Gentoo Forums
Does su read /etc/suauth under gentoo?
Wes
n00b
n00b


Joined: 14 Jun 2002
Posts: 28

Posted: Wed Jun 26, 2002 11:27 pm    Post subject: Does su read /etc/suauth under gentoo?

I have no trouble doing an "su root", but when I tried to change things around by creating an /etc/suauth file, it made no difference to the behavior of su. In particular, I'm still challenged for a password even when (for user "foo") I put this line in /etc/suauth:

root:foo:NOPASS

Even doing this made no difference to anything.

root:foo:DENY

It looks as if, contrary to the man page, su does not check /etc/suauth.

Does anybody know anything about this? Does gentoo, perhaps, compile su in a way that blocks the behavior described in the man page for suauth?

Thanks in advance for any info.

Wes
klieber
Bodhisattva
Bodhisattva


Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA

Posted: Wed Jun 26, 2002 11:46 pm    Post subject:

suauth was one thing we couldn't get working on the forums server. Just a SWAG, but have you tried placing the suauth file in either /etc/su/suauth or /etc/suauth/suauth? Most of the other daemons have their config files stored within a subdir in /etc, so maybe that's what Gentoo is looking for. (again, that's a SWAG, so don't expect wonders :))

Either way, I'd file a bug report on it (after first checking to see if one has already been filed)

--kurt
_________________
The problem with political jokes is that they get elected
Wes
n00b
n00b


Joined: 14 Jun 2002
Posts: 28

Posted: Thu Jun 27, 2002 12:22 am    Post subject: su doesn't read /etc/suauth

Ok, I tried creating subdirectories - /etc/su/, /etc/suauth/, /etc/su.d/ - and putting suauth there. It didn't work. As far as I can see, this su simply doesn't read suauth. Maybe that behavior is switched off.

Thanks for the suggestion!
trippeh
n00b
n00b


Joined: 29 Jun 2002
Posts: 5
Location: Norway, Oslo

Posted: Sat Jun 29, 2002 3:07 am    Post subject:

It's controlled through PAM, not suauth.
_________________
André Tomt aka trippeh
Wes
n00b
n00b


Joined: 14 Jun 2002
Posts: 28

Posted: Sat Jun 29, 2002 2:37 pm    Post subject: Does su read /etc/suauth under gentoo?

Thanks for the info. So the answer is no, and I need to look into PAM instead.

I've always found PAM rather intimidating. Would you happen to know offhand what the "su" file in /etc/pam.d should look like if I want a certain user to be able to su to root without entering a password?
Nitro
Bodhisattva
Bodhisattva


Joined: 08 Apr 2002
Posts: 661
Location: San Francisco

Posted: Sun Jun 30, 2002 6:13 am    Post subject: Tada!

I did some research, and if you compile the shadow package (the package that supplies su and everything for /etc/passwd and /etc/group) with pam, you don't get suauth. I could hack the configure script and change that, but the developers did it for a reason.

Anywho, the solution is in PAM as many of you have already determined. The following works for me, and works as expected. I tested all exceptions I could think of, but then again it is 1:00 in the morning and I might have overlooked something.

And here it is:
  1. Edit /etc/pam.d/su, after
    Code:
    auth       sufficient   /lib/security/pam_rootok.so
    add
    Code:
    auth       sufficient   /lib/security/pam_listfile.so item=ruser \
                            onerr=fail sense=allow file=/etc/security/su-nopass

  2. Create a /etc/security/su-nopass file, and put one username per line. Only put users that you want to have access to root without a password.
  3. Double check the permissions on the file, we don't want it world writable, and world readable is a matter of personal preference.

Basically, the above says that any user in the su-nopass file is allowed to su without entering a password.

You could move the pam_wheel module before the pam_listfile line to require the user to belong to the wheel group. Again, this is personal preference based on security needs.

Hope it works, tell me what you think. Tell me if there are any flaws.
_________________
- Kyle Manna

Please, please SEARCH before posting.

There are three kinds of people in the world: those who can count, and those who can't.
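
The setup in the post above can be checked with a short audit script. This is an added example, not part of the original post: the function names are hypothetical, and the demo runs on constructed copies in a temp directory (owner passed as the current UID) instead of the live /etc files.

```shell
#!/bin/sh
# Added example: audit the passwordless-su setup from the post above.

# OK only if the list file is owned by $2 (default root) and not writable by
# group or others; anyone who can write it can add themselves to the list.
check_nopass_perms() {
    f=$1; owner=${2:-root}
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    [ -n "$(find "$f" -prune -user "$owner")" ] || { echo "not owned by $owner: $f"; return 1; }
    [ -z "$(find "$f" -prune \( -perm -020 -o -perm -002 \))" ] || { echo "group/world writable: $f"; return 1; }
    return 0
}

# OK only if the PAM file has an auth pam_listfile line naming the list file
# with item=ruser, sense=allow and onerr=fail (backslash continuations joined).
check_pam_listfile() {
    pam=$1; list=$2
    line=$(awk '{ while (sub(/\\$/, "") && (getline nxt) > 0) $0 = $0 " " nxt
                  gsub(/[ \t]+/, " ") }
                $1 == "auth" && /pam_listfile\.so/ { print; exit }' "$pam")
    [ -n "$line" ] || { echo "no pam_listfile auth line in $pam"; return 1; }
    for opt in item=ruser sense=allow onerr=fail "file=$list"; do
        case "$line " in
            *" $opt "*) ;;
            *) echo "missing option: $opt"; return 1 ;;
        esac
    done
    return 0
}

# Constructed sample files (copies of what the post describes) in a temp dir.
demo=$(mktemp -d)
cat > "$demo/su" <<'EOF'
auth       sufficient   /lib/security/pam_rootok.so
auth       sufficient   /lib/security/pam_listfile.so item=ruser \
                        onerr=fail sense=allow file=/etc/security/su-nopass
EOF
echo foo > "$demo/su-nopass"; chmod 600 "$demo/su-nopass"

check_pam_listfile "$demo/su" /etc/security/su-nopass && echo "PAM line OK"
check_nopass_perms "$demo/su-nopass" "$(id -u)" && echo "permissions OK"
chmod 666 "$demo/su-nopass"   # simulate a world-writable list
check_nopass_perms "$demo/su-nopass" "$(id -u)" || echo "flagged as expected"
rm -rf "$demo"
```

On a real system, call the two functions with /etc/pam.d/su and /etc/security/su-nopass and leave the owner argument at its default of root.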
Wes
n00b
n00b


Joined: 14 Jun 2002
Posts: 28

Posted: Sun Jun 30, 2002 2:59 pm    Post subject: PAM and suauth

Thanks so much. It worked perfectly, and exactly as advertised!
WladyX
Guru
Guru


Joined: 25 Nov 2004
Posts: 503
Location: Romania

Posted: Sat Apr 16, 2005 7:48 pm    Post subject:

Thanks very much, helped me also :D
_________________
We are not alone.