Solved

su, suauth not working

Posted on 2013-11-03
Last Modified: 2013-11-29
I have a file /etc/suauth containing: root:myuser:NOPASS. Permissions are 640. This works fine on Slackware for letting myuser account become root w/o asking for a password, but Arch requires me to enter the password anyway, as if it is completely ignoring /etc/suauth.

What do I need to do to get suauth working on Arch?
Question by:jmarkfoley
11 Comments
 
LVL 35

Expert Comment

by:Duncan Roe
ID: 39620692
You need to install the shadow utilities on the Arch system. That's where suauth comes from. On my Slackware system, the package is shadow-4.1.5.1-i486-2. I expect Arch will have something similar, else you will need to install from source.
0
 
LVL 35

Expert Comment

by:Duncan Roe
ID: 39620702
Slackware distributes a package built from ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow
Likely you need to get that, since Arch must have built a different version - check their source iso. I got the url above from the Slackware source iso.
0
 
LVL 35

Expert Comment

by:Duncan Roe
ID: 39620703
(The shadow package also includes su)
0
LVL 1

Author Comment

by:jmarkfoley
ID: 39620727
Must be something else. shadow-4.1.5.1 was already installed. The su man page says, "This version of su uses PAM for authentication, account and session management. Some configuration options found in other su implementations, such as support of a wheel group, have to be configured via PAM."

There is a file, /etc/pam.d/su which contains:

auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            required        pam_unix.so
account         required        pam_unix.so
session         required        pam_unix.so

Is this meaningful to anyone or am I barking up the wrong tree?
0
 
LVL 35

Expert Comment

by:Duncan Roe
ID: 39620787
Does man suauth work for you?
0
 
LVL 35

Expert Comment

by:Duncan Roe
ID: 39620801
Arch distributes shadow 4.1.5.1-7. The -7 means that it's had 7 revisions since shadow_4.1.5.1.orig.tar.gz and likely bears little resemblance to it now.
shadow_4.1.5.1.orig.tar.gz does have support for suauth, but no support for PAM. It's your choice which one you run with.
The URL I posted before doesn't seem to work any more but this one does:  ftp://ftp.debian.org/debian/pool/main/s/shadow/shadow_4.1.5.1.orig.tar.gz
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 39622747
I have temporarily compounded my troubles by apparently trashing the boot filesystem. I'll rebuild and revisit this issue. Meanwhile, yes, I can do `man suauth`.

> Arch distributes shadow 4.1.5.1-7. The -7 means that it's had 7 revisions since
> shadow_4.1.5.1.orig.tar.gz and likely bears little resemblance to it now.

Hmmm, that seems a bit odd. Normally, the less significant the revision digit the more trivial the modifications. I would think if the dash-7 version "bears little resemblance" to the orig version it should be called 4.2 or 5.0 ...

Anyway, I'm looking for the simplest, quickest solution. If I have to use pam, so be it. The system log seems to issue pam messages when I try to do su. I've tried adding myuser to the wheel group and uncommenting the line

auth           sufficient      pam_wheel.so trust use_uid

in /etc/pam.d/su, but so far that's not working. I'm finding it a bit irritating that old, well established features get changed as Linux "improves" without much info on how to re-implement the new stuff.

Any help moving forward is greatly appreciated.
0
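
An added example, not part of any post in this thread: a small audit of the two files discussed above, /etc/suauth and /etc/pam.d/su, that lists every rule granting root through su without a password. It assumes the suauth(5) line format to-id:from-id:ACTION and plain PAM lines (type, control, module, arguments); the function names and sample contents are hypothetical. It reports what is configured, not whether the installed su build honors it.

```python
# Added example: the sample file contents below are constructed for illustration.
SUAUTH_SAMPLE = """\
# to-id:from-id:ACTION
root:myuser:NOPASS
root:ALL EXCEPT GROUP wheel:DENY
"""

PAM_SU_SAMPLE = """\
auth            sufficient      pam_rootok.so
auth            sufficient      pam_wheel.so trust use_uid
#auth           required        pam_wheel.so use_uid
auth            required        pam_unix.so
"""


def covers_root(to_id):
    """True if a suauth to-id field (ALL, ALL EXCEPT ..., or a list) includes root."""
    if to_id.startswith("ALL EXCEPT"):
        excluded = to_id[len("ALL EXCEPT"):].replace(",", " ").split()
        return "root" not in excluded
    return to_id == "ALL" or "root" in [t.strip() for t in to_id.split(",")]


def suauth_nopass(text):
    """Return the from-id field of every suauth rule giving root with NOPASS.

    suauth applies the first matching rule, so an earlier line may still
    override a hit; review the reported rules in file order.
    """
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split(":")
        if line.startswith("#") or len(parts) != 3:
            continue  # comment, blank or malformed line
        to_id, from_id, action = (p.strip() for p in parts)
        if covers_root(to_id) and action == "NOPASS":
            hits.append(from_id)
    return hits


def pam_trusting_auth(text):
    """Return active auth lines where pam_wheel.so is 'sufficient' with 'trust'."""
    hits = []
    for raw in text.splitlines():
        f = raw.split()
        if len(f) >= 3 and f[0] == "auth" and f[1] == "sufficient" \
                and f[2] == "pam_wheel.so" and "trust" in f[3:]:
            hits.append(" ".join(f))
    return hits
```

To audit a live system, pass the contents of the real files to the two functions instead of the samples.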
 
LVL 35

Expert Comment

by:Duncan Roe
ID: 39622959
You have to understand how revisions work. All the digits between dots are the package revision. This is the province of the package developer and / or maintainers and no-one else.
Distributors who modify packages tag them with a number after a hyphen. I've seen that number get to 200. shadow 4.1.5.1-7 has introduced PAM, not an insignificant change. Since Arch left the suauth man page in the package, perhaps they broke the functionality by mistake. You should raise a bug report to either fix it or remove the man page.
That will only help you in the short term if Arch are especially responsive. Perhaps they are, I don't know.
Otherwise: you've changed distributors, so you must expect things to be different. Scour the man pages to see if they mention any way the new system can give you the facilities you want. You've been in the game long enough to remember when wheel did anything special, so I'm sure you can do that. How did you find suauth by the way? - it's not in my man su
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 39670881
I'm back! Sorry for the delay. The Arch Raspberry Pi implementation proved too prone to corruption of the SD card to be useable. There was no fsck of the filesystem at boot time and there seemed to be other issues as well. I had to reflash half a dozen times or more. So, I reloaded with Debian (Raspbian). This has proven much more stable and I have not had to reflash the OS at all since. It does do fsck at boot time which I think helps a lot to clean things up from a graceless shutdown (very common with Raspberry Pis).

Back to the problem, now with Debian. Now, I DO NOT have man suauth. man su makes no mention of /etc/suauth. So, I think my system is now configured more like what you are used to.

So, the original, hopefully simple question remains: is there or isn't there a way to do:

su -

without having to enter the password each time? I don't care if the tool is PAM or whatever, I'd just like to know if/how I can do this. I can't seem to figure it out on my own.
0
 
LVL 35

Accepted Solution

by:
Duncan Roe earned 500 total points
ID: 39670906
Not as far as I know. Except, you could try rebuilding standard shadow-utils to get suauth back.
0
 
LVL 1

Author Closing Comment

by:jmarkfoley
ID: 39685521
Thanks -- I'll move on!
0
