Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 513
  • Last Modified:

su, suauth not working

I have a file /etc/suauth containing: root:myuser:NOPASS. Permissions are 640. This works fine on Slackware for letting myuser account become root w/o asking for a password, but Arch requires me to enter the password anyway, as if it is completely ignoring /etc/suauth.

What do I need to do to get suauth working on Arch?
0
jmarkfoley
Asked:
jmarkfoley
  • 7
  • 4
1 Solution
 
Duncan RoeSoftware DeveloperCommented:
You need to install the shadow utilities on the Arch system. That's where suauth comes from. On my Slackware system, the package is shadow-4.1.5.1-i486-2. I expect Arch will have something similar, else you will need to install from source.
0
 
Duncan RoeSoftware DeveloperCommented:
Slackware distributes a package built from ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow
Likely you need to get that, since Arch must have built a different version - check their source iso. I got the url above from the Slackware source iso.
0
 
Duncan RoeSoftware DeveloperCommented:
(The shadow package also includes su)
0
Building an Effective Phishing Protection Program

Join Director of Product Management Todd OBoyle on April 26th as he covers the key elements of a phishing protection program. Whether you’re an old hat at phishing education or considering starting a program -- we'll discuss critical components that should be in any program.

 
jmarkfoleyAuthor Commented:
Must be something else. shadow-4.1.5.1 was already installed. The su man page says, "This version of su uses PAM for authentication, account and session management.   Some  configuration options  found  in  other su implementations, such as support of a wheel group, have to be configured via PAM."

There is a file, /etc/pam.d/su which contains:

auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            required        pam_unix.so
account         required        pam_unix.so
session         required        pam_unix.so

Is this meaningful to anyone or am I barking up the wrong tree?
0
 
Duncan RoeSoftware DeveloperCommented:
Does man suauth work for you?
0
 
Duncan RoeSoftware DeveloperCommented:
Arch distributes shadow 4.1.5.1-7. The -7 means that it's had 7 revisions since shadow_4.1.5.1.orig.tar.gz and likely bears little resemblance to it now.
shadow_4.1.5.1.orig.tar.gz does have support for suauth, but no support for PAM. It's your choice which one you run with.
The URL I posted before doesn't seem to work any more but this one does:  ftp://ftp.debian.org/debian/pool/main/s/shadow/shadow_4.1.5.1.orig.tar.gz
0
 
jmarkfoleyAuthor Commented:
I have temporarily compounded my troubles by apparently trashing the boot filesystem. I'll rebuild and revisit this issue. Meanwhile, yes, I can do `man suauth`.

> Arch distributes shadow 4.1.5.1-7. The -7 means that it's had 7 revisions since
> shadow_4.1.5.1.orig.tar.gz and likely bears little resemblance to it now.

Hmmm, that seems a bit odd. Normally, the less significant the revision digit the more trivial the modifications. I would think if the dash-7 version "bares little resemblance" to the orig version it should be called 4.2 or 5.0 ...

Anyway, I'm looking for the simplest, quickest solution. If I have to use pam, so be it. The system log seems to issue pam messages when I try to do su. I've tried adding myuser to the wheel group and uncommenting the line

auth           sufficient      pam_wheel.so trust use_uid

in /etc/pam.d/su, but so far that's not working. I'm finding it a bit irritating that old, well established features get changed as linux "improves" without much info on how to re-implement the new stuff.

Any help moving forward is greatly appreciated.
0
 
Duncan RoeSoftware DeveloperCommented:
You have to understand how revisions work. All the digits between dots are the package revision. This is the province of the package developer and / or maintainers and no-one else.
Distributors who modify packages tag them with a number after a hyphen. I've seen that number get to 200. shadow 4.1.5.1-7 has introduced PAM, not an insignificant change. Since Arch left the suauth man page in the package, perhaps they broke the functionality by mistake. You should raise a bug report to either fix it or remove the man page.
That will only help you in the short term if Arch are especially responsive. Perhaps they are, I don't know.
Otherwise: you've changed distributors, so you must expect things to be different. Scour the man pages to see if they mention any way the new system can give you the facilities you want. You've been in the game long enough to remember when wheel did anything special, so I'm sure you can do that. How did you find suauth by the way? - it's not in my man su
0
 
jmarkfoleyAuthor Commented:
I'm back! Sorry for the delay. The Arch raspberryPi implementation proved too prone to corruption of the SD card to be useable. There was no fsck of the filesystem at boot time and there seemed to be other issues as well. I had to reflash half a dozen times or more. So, I reloaded with Debian (Raspian). This has proven much more stable and I have not had to reflash the OS at all since. It does do fsck at boot time which I think helps a lot to clean things up from a graceless shutdown (very common with RaspberryPis).

Back to the problem, now with Debian. Now, I DO NOT have man suauth. man su makes no mention of /etc/suauth. So, I think my system is now configured more like what you are used to.

So, the original, hopefully simple question remains: is there is or is there isn't a way to do:

su -

without having to enter the password each time? I don't care if the tool is PAM or whatever, I'd just like to know if/how I can do this. I can't seem to figure it out on my own.
0
 
Duncan RoeSoftware DeveloperCommented:
Not as far as I know. Except, you could try rebuilding standard shadow-utils to get suauth back
0
 
jmarkfoleyAuthor Commented:
Thanks -- I'll move on!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

  • 7
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now