"Permissions on the password database may be too restrictive"

hcgrant · 05-23-2007, 08:29 AM

Hi Folks
When i try to su to root in a console window I get the message

"Permissions on the password database may be too restrictive"

I've been messing around trying to correct ownership problems with chown and must have screwed something somewhere. I can ctrl-alt-F1 to a text console and login as root. However if I try to use any functions via the gui needing root privilages I get the message above or "su error"

Does anyone know which file the password database is in? I'm using Opensuse10.2 64 bit version

Thanks

jewillia · 05-23-2007, 09:34 AM

If you are using the standard password file and not LDAP or NIS or any other authentication, you will probably want to check the permissions on /etc/shadow and /etc/passwd. I think /etc/shadow should only be readable by root (400) and /etc/passwd should be readable/writable by root, readable by root group, and readable by everyone (644).

mmn357157 · 05-23-2007, 10:18 AM

hi,
/etc/passwd (644)
/etc/shadow (400)

...are the default permissions. if you made any changes, please revert to the defaults. never allow shadow file readable to other users!

if you are using KDE desktop, do the following. its a fix to KDE on SuSE.

Quote:

You need to edit the file /opt/kde3/share/config/kdeglobals as a root user and add the following line at the end of the file and save it:

[super-user-command]
super-user-command=su

I found this at http://www.linuxquestions.org/questi...d.php?t=551508

________________________________
mmn

hcgrant · 05-24-2007, 06:11 AM

Thanks Folks

Sorted!!!

I can now get YAST via the Gui

Z038 · 05-25-2007, 10:29 PM

I noticed that the permissions on my /etc/shadow file are 640, not 400.

Here is what I see:

Code:

-rw-r----- 1 root shadow 657 2006-12-02 22:42 shadow
-rw------- 1 root root   624 2006-12-02 22:42 shadow-
-rw------- 1 root root   607 2006-08-13 06:34 shadow.bak
-rw-r----- 1 root shadow 405 2003-06-16 19:50 shadow.new

Is this something I should be concerned about?

hcgrant · 05-26-2007, 03:27 AM

I'm guessing here , its possibly a distribution thing but
400 means root only can read the shadow file (security) but cant accidentally write to it. So if root is adding a new user he has to explicitly change the file permissions to write to the file. If chmod is only usable by root when logged in locally then a hacker (assuming a remote access ) cant add to the file.
Any one know about restrictions to chmod use ?