I am encountering an odd problem with su. Up until quite recently I was able to connect to one of my servers (CentOS-5.2) via ssh as an ordinary user and then, from the shell, perform an $ su -l to obtain root access. Now when I try to do this I see the following:
$ su -l
Password:
su: incorrect password
If, instead, I ssh to this machine as the root user ($ ssh -l root host) and enter exactly the same password from the same keyboard then I log in successfully as root. I have made no conscious changes to the target system configuration files and I know that the first method, logging in as a normal user and then su -l to root, was working just a few days ago. Review of the man and info pages does not enlighten me as to what might be wrong. The log file says this:
Jan 14 12:00:22 inet01 sshd[15433]: Accepted password for myuser from x.x.x.x port 53458 ssh2
Jan 14 12:00:22 inet01 sshd[15433]: pam_unix(sshd:session): session opened for user myuser by (uid=0)
Jan 14 12:00:32 inet01 su: pam_unix(su-l:auth): authentication failure; logname=myuser uid=500 euid=500 tty=pts/8 ruser=myuser rhost= user=root
Any ideas as to what might be happening here and how I might fix it?
Regards,
On Wed Jan 14 17:16:01 UTC 2009, nate centos at linuxpowered.net wrote:
It's a long shot but check that /bin/su is setuid?
From a 5.1 system:
-rwsr-xr-x 1 root root 24060 Mar 21 2007 /bin/su
This is what I have on that host:
# ll /bin/su
-rwxr-xr-x 1 root root 24120 May 24 2008 /bin/su
su -l runs ok. It prompts for a password, but it invariably fails saying that the wrong password has been entered.
I noticed that the suid mode was missing and set it with chmod u+s /usr/bin/su. Now the permissions are:
$ ll $(which su)
-rwsr-xr-x 1 root root 24120 May 24 2008 /bin/su
And now su -l works for ordinary users. Thank you very much.
I am certain that I have not been changing file modes in /usr/bin, ever. Does anyone have any idea how this change could occur? Where would a file mode change be logged, if at all?
Thanks.
James B. Byrne wrote:
I noticed that the suid mode was missing and set it with chmod u+s /usr/bin/su. Now the permissions are:
$ ll $(which su)
-rwsr-xr-x 1 root root 24120 May 24 2008 /bin/su
And now su -l works for ordinary users. Thank you very much.
I am certain that I have not been changing file modes in /usr/bin, ever. Does anyone have any idea how this change could occur? Where would a file mode change be logged, if at all?
I'm not aware of anything outside of host intrusion detection systems that would log something like a file mode change. Not sure what might have changed it, short of someone mistyping a command, perhaps a find command with -exec chmod run as root from the wrong directory, or a chmod -R or something.
nate
James B. Byrne wrote on Wed, 14 Jan 2009 16:11:52 -0500 (EST):
Does anyone have any idea how this change could occur?
There are some security tools that could be configured to reset SUID bits on files in certain paths with their default templates.
Kai
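The thread asks where a mode change such as the lost setuid bit on su would be noticed. The following is an added example, not part of the original thread: a small baseline check of the kind a host intrusion detection system performs, recording mode and owner and reporting drift later. The function names, the baseline line format and the file name fake-su are assumptions made for this example; it relies on GNU stat.

```shell
#!/bin/sh
# Added example: detect mode/owner drift on files such as setuid binaries.
# Baseline line format (assumed here): "<octal-mode> <owner> <path>"

# record_baseline FILE... : print one baseline line per file
record_baseline() {
    for f in "$@"; do
        stat -c '%a %U %n' "$f"
    done
}

# check_baseline BASELINE : print drift, return 1 if anything differs
check_baseline() {
    drift=0
    while read -r want_mode want_owner path; do
        [ -n "$path" ] || continue
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
            drift=1
            continue
        fi
        have=$(stat -c '%a %U' "$path")
        if [ "$have" != "$want_mode $want_owner" ]; then
            echo "CHANGED $path: expected $want_mode $want_owner, found $have"
            drift=1
        fi
    done < "$1"
    return $drift
}

# demo: constructed case mirroring the thread (recorded 4755, later found 755)
demo() {
    dir=$(mktemp -d) || return 2
    : > "$dir/fake-su"
    chmod 4755 "$dir/fake-su"
    record_baseline "$dir/fake-su" > "$dir/baseline"
    chmod 755 "$dir/fake-su"      # setuid bit lost, as happened to /bin/su
    check_baseline "$dir/baseline"
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

On an RPM-based system, rpm -Vf /bin/su makes a comparable comparison against the package database and flags a differing mode with M.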