Solved

su, suauth not working

Posted on 2013-11-03
458 Views
Last Modified: 2013-11-29
I have a file /etc/suauth containing: root:myuser:NOPASS. Permissions are 640. This works fine on Slackware for letting myuser account become root w/o asking for a password, but Arch requires me to enter the password anyway, as if it is completely ignoring /etc/suauth.

What do I need to do to get suauth working on Arch?
Question by:jmarkfoley
11 Comments
 
LVL 34

Expert Comment

by:Duncan Roe
ID: 39620692
You need to install the shadow utilities on the Arch system. That's where suauth comes from. On my Slackware system, the package is shadow-4.1.5.1-i486-2. I expect Arch will have something similar, else you will need to install from source.
0
 
LVL 34

Expert Comment

by:Duncan Roe
ID: 39620702
Slackware distributes a package built from ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow
Likely you need to get that, since Arch must have built a different version - check their source iso. I got the url above from the Slackware source iso.
0
 
LVL 34

Expert Comment

by:Duncan Roe
ID: 39620703
(The shadow package also includes su)
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 39620727
Must be something else. shadow-4.1.5.1 was already installed. The su man page says, "This version of su uses PAM for authentication, account and session management. Some configuration options found in other su implementations, such as support of a wheel group, have to be configured via PAM."

There is a file, /etc/pam.d/su which contains:

auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            required        pam_unix.so
account         required        pam_unix.so
session         required        pam_unix.so

Is this meaningful to anyone or am I barking up the wrong tree?
0
 
LVL 34

Expert Comment

by:Duncan Roe
ID: 39620787
Does man suauth work for you?
0
 
LVL 34

Expert Comment

by:Duncan Roe
ID: 39620801
Arch distributes shadow 4.1.5.1-7. The -7 means that it's had 7 revisions since shadow_4.1.5.1.orig.tar.gz and likely bears little resemblance to it now.
shadow_4.1.5.1.orig.tar.gz does have support for suauth, but no support for PAM. It's your choice which one you run with.
The URL I posted before doesn't seem to work any more but this one does:  ftp://ftp.debian.org/debian/pool/main/s/shadow/shadow_4.1.5.1.orig.tar.gz
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 39622747
I have temporarily compounded my troubles by apparently trashing the boot filesystem. I'll rebuild and revisit this issue. Meanwhile, yes, I can do `man suauth`.

> Arch distributes shadow 4.1.5.1-7. The -7 means that it's had 7 revisions since
> shadow_4.1.5.1.orig.tar.gz and likely bears little resemblance to it now.

Hmmm, that seems a bit odd. Normally, the less significant the revision digit the more trivial the modifications. I would think if the dash-7 version "bears little resemblance" to the orig version it should be called 4.2 or 5.0 ...

Anyway, I'm looking for the simplest, quickest solution. If I have to use pam, so be it. The system log seems to issue pam messages when I try to do su. I've tried adding myuser to the wheel group and uncommenting the line

auth           sufficient      pam_wheel.so trust use_uid

in /etc/pam.d/su, but so far that's not working. I'm finding it a bit irritating that old, well established features get changed as Linux "improves" without much info on how to re-implement the new stuff.

Any help moving forward is greatly appreciated.
0
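
Added example (not part of the original thread, and not code from shadow or Linux-PAM): an audit sketch that parses a PAM service file such as the /etc/pam.d/su quoted above and lists the auth entries that can let su succeed without a password prompt, following the documented meaning of `sufficient`, pam_rootok and pam_wheel's `trust` option. The sample stacks are constructed from the lines quoted in this thread, and the function names are hypothetical.

```python
# Added example: audit a PAM auth stack for password-free "su" paths.
# Sample stacks are constructed from the /etc/pam.d/su lines quoted in the thread.
WHEEL = "auth sufficient pam_wheel.so trust use_uid"
TEMPLATE = """\
auth sufficient pam_rootok.so
{wheel}
#auth required pam_wheel.so use_uid
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
"""
STOCK = TEMPLATE.format(wheel="#" + WHEEL)   # file as shipped
TRUSTED = TEMPLATE.format(wheel=WHEEL)       # "implicitly trust wheel" line enabled

def parse_auth(text):
    """Yield (control, module, options) for active 'auth' lines, in stack order."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop comments
        fields = line.split()
        if len(fields) >= 3 and fields[0].lstrip("-") == "auth":
            yield fields[1], fields[2].rsplit("/", 1)[-1], fields[3:]

def passwordless_paths(text):
    """Return descriptions of auth entries that can end the stack with no password."""
    # Assumption: simple controls only; [bracketed] controls and include lines
    # are not evaluated, and pam_unix.so is the only password module considered.
    findings = []
    for control, module, opts in parse_auth(text):
        if control in ("required", "requisite") and module == "pam_unix.so":
            break                            # a password check is mandatory from here on
        if control != "sufficient":
            continue
        if module == "pam_rootok.so":
            findings.append("root caller (uid 0) via pam_rootok.so")
        elif module == "pam_wheel.so" and "trust" in opts:
            group = next((o.split("=", 1)[1] for o in opts if o.startswith("group=")), "wheel")
            who = "calling uid" if "use_uid" in opts else "original login"
            findings.append(f"members of group '{group}' ({who}) via pam_wheel.so trust")
    return findings

if __name__ == "__main__":
    for name, stack in (("stock", STOCK), ("wheel trusted", TRUSTED)):
        print(name, "->", passwordless_paths(stack))
```

Run against a real /etc/pam.d/su, any entry beyond the pam_rootok.so line is an account or group that reaches root with no password and belongs in the access review.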
 
LVL 34

Expert Comment

by:Duncan Roe
ID: 39622959
You have to understand how revisions work. All the digits between dots are the package revision. This is the province of the package developer and / or maintainers and no-one else.
Distributors who modify packages tag them with a number after a hyphen. I've seen that number get to 200. shadow 4.1.5.1-7 has introduced PAM, not an insignificant change. Since Arch left the suauth man page in the package, perhaps they broke the functionality by mistake. You should raise a bug report to either fix it or remove the man page.
That will only help you in the short term if Arch are especially responsive. Perhaps they are, I don't know.
Otherwise: you've changed distributors, so you must expect things to be different. Scour the man pages to see if they mention any way the new system can give you the facilities you want. You've been in the game long enough to remember when wheel did anything special, so I'm sure you can do that. How did you find suauth by the way? - it's not in my man su
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 39670881
I'm back! Sorry for the delay. The Arch Raspberry Pi implementation proved too prone to corruption of the SD card to be useable. There was no fsck of the filesystem at boot time and there seemed to be other issues as well. I had to reflash half a dozen times or more. So, I reloaded with Debian (Raspbian). This has proven much more stable and I have not had to reflash the OS at all since. It does do fsck at boot time which I think helps a lot to clean things up from a graceless shutdown (very common with Raspberry Pis).

Back to the problem, now with Debian. Now, I DO NOT have man suauth. man su makes no mention of /etc/suauth. So, I think my system is now configured more like what you are used to.

So, the original, hopefully simple question remains: is there or isn't there a way to do:

su -

without having to enter the password each time? I don't care if the tool is PAM or whatever, I'd just like to know if/how I can do this. I can't seem to figure it out on my own.
0
 
LVL 34

Accepted Solution

by:
Duncan Roe earned 500 total points
ID: 39670906
Not as far as I know. Except, you could try rebuilding standard shadow-utils to get suauth back.
0
 
LVL 1

Author Closing Comment

by:jmarkfoley
ID: 39685521
Thanks -- I'll move on!
0
