Full Version: su forbidden but still working! [solved]
jackany
Hi all! After a long time only reading in this forum, now it's time for my first post :-)

I just installed Mandriva 2007 Official and configured msec via the Control Center GUI not to allow "su" except for members of @wheel.
As I did in every previous version...

But with 2007 the rule does not seem to work! Every user can get root with doing "su" and providing root password!?

I checked /etc/security/msec/level.local and the rule is definitely there:

CODE
enable_pam_wheel_for_su (yes)
All the custom settings in perm.local are doing fine, by the way.
If I try other rules in level.local they are working too.
Allowing "su" only for @wheel members does not!

Is there any other config that overrides this one? I do not have a clue, yet...
tyme
you might want to check if all the users are in the wheel group...they may be added to that group by default. check /etc/groups or run the command:
CODE
groups
as the user(s).
jackany
QUOTE (tyme @ Oct 12 2006, 06:23 PM)
you might want to check if all the users are in the wheel group...


I re-checked that, there are users in the wheel group and others not.
Exactly as I configured them.

But the users not in @wheel have the same possibility to get root via "su", very strange in my opinion...
Or my lack of knowledge.

By the way, I first did a minimal install with SSH-Server, then later installed X with KDE, Samba Server, Nomachines free NX-Server and VMware-Server.

Same thing happens with a fresh minimal install of 2007 without X and any gui, msec configured via config files in /etc/security/msec.
ianw1974
It's normal that any user can gain access to "su". I found on Mandriva, if I added my users to the wheel group, I could just type su, and then find that it didn't ask for the password anymore. Previously it asked for the password.

Incidentally, if the user doesn't know the password for the "root" account, then they can't get in.

The other alternative is to use sudoers to block access to su. Then they won't be able to run it, unless the user is allowed to.
jackany
QUOTE (ianw1974 @ Oct 13 2006, 08:09 AM)
...if I added my users to the wheel group, I could just type su, and then find that it didn't ask for the password anymore.

Hmm, what msec level are you running? I only use #4 (higher security). There you have to submit a password to su, even if you are member of @wheel.

But if you fire up X and start the configuration of msec with the MCC (Mandriva Control Center), then there definitely is a rule that you can enable that promises: only members of the group wheel are allowed to su.
The rule is created ( look at /etc/security/msec/level.local ) but not effective.

I am pretty sure this feature had worked in previous Mandrivas.

QUOTE (ianw1974 @ Oct 13 2006, 08:09 AM)
The other alternative, is to use sudoers to block access to su. Then they won't be able to run it, unless the user is allowed to.

I did it by hand:
CODE
chgrp wheel /bin/su
chmod o-xr /bin/su

That's working pretty fine...
ianw1974
Nice one

I'm using standard security, is probably why.
jackany
Ahhh, and this may be the ultimate answer to my problem and the one that allows root login without password:

There was an update to PAM so that one should take a look at "/etc/pam.d/su"
Take a closer look at the comments...

CODE
#%PAM-1.0
auth       sufficient   pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     pam_wheel.so use_uid
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_xauth.so
session    include      system-auth


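As an added example (not code from the thread or from Mandriva), here is a small POSIX shell audit covering the three things discussed in this thread: whether pam_wheel.so is actually active in /etc/pam.d/su rather than sitting in a comment, whether the su binary is linked against libpam at all (if it is not, no PAM rule, and therefore no msec enable_pam_wheel_for_su setting, can take effect), and whether the chgrp/chmod workaround from earlier in the thread has removed world execute. The function names and the sample PAM file are constructed for this example; the sample mirrors the stock file quoted above with both pam_wheel lines commented out.

```shell
#!/bin/sh
# Added example: audit helpers for the "su still works for non-wheel users"
# problem. Function names are hypothetical; nothing here is Mandriva's own code.

# pam_wheel_policy FILE
# Reports how pam_wheel.so is configured in a PAM service file (e.g. /etc/pam.d/su):
#   required - users outside the wheel group are denied su
#   trust    - wheel members skip the password prompt (the "trust" option)
#   none     - pam_wheel.so is absent or present only in a comment
pam_wheel_policy() {
    file=$1
    # Strip comment lines first: the stock file ships both pam_wheel lines
    # commented out, and a naive grep would report them as active.
    active=$(grep -v '^[[:space:]]*#' "$file" | grep 'pam_wheel\.so' || true)
    if [ -z "$active" ]; then
        echo none
    elif printf '%s\n' "$active" | grep -q 'trust'; then
        echo trust
    elif printf '%s\n' "$active" | grep -q 'required'; then
        echo required
    else
        echo other
    fi
}

# su_linked_against_pam BINARY
# "yes" if the binary is dynamically linked against libpam. A "no" for /bin/su
# means PAM rules cannot take effect at all, which is the build defect the
# coreutils advisory below describes.
su_linked_against_pam() {
    bin=${1:-/bin/su}
    if ldd "$bin" 2>/dev/null | grep -q 'libpam\.so'; then
        echo yes
    else
        echo no
    fi
}

# world_executable FILE
# "yes" if the "others" execute bit is set (last character of the ls -l mode
# field). After "chmod o-xr /bin/su" this should print "no".
world_executable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        *x|*t) echo yes ;;
        *)     echo no ;;
    esac
}

# Demo on a constructed copy of the stock /etc/pam.d/su quoted in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_rootok.so
#auth       sufficient   pam_wheel.so trust use_uid
#auth       required     pam_wheel.so use_uid
auth       include      system-auth
EOF
echo "pam_wheel policy in sample file: $(pam_wheel_policy "$sample")"        # none
chmod 750 "$sample"
echo "sample world-executable after chmod 750: $(world_executable "$sample")" # no
rm -f "$sample"
echo "/bin/su linked against libpam: $(su_linked_against_pam /bin/su)"
```

Run it as an unprivileged user on the affected box: "none" from the first check means the PAM file is still the stock one, "no" from the libpam check means the unfixed coreutils build is installed and editing /etc/pam.d/su cannot help until the package is updated, and "no" from the last check confirms the chgrp/chmod workaround is in place.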
jackany
And if all the manual updating of configs still doesn't work, get this update from Mandriva:
QUOTE
_______________________________________________________________________

Mandriva Linux Advisory MDKA-2006:045
http://www.mandriva.com/security/
_______________________________________________________________________

Package : coreutils
Date : October 23, 2006
Affected: 2007.0
_______________________________________________________________________

Problem Description:

The coreutils package lacked several features due to a build
deficiency. As a result, the su program was not linked against the PAM
library, making it impossible for su to make use of advanced
authentication features that rely on the PAM library. As well, the cp
system utility did not keep extended attributes and ACLs in file
copies.

This has been corrected in the updated packages.
_______________________________________________________________________

References:

http://qa.mandriva.com/show_bug.cgi?id=26353
_______________________________________________________________________