Thread: su authentication failure

  1. #1

    Question su authentication failure

    So the other night I did a chgrp -R and accidentally changed the group of / to www. Realized it pretty quick, when trying to shutdown via Gnome, that I had messed something up. So I did chgrp -R root /* and let it finish. Shutting down worked just fine.

    However I tried to su and it gave an authentication error. So something got missed, or fouled up and shouldn't have the root group applied to it. Anyone point me in that direction?

  2. #2

    Default Re: su authentication failure

    Quote Originally Posted by troykent View Post
    So the other night I did a chgrp -R and accidentally changed the group of / to www. Realized it pretty quick, when trying to shutdown via Gnome, that I had messed something up. So I did chgrp -R root /* and let it finish. Shutting down worked just fine.
    This changed the group of _all_ files/directories to root.

    However I tried to su and it gave an authentication error. So something got missed, or fouled up and shouldn't have the root group applied to it. Anyone point me in that direction?
    I suppose your problem is related to the fact that /etc/shadow (i.e. where the passwords are stored) is normally owned by the group shadow, not root, and the group has read permissions.

    Try to run "chkstat" as root. That should fix the permissions of most system files/folders.
    If you get an error message, please post it.

    And I guess you should run "chgrp -R users /home/*" at least.
    Last edited by wolfi323; 01-May-2014 at 16:55.

  3. #3

    Default Re: su authentication failure

    Quote Originally Posted by wolfi323 View Post
    This changed the group of _all_ files/directories to root.


    I suppose your problem is related to the fact that /etc/shadow (i.e. where the passwords are stored) is normally owned by the group shadow, not root, and the group has read permissions.

    Try to run "chkstat" as root. That should fix the permissions of most system files/folders.
    If you get an error message, please post it.
    When I try to run it, it doesn't seem to do anything. I tried --set and --warn for the / directory. I manually chgrp'd the shadow file and shadow-; that didn't seem to affect the su command. I still get the authentication error. I can log in to Gnome as root (how I'm doing all of this).

    And I guess you should run "chgrp -R users /home/*" at least.
    I did remember to do that.

    Really appreciate the assistance.

  4. #4

    Default Re: su authentication failure

    Quote Originally Posted by troykent View Post
    When I try to run it, it doesn't seem to do anything. I tried --set and --warn for the / directory.
    Did you get any output?

    Run it with --system and DON'T specify /, just this:
    Code:
    chkstat --set --system
    (although --set shouldn't even be necessary)
    Last edited by wolfi323; 01-May-2014 at 17:10.

  5. #5

    Default Re: su authentication failure

    Quote Originally Posted by wolfi323 View Post
    Did you get any output?

    Run it with --system and DON'T specify /, just this:
    Code:
    chkstat --set --system
    (although --set shouldn't even be necessary)
    AHH... OK.. That got su working and here is the output... looks like everything it found it could fix properly.

    Code:
    Checking permissions and ownerships - using the permissions files
        /etc/permissions
        /etc/permissions.easy
        /etc/permissions.d/mail-server
        /etc/permissions.d/postfix
        /etc/permissions.local
    setting /var/spool/uucp/ to uucp:uucp 0755. (wrong owner/group uucp:root)
    setting /etc/ppp/ to root:dialout 0750. (wrong owner/group root:root)
    setting /usr/lib/utempter/utempter to root:utmp 2755. (wrong owner/group root:root permissions 0755)
    setting /usr/bin/at to root:trusted 4755. (wrong owner/group root:root permissions 0755)
    setting /usr/bin/crontab to root:trusted 4755. (wrong owner/group root:root permissions 0755)
    setting /usr/bin/gpasswd to root:shadow 4755. (wrong owner/group root:root permissions 0755)
    setting /usr/bin/newgrp to root:root 4755. (wrong permissions 0755)
    setting /usr/bin/passwd to root:shadow 4755. (wrong owner/group root:root permissions 0755)
    setting /usr/bin/chfn to root:shadow 4755. (wrong owner/group root:root permissions 0755)
    setting /usr/bin/chage to root:shadow 4755. (wrong owner/group root:root permissions 0755)
    setting /usr/bin/chsh to root:shadow 4755. (wrong owner/group root:root permissions 0755)
    setting /usr/bin/expiry to root:shadow 4755. (wrong owner/group root:root permissions 0755)
    setting /usr/bin/sudo to root:root 4755. (wrong permissions 0755)
    setting /sbin/mount.nfs to root:root 4755. (wrong permissions 0755)
    setting /usr/bin/eject to root:audio 4755. (wrong owner/group root:root permissions 0755)
    setting /usr/bin/fusermount to root:trusted 4755. (wrong owner/group root:root permissions 0755)
    setting /sbin/unix_chkpwd to root:shadow 4755. (wrong owner/group root:root permissions 0755)
    setting /sbin/unix2_chkpwd to root:shadow 4755. (wrong owner/group root:root permissions 0755)
    setting /usr/lib/gnome-pty-helper to root:utmp 2755. (wrong owner/group root:root permissions 0755)
    setting /usr/bin/wall to root:tty 2755. (wrong owner/group root:root permissions 0755)
    setting /usr/bin/write to root:tty 2755. (wrong owner/group root:root permissions 0755)
    setting /sbin/pccardctl to root:trusted 4755. (wrong owner/group root:root permissions 0755)
    setting /usr/sbin/mgnokiidev to root:uucp 4755. (wrong owner/group root:root permissions 0755)
    setting /usr/lib/libgnomesu/gnomesu-pam-backend to root:root 4755. (wrong permissions 0755)
    setting /usr/bin/ping to root:root 0755 "= cap_net_raw+ep". (wrong missing capabilities)
    setting /usr/bin/ping6 to root:root 0755 "= cap_net_raw+ep". (wrong missing capabilities)
    setting /usr/lib64/kde4/libexec/kcheckpass to root:shadow 4755. (wrong owner/group root:root permissions 0755)
    setting /usr/lib64/kde4/libexec/kdesud to root:nogroup 2755. (wrong owner/group root:root permissions 0755)
    setting /usr/lib64/kde4/libexec/start_kdeinit to root:root 4755. (wrong permissions 0755)
    setting /usr/lib/polkit-1/polkit-agent-helper-1 to root:root 4755. (wrong permissions 0755)
    setting /usr/bin/pkexec to root:root 4755. (wrong permissions 0755)
    setting /lib/dbus-1/dbus-daemon-launch-helper to root:messagebus 4750. (wrong owner/group root:root permissions 0750)
    setting /usr/sbin/lockdev to root:lock 2755. (wrong owner/group root:root permissions 0755)
    setting /usr/lib/chrome_sandbox to root:root 4755. (wrong permissions 0755)
    setting /usr/bin/su to root:root 4755. (wrong permissions 0755)
    setting /usr/bin/mount to root:root 4755. (wrong permissions 0755)
    setting /usr/bin/umount to root:root 4755. (wrong permissions 0755)

  6. #6

    Default Re: su authentication failure

    Quote Originally Posted by wolfi323 View Post

    I suppose your problem is related to the fact that /etc/shadow (i.e. where the passwords are stored) is normally owned by the group shadow, not root, and the group has read permissions.
    The root cause was likely the removal of SUID/SGID bits from various programs, including su. Changing ownership resets SUID/SGID bits as a security measure.
    Code:
    opensuse:/tmp # touch xxx
    opensuse:/tmp # chmod +x,u+s xxx
    opensuse:/tmp # LC_ALL=C ll xxx
    -rwsrwxrwt 1 bor bor 0 May  2 11:07 xxx
    opensuse:/tmp # chgrp root xxx
    opensuse:/tmp # LC_ALL=C ll xxx
    -rwxrwxrwt 1 bor root 0 May  2 11:07 xxx
    opensuse:/tmp #

  7. #7

    Default Re: su authentication failure

    Quote Originally Posted by arvidjaar View Post
    The root cause was likely the removal of SUID/SGID bits from various programs, including su. Changing ownership resets SUID/SGID bits as a security measure.
    Right. The output from chkstat shows that the suid/sgid bits were missing.

    /etc/shadow can only be read by its owner (root) and its group (shadow normally). Because of the missing suid/sgid bits, those utilities only ran as the normal user and therefore could not access it.
    Last edited by wolfi323; 02-May-2014 at 04:03.
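
Added example (not part of the thread, and not chkstat's own code): a small shell auditor in the spirit of `chkstat --warn`, which compares files against an expected "path owner:group mode" list and reports drift such as a lost setuid bit. The manifest layout mirrors the triples in the chkstat output above and is an assumption, as are the name `audit_perms` and the demo paths; it relies on GNU `stat`.

```shell
#!/bin/sh
# audit_perms MANIFEST
# MANIFEST lines (assumed format): "<path> <owner>:<group> <octal mode>".
# Blank lines and '#' comments are skipped. Prints one line per drifted
# file and returns 1 if any drift was found, 0 otherwise.
audit_perms() {
    manifest=$1
    drift=0
    while read -r path owner_group mode rest; do
        case $path in ''|'#'*) continue ;; esac
        [ -e "$path" ] || continue            # not present on this system
        # GNU stat: %U:%G = owner:group names, %a = octal mode incl. suid/sgid
        actual=$(stat -c '%U:%G %a' "$path") || continue
        have_og=${actual% *}
        have_mode=${actual#* }
        # stat prints 755 for 0755, so strip leading zeros before comparing
        want_mode=$(printf '%s' "$mode" | sed 's/^0*//')
        [ -n "$want_mode" ] || want_mode=0
        problems=
        [ "$have_og" = "$owner_group" ] || problems="wrong owner/group $have_og"
        if [ "$have_mode" != "$want_mode" ]; then
            problems="${problems:+$problems }permissions $have_mode"
        fi
        if [ -n "$problems" ]; then
            echo "$path should be $owner_group $mode ($problems)"
            drift=1
        fi
    done < "$manifest"
    return "$drift"
}

# Constructed demo: a scratch file stands in for a setuid binary such as su.
demo=$(mktemp -d)
touch "$demo/su"
chmod 4755 "$demo/su"
echo "$demo/su $(stat -c '%U:%G' "$demo/su") 4755" > "$demo/permissions"
audit_perms "$demo/permissions" && echo "before chgrp: no drift"
# As shown in post #6, changing the group makes the kernel drop the setuid
# bit, even when the new group is the same as the old one.
chgrp "$(id -g)" "$demo/su"
audit_perms "$demo/permissions" || echo "after chgrp: drift found"
rm -rf "$demo"
```

Running an audit like this before and after a bulk `chown`/`chgrp` shows exactly which special bits need restoring; on openSUSE the actual repair is `chkstat --set --system`, as used in the thread.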
