Vraag & Antwoord

OS Linux

SU werkt niet

9 antwoorden
  • Jaja, ik ben vervelend de laatse tijd, maar dit is _echt_ mijn laatse LFS vraagje ;-) Op een één of andere manier werkt su niet, wel vanuit de root account maar de gewone user krijgt div errors. [code:1:99edafdfde] bash-2.05a$ su ] Password: ****** setgid: Operation not permitted bash-2.05a$ su dries ] Password: ***** initgroups: Operation not permitted bash-2.05a$ [/code:1:99edafdfde] Hoezo operation not permitted?? Ik vul toch m'n password in :oops: ? Mochten jullie 'm nodig hebben wil ik hier mijn /etc/login.defs wel even laten zien.... Bedankt, Barry
  • Op veel *nix systemen moet je in de wheel groep zitten om su uit te mogen voeren. Welicht werkt lfs ook op die manier.
  • Duidelijk niet ;-) [code:1:930ccef4b1] bash-2.05a$ cat /etc/login.defs # # /etc/login.defs - Configuration control definitions for the login package. # # $Id: login.defs.linux,v 1.12 2000/08/26 18:27:10 marekm Exp $ # # Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. # If unspecified, some arbitrary (and possibly incorrect) value will # be assumed. All other items are optional - if not specified then # the described action or option will be inhibited. # # Comment lines (lines beginning with "#") and blank lines are ignored. # # Modified for Linux. --marekm # # Delay in seconds before being allowed another attempt after a login failure # FAIL_DELAY 3 # # Enable additional passwords upon dialup lines specified in /etc/dialups. # DIALUPS_CHECK_ENAB yes # # Enable logging and display of /var/log/faillog login failure info. # FAILLOG_ENAB yes # # Enable display of unknown usernames when login failures are recorded. # LOG_UNKFAIL_ENAB no # # Enable logging of successful logins # LOG_OK_LOGINS no # # Enable logging and display of /var/log/lastlog login time info. # LASTLOG_ENAB yes # # Enable checking and display of mailbox status upon login. # # Disable if the shell startup files already check for mail # ("mailx -e" or equivalent). # MAIL_CHECK_ENAB yes # # Enable additional checks upon password changes. # OBSCURE_CHECKS_ENAB yes # # Enable checking of time restrictions specified in /etc/porttime. # PORTTIME_CHECKS_ENAB yes # # Enable setting of ulimit, umask, and niceness from passwd gecos field. # QUOTAS_ENAB yes # # Enable "syslog" logging of su activity - in addition to sulog file logging. # SYSLOG_SG_ENAB does the same for newgrp and sg. # SYSLOG_SU_ENAB yes SYSLOG_SG_ENAB yes # # If defined, either full pathname of a file containing device names or # a ":" delimited list of device names. Root logins will be allowed only # upon these devices. # CONSOLE /etc/securetty #CONSOLE console:tty01:tty02:tty03:tty04 # # If defined, all su activity is logged to this file. # SULOG_FILE /var/log/sulog # # If defined, ":" delimited list of "message of the day" files to # be displayed upon login. # MOTD_FILE /etc/motd #MOTD_FILE /etc/motd:/usr/lib/news/news-motd # # If defined, this file will be output before each login prompt. # #ISSUE_FILE /etc/issue # # If defined, file which maps tty line to TERM environment parameter. # Each line of the file is in a format something like "vt100 tty01". # #TTYTYPE_FILE /etc/ttytype # # If defined, login failures will be logged here in a utmp format. # last, when invoked as lastb, will read /var/log/btmp, so... # FTMP_FILE /var/log/btmp # # If defined, name of file whose presence which will inhibit non-root # logins. The contents of this file should be a message indicating # why logins are inhibited. # #NOLOGINS_FILE /etc/nologin # # If defined, the command name to display when running "su -". For # example, if this is defined as "su" then a "ps" will display the # command is "-su". If not defined, then "ps" would display the # name of the shell actually being run, e.g. something like "-sh". # SU_NAME su # # *REQUIRED* # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, MAIL_DIR takes precedence. # QMAIL_DIR is for Qmail # #QMAIL_DIR Maildir MAIL_DIR /var/mail #MAIL_FILE .mail # # If defined, file which inhibits all the usual chatter during the login # sequence. If a full pathname, then hushed mode will be enabled if the # user's name or shell are found in the file. If not a