@sls-dc4p3 home]$ su
Password:
su: incorrect password
[jon_k@sls-dc4p3 home]$

-----------------------------------------------------

See, still doesn't work. Any idea? :/

Thank you.

Jon Kelley

jon_k · 05-15-2004, 01:57 AM

*bump*

kj6loh · 07-09-2004, 04:09 PM

The thing about this system is that su has been disabled. If you are using pam, a lot of linux users are and don't even know it, then check the su config file in pam and it should have something like this.

In fedora core 2 it's in /etc/pam.d/su. Add this line

auth required /lib/security/$ISA/pam_wheel.so use_uid

Then only those in the wheel group will be able to use su. Everyone will still be able to run it. But everyone not in the wheel group will get an incorrect password response, no matter what password you enter, does not matter if it is correct or not.

I'm looking for something similar. I have a post in another part of the board about su and wheel group. but I do not want to disable su for some people.