Guest jackany Posted October 12, 2006

Hi all! After a long time only reading in this forum, now it's time for my first post :-)

I just installed Mandriva 2007 Official and configured msec via the Control Center GUI to allow "su" only for members of @wheel, as I did in every previous version... But with 2007 the rule does not seem to work! Every user can get root by doing "su" and providing the root password!?

I checked /etc/security/msec/level.local and the rule is definitely there:

enable_pam_wheel_for_su (yes)

All the custom settings in perm.local are doing fine, by the way. If I try other rules in level.local they are working too. Allowing "su" only for @wheel members does not! Is there any other config that overrides this one? I do not have a clue yet...
tyme Posted October 12, 2006

You might want to check if all the users are in the wheel group... they may be added to that group by default. Check /etc/groups or run the command:

groups

as the user(s).
Guest jackany Posted October 12, 2006

> you might want to check if all the users are in the wheel group...

I re-checked that; there are users in the wheel group and others not, exactly as I configured them. But the users not in @wheel have the same possibility to get root via "su", very strange in my opinion... or my lack of knowledge :unsure:

By the way, I first did a minimal install with SSH server, then later installed X with KDE, Samba server, NoMachine's free NX server and VMware Server. The same thing happens with a fresh minimal install of 2007 without X and any GUI, msec configured via config files in /etc/security/msec.
ianw1974 Posted October 13, 2006

It's normal that any user can gain access to "su". I found on Mandriva that if I added my users to the wheel group, I could just type su, and then find that it didn't ask for the password anymore. Previously it asked for the password. Incidentally, if the user doesn't know the password for the "root" account, then they can't get in.

The other alternative is to use sudoers to block access to su. Then they won't be able to run it, unless the user is allowed to.
Guest jackany Posted October 13, 2006

> ...if I added my users to the wheel group, I could just type su, and then find that it didn't ask for the password anymore.

Hmm, what msec level are you running? I only use #4 (higher security). There you have to submit a password to su, even if you are a member of @wheel. But if you fire up X and start the configuration of msec with the MCC (Mandriva Control Center), then there definitely is a rule that you can enable that promises: only members of the group wheel are allowed to su. The rule is created (look at /etc/security/msec/level.local) but not effective. I am pretty sure this feature had worked in previous Mandrivas.

> The other alternative is to use sudoers to block access to su. Then they won't be able to run it, unless the user is allowed to.

I did it by hand:

chgrp wheel /bin/su
chmod o-xr /bin/su

That's working pretty fine...
ianw1974 Posted October 13, 2006

Nice one :P I'm using standard security, which is probably why.
Guest jackany Posted October 15, 2006

Ahhh, and this may be the ultimate answer to my problem and the one that allows root login without password: there was an update to PAM, so one should take a look at "/etc/pam.d/su". Take a closer look at the comments... ;)

#%PAM-1.0
auth       sufficient   pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth      sufficient   pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth      required     pam_wheel.so use_uid
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_xauth.so
session    include      system-auth
Guest jackany Posted October 24, 2006

And if all the manual updating of configs still doesn't work, get this update from Mandriva:

_______________________________________________________________________

Mandriva Linux Advisory                                   MDKA-2006:045
http://www.mandriva.com/security/
_______________________________________________________________________

Package : coreutils
Date    : October 23, 2006
Affected: 2007.0
_______________________________________________________________________

Problem Description:

The coreutils package lacked several features due to a build deficiency. As a result, the su program was not linked against the PAM library, making it impossible for su to make use of advanced authentication features that rely on the PAM library. As well, the cp system utility did not keep extended attributes and ACLs in file copies.

This has been corrected in the updated packages.
_______________________________________________________________________

References:

http://qa.mandriva.com/show_bug.cgi?id=26353
_______________________________________________________________________
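As an added example (not code from the thread or from Mandriva), a small POSIX shell audit that reads a /etc/pam.d/su stanza and reports which of the two commented-out pam_wheel lines from jackany's post is actually in force, so the "trust" behaviour ianw1974 saw and the "wheel only" restriction jackany wanted can be told apart; the sample stanzas are constructed from the posted file and the function name su_wheel_policy is my own.

```shell
#!/bin/sh
# Added example, not from the thread: classify the su policy expressed by a
# /etc/pam.d/su stanza read on stdin. Prints one of:
#   open        no active pam_wheel line: anyone who knows the root password can su
#   restricted  "auth required pam_wheel.so" active: only wheel members may su
#   trusted     "auth sufficient pam_wheel.so trust" active: wheel members su
#               without a password (what ianw1974 observed)
#   trusted,restricted  both lines active
# Only meaningful if su is linked against PAM at all (see MDKA-2006:045 above);
# verify with: ldd /bin/su | grep libpam
su_wheel_policy() {
    # Active auth lines loading pam_wheel.so; commented-out lines start with
    # '#' and so never match '^[[:space:]]*auth'.
    active=$(grep -E '^[[:space:]]*auth[[:space:]]+[a-z]+[[:space:]]+pam_wheel\.so' || true)
    verdict=""
    if printf '%s\n' "$active" |
        grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_wheel\.so.*[[:space:]]trust([[:space:]]|$)'; then
        verdict="trusted"
    fi
    if printf '%s\n' "$active" |
        grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so'; then
        verdict="${verdict:+$verdict,}restricted"
    fi
    printf '%s\n' "${verdict:-open}"
}

# Constructed samples modelled on the stock file posted in the thread.
STOCK='#%PAM-1.0
auth sufficient pam_rootok.so
#auth sufficient pam_wheel.so trust use_uid
#auth required pam_wheel.so use_uid
auth include system-auth'
# Same file with the "required" line uncommented (su limited to wheel).
RESTRICTED='auth sufficient pam_rootok.so
auth required pam_wheel.so use_uid
auth include system-auth'
# Same file with the "trust" line uncommented (wheel needs no password).
TRUSTED='auth sufficient pam_rootok.so
auth sufficient pam_wheel.so trust use_uid
auth include system-auth'

for s in "$STOCK" "$RESTRICTED" "$TRUSTED"; do
    printf '%s\n' "$s" | su_wheel_policy
done
# Report the live policy too, when the file is readable.
if [ -r /etc/pam.d/su ]; then
    su_wheel_policy < /etc/pam.d/su
fi
```

The stock stanza reports "open", which matches what jackany saw: msec writing enable_pam_wheel_for_su to level.local changes nothing while both pam_wheel lines stay commented out.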