su authentication failure

So the other night I did a chgrp -R and accidentally changed the group of / to www. Realized it pretty quick, when trying to shut down via Gnome, that I had messed something up. So I did chgrp -R root /* and let it finish. Shutting down worked just fine.

However I tried to su and it gave an authentication error. So something got missed, or fouled up and shouldn’t have the root group applied to it. Anyone point me in that direction?

This changed the group of all files/directories to root.

I suppose your problem is related to the fact that /etc/shadow (i.e. where the passwords are stored) is normally owned by the group shadow, not root, and the group has read permissions.

Try to run “chkstat” as root. That should fix the permissions of most system files/folders.
If you get an error message, please post it.

And I guess you should run “chgrp -R users /home/*” at least.

When I try to run it, it doesn’t seem to do anything. I tried --set and --warn for the / directory. I manually chgrp’d the shadow file and shadow-; it didn’t seem to affect the su command. I still get the authentication error. I can log in to Gnome as root (that’s how I’m doing all of this).

And I guess you should run “chgrp -R users /home/*” at least.

I did remember to do that.

Really appreciate the assistance.

Did you get any output?

Run it with --system and DON’T specify /, just this:

chkstat --set --system

(although --set shouldn’t even be necessary)

AHH… OK… That got su working and here is the output… looks like everything it found it could fix properly.

Checking permissions and ownerships - using the permissions files
    /etc/permissions
    /etc/permissions.easy
    /etc/permissions.d/mail-server
    /etc/permissions.d/postfix
    /etc/permissions.local
setting /var/spool/uucp/ to uucp:uucp 0755. (wrong owner/group uucp:root)
setting /etc/ppp/ to root:dialout 0750. (wrong owner/group root:root)
setting /usr/lib/utempter/utempter to root:utmp 2755. (wrong owner/group root:root permissions 0755)
setting /usr/bin/at to root:trusted 4755. (wrong owner/group root:root permissions 0755)
setting /usr/bin/crontab to root:trusted 4755. (wrong owner/group root:root permissions 0755)
setting /usr/bin/gpasswd to root:shadow 4755. (wrong owner/group root:root permissions 0755)
setting /usr/bin/newgrp to root:root 4755. (wrong permissions 0755)
setting /usr/bin/passwd to root:shadow 4755. (wrong owner/group root:root permissions 0755)
setting /usr/bin/chfn to root:shadow 4755. (wrong owner/group root:root permissions 0755)
setting /usr/bin/chage to root:shadow 4755. (wrong owner/group root:root permissions 0755)
setting /usr/bin/chsh to root:shadow 4755. (wrong owner/group root:root permissions 0755)
setting /usr/bin/expiry to root:shadow 4755. (wrong owner/group root:root permissions 0755)
setting /usr/bin/sudo to root:root 4755. (wrong permissions 0755)
setting /sbin/mount.nfs to root:root 4755. (wrong permissions 0755)
setting /usr/bin/eject to root:audio 4755. (wrong owner/group root:root permissions 0755)
setting /usr/bin/fusermount to root:trusted 4755. (wrong owner/group root:root permissions 0755)
setting /sbin/unix_chkpwd to root:shadow 4755. (wrong owner/group root:root permissions 0755)
setting /sbin/unix2_chkpwd to root:shadow 4755. (wrong owner/group root:root permissions 0755)
setting /usr/lib/gnome-pty-helper to root:utmp 2755. (wrong owner/group root:root permissions 0755)
setting /usr/bin/wall to root:tty 2755. (wrong owner/group root:root permissions 0755)
setting /usr/bin/write to root:tty 2755. (wrong owner/group root:root permissions 0755)
setting /sbin/pccardctl to root:trusted 4755. (wrong owner/group root:root permissions 0755)
setting /usr/sbin/mgnokiidev to root:uucp 4755. (wrong owner/group root:root permissions 0755)
setting /usr/lib/libgnomesu/gnomesu-pam-backend to root:root 4755. (wrong permissions 0755)
setting /usr/bin/ping to root:root 0755 "= cap_net_raw+ep". (wrong missing capabilities)
setting /usr/bin/ping6 to root:root 0755 "= cap_net_raw+ep". (wrong missing capabilities)
setting /usr/lib64/kde4/libexec/kcheckpass to root:shadow 4755. (wrong owner/group root:root permissions 0755)
setting /usr/lib64/kde4/libexec/kdesud to root:nogroup 2755. (wrong owner/group root:root permissions 0755)
setting /usr/lib64/kde4/libexec/start_kdeinit to root:root 4755. (wrong permissions 0755)
setting /usr/lib/polkit-1/polkit-agent-helper-1 to root:root 4755. (wrong permissions 0755)
setting /usr/bin/pkexec to root:root 4755. (wrong permissions 0755)
setting /lib/dbus-1/dbus-daemon-launch-helper to root:messagebus 4750. (wrong owner/group root:root permissions 0750)
setting /usr/sbin/lockdev to root:lock 2755. (wrong owner/group root:root permissions 0755)
setting /usr/lib/chrome_sandbox to root:root 4755. (wrong permissions 0755)
setting /usr/bin/su to root:root 4755. (wrong permissions 0755)
setting /usr/bin/mount to root:root 4755. (wrong permissions 0755)
setting /usr/bin/umount to root:root 4755. (wrong permissions 0755)

The root cause was likely the removal of SUID/SGID bits from various programs, including su. Changing ownership resets SUID/SGID bits as a security measure.

opensuse:/tmp # touch xxx
opensuse:/tmp # chmod +x,u+s xxx
opensuse:/tmp # LC_ALL=C ll xxx
-rwsrwxrwt 1 bor bor 0 May  2 11:07 xxx
opensuse:/tmp # chgrp root xxx
opensuse:/tmp # LC_ALL=C ll xxx
-rwxrwxrwt 1 bor root 0 May  2 11:07 xxx
opensuse:/tmp # 

Right. The output from chkstat shows that the suid/sgid bits were missing.

/etc/shadow can only be read by its owner (root) and its group (normally shadow). Because of the missing suid/sgid bits, those utilities only ran as the normal user and therefore could not access it.
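
A read-only audit in the spirit of the chkstat run in this thread, as an added example that is not part of the original posts or of chkstat itself: it compares each file's owner:group and mode against an expected list and flags entries whose setuid/setgid bit has gone missing, without changing anything. The list layout (`<path> <owner>:<group> <mode>`), the function names and the scratch file in `demo` are assumptions made for the illustration; it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example: read-only audit of owner:group and mode against a list.
# Assumed list layout, one entry per line: <path> <owner>:<group> <octal-mode>
# Assumes GNU stat (-c) and paths without whitespace.

# Normalise an octal mode to four digits so "755" and "0755" compare equal.
norm_mode() { printf '%04o' "0$1"; }

# audit_perms LISTFILE: print one line per deviation; return 1 if any found.
audit_perms() {
    bad=0
    while read -r path want_own want_mode; do
        case "$path" in ''|'#'*) continue ;; esac    # skip blanks and comments
        [ -e "$path" ] || continue                   # not installed here
        have_own=$(stat -c '%U:%G' "$path")
        have_mode=$(norm_mode "$(stat -c '%a' "$path")")
        want_mode=$(norm_mode "$want_mode")
        why=""
        [ "$have_own" = "$want_own" ] || why="owner/group $have_own"
        if [ "$have_mode" != "$want_mode" ]; then
            why="${why:+$why, }mode $have_mode"
            # Leading digit 2-7 means setuid and/or setgid is expected.
            case "$want_mode:$have_mode" in
                [2-7]*:[01]*) why="$why (setuid/setgid bit missing)" ;;
            esac
        fi
        if [ -n "$why" ]; then
            echo "$path: expected $want_own $want_mode, found $why"
            bad=1
        fi
    done < "$1"
    return "$bad"
}

# Constructed demo: a scratch file stands in for a setuid helper.
demo() {
    dir=$(mktemp -d) || return 2
    : > "$dir/helper" && chmod 4755 "$dir/helper"
    printf '%s %s 4755\n' "$dir/helper" "$(stat -c '%U:%G' "$dir/helper")" > "$dir/list"
    chmod 0755 "$dir/helper"      # simulate the bit being stripped
    audit_perms "$dir/list"; rc=$?
    rm -rf "$dir"
    return "$rc"
}
```

Calling `demo` prints one deviation line for the scratch file and returns 1; `audit_perms` returns 0 when every listed file matches.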