full pathname, then # hushed mode will be enabled if the file exists in the user's home directory. # HUSHLOGIN_FILE .hushlogin #HUSHLOGIN_FILE /etc/hushlogins # # If defined, the presence of this value in an /etc/passwd "shell" field will # disable logins for that user, although "su" will still be allowed. # # XXX this does not seem to be implemented yet... --marekm # no, it was implemented but I ripped it out ;-) -- jfh #NOLOGIN_STR NOLOGIN # # If defined, either a TZ environment parameter spec or the # fully-rooted pathname of a file containing such a spec. # #ENV_TZ TZ=CST6CDT #ENV_TZ /etc/tzname # # If defined, an HZ environment parameter spec. # # for Linux/x86 ENV_HZ HZ=100 # For Linux/Alpha... #ENV_HZ HZ=1024 # # *REQUIRED* The default PATH settings, for superuser and normal users. # # (they are minimal, add the rest in the shell startup files) ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin ENV_PATH PATH=/bin:/usr/bin # # Terminal permissions # # TTYGROUP Login tty will be assigned this group ownership. # TTYPERM Login tty will be set to this permission. # # If you have a "write" program which is "setgid" to a special group # which owns the terminals, define TTYGROUP to the group number and # TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign # TTYPERM to either 622 or 600. # TTYGROUP tty #TTYPERM 0600 # # Login configuration initializations: # # ERASECHAR Terminal ERASE character ('\010' = backspace). # KILLCHAR Terminal KILL character ('\025' = CTRL/U). # UMASK Default "umask" value. # ULIMIT Default "ulimit" value. # # The ERASECHAR and KILLCHAR are used only on System V machines. # The ULIMIT is used only if the system supports it. # (now it works with setrlimit too; ulimit is in 512-byte units) # # Prefix these values with "0" to get octal, "0x" to get hexadecimal. # ERASECHAR 0177 KILLCHAR 025 UMASK 022 #ULIMIT 2097152 # # Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 PASS_MIN_LEN 5 PASS_WARN_AGE 7 # # If "yes", the user must be listed as a member of the first gid 0 group # in /etc/group (called "root" on most Linux systems) to be able to "su" # to uid 0 accounts. If the group doesn't exist or is empty, no one # will be able to "su" to uid 0. # ################################################ # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! SU_WHEEL_ONLY no #^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ################################################ # # If compiled with cracklib support, where are the dictionaries # #CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict # # Min/max values for automatic uid selection in useradd # UID_MIN 1000 UID_MAX 60000 # # Min/max values for automatic gid selection in groupadd # GID_MIN 100 GID_MAX 60000 # # Max number of login retries if password is bad # LOGIN_RETRIES 5 # # Max time in seconds for login # LOGIN_TIMEOUT 60 # # Maximum number of attempts to change password if rejected (too easy) # PASS_CHANGE_TRIES 5 # # Warn about weak passwords (but still allow them) if you are root. # PASS_ALWAYS_WARN yes # # Number of significant characters in the password for crypt(). # Default is 8, don't change unless your crypt() is better. # Ignored if MD5_CRYPT_ENAB set to "yes". # #PASS_MAX_LEN 8 # # Require password before chfn/chsh can make any changes. # CHFN_AUTH yes # # Which fields may be changed by regular users using chfn - use # any combination of letters "frwh" (full name, room number, work # phone, home phone). If not defined, no changes are allowed. # For backward compatibility, "yes" = "rwh" and "no" = "frwh". # CHFN_RESTRICT rwh # # Password prompt (%s will be replaced by user name). # # XXX - it doesn't work correctly yet, for now leave it commented out # to use the default which is just "Password: ". LOGIN_STRING "] Password: " # # Only works if compiled with MD5_CRYPT defined: # If set to "yes", new passwords will be encrypted using the MD5-based # algorithm compatible with the one used by recent releases of FreeBSD. # It supports passwords of unlimited length and longer salt strings. # Set to "no" if you need to copy encrypted passwords to other systems # which don't understand the new algorithm. Default is "no". # MD5_CRYPT_ENAB no # # List of groups to add to the user's supplementary group set # when logging in on the console (as determined by the CONSOLE # setting). Default is none. # # Use with caution - it is possible for users to gain permanent # access to these groups, even when not logged in on the console. # How to do it is left as an exercise for the reader... # CONSOLE_GROUPS floppy:audio:cdrom # # Should login be allowed if we can't cd to the home directory? # Default in no. # DEFAULT_HOME yes # # If this file exists and is readable, login environment will be # read from it. Every line should be in the form name=value. # ENVIRON_FILE /etc/environment # # If defined, this command is run when removing a user. # It should remove any at/cron/print jobs etc. owned by # the user to be removed (passed as the first argument). # #USERDEL_CMD /usr/sbin/userdel_local # # If defined, either full pathname of a file containing device names or # a ":" delimited list of device names. No password is required to log in # as a non-root user on these devices. # #NO_PASSWORD_CONSOLE tty1:tty2:tty3:tty4:tty5:tty6 # # When prompting for password without echo, getpass() can optionally # display a random number (in the range 1 to GETPASS_ASTERISKS) of '*' # characters for each character typed. This feature is designed to # confuse people looking over your shoulder when you enter a password :-). # Also, the new getpass() accepts both Backspace (8) and Delete (127) # keys to delete previous character (to cope with different terminal # types), Control-U to delete all characters, and beeps when there are # no more characters to delete, or too many characters entered. # # Setting GETPASS_ASTERISKS to 1 results in more traditional behaviour - # exactly one '*' displayed for each character typed. # # Setting GETPASS_ASTERISKS to 0 disables the '*' characters (Backspace, # Delete, Control-U and beep continue to work as described above). # # Setting GETPASS_ASTERISKS to -1 reverts to the traditional getpass() # without any new features. This is the default. # GETPASS_ASTERISKS 1 # # Enable setting of the umask group bits to be the same as owner bits # (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is # the same as gid, and username is the same as the primary group name. # # This also enables userdel to remove user groups if no members exist. # #USERGROUPS_ENAB yes bash-2.05a$ [/code:1:930ccef4b1]
  • Het wordt nu wel heel erg gissen, maar.... Wordt login.defs nog wel gebruikt voor su. Zou het kunnen dat deze authorisatie door PAM wordt afgehandeld in moderne systemen? Op mijn debian systeem bestaat /etc/pam.d/su. Ik zou niet weten of een barebones LFS systeem al met PAM werkt. Je kunt het in ieder geval even testen door jezelf aan group wheel toe te voegen en dan zien of su werkt.
  • [quote:8168507b05="robian"]Het wordt nu wel heel erg gissen, maar.... Wordt login.defs nog wel gebruikt voor su. Zou het kunnen dat deze authorisatie door PAM wordt afgehandeld in moderne systemen? Op mijn debian systeem bestaat /etc/pam.d/su. Ik zou niet weten of een barebones LFS systeem al met PAM werkt. Je kunt het in ieder geval even testen door jezelf aan group wheel toe te voegen en dan zien of su werkt.[/quote:8168507b05] Dit is volgens mij wel het geval bij Gentoo
  • Nope, heb er geen PAM op staan. Eerst wel, maar toen er te veel probelemen mee had heb ik het er met harde hand af gewerkt. Sinds toen heb ik een aantal van dit soort probs gehad, ik dacht echter dat het nu helemaal goed zat maar niet dus ;-)
  • Heb nu immiddels ook GLIBC maar opnieuw gebakken maar dat maakt ook niks uit :-( Is er echt niemand die raad weet?
  • Laatste poging voordat ik opgeef. Hoe zit het met de file-permissies van su. Mijn Debian systeem: [code:1:733173569b] $ ls -l `which su` -rwsr-xr-x 1 root root 22904 2003-04-26 21:50 /bin/su [/code:1:733173569b]
  • Goh, niet zo gauw opgeven ;-) Ik ben er trouwens uit: na vanalles opnieuw gecompiled te hebben bleek shadow de rotte (root-te) appel te zijn. Nu kan ik weer gezellig root spelen. Bedankt iedereen!

Beantwoord deze vraag

Weet jij het antwoord op deze vraag? Registreer of meld je aan met je account

Dit is een gearchiveerde pagina. Antwoorden is niet meer mogelijk.