Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

su, suauth not working

Posted on 2013-11-03
11
Medium Priority
?
495 Views
Last Modified: 2013-11-29
I have a file /etc/suauth containing: root:myuser:NOPASS. Permissions are 640. This works fine on Slackware for letting myuser account become root w/o asking for a password, but Arch requires me to enter the password anyway, as if it is completely ignoring /etc/suauth.

What do I need to do to get suauth working on Arch?
0
Comment
Question by:jmarkfoley
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 4
11 Comments
 
LVL 35

Expert Comment

by:Duncan Roe
ID: 39620692
You need to install the shadow utilities on the Arch system. That's where suauth comes from. On my Slackware system, the package is shadow-4.1.5.1-i486-2. I expect Arch will have something similar, else you will need to install from source.
0
 
LVL 35

Expert Comment

by:Duncan Roe
ID: 39620702
Slackware distributes a package built from ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow
Likely you need to get that, since Arch must have built a different version - check their source iso. I got the url above from the Slackware source iso.
0
 
LVL 35

Expert Comment

by:Duncan Roe
ID: 39620703
(The shadow package also includes su)
0
Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

 
LVL 1

Author Comment

by:jmarkfoley
ID: 39620727
Must be something else. shadow-4.1.5.1 was already installed. The su man page says, "This version of su uses PAM for authentication, account and session management.   Some  configuration options  found  in  other su implementations, such as support of a wheel group, have to be configured via PAM."

There is a file, /etc/pam.d/su which contains:

auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            required        pam_unix.so
account         required        pam_unix.so
session         required        pam_unix.so

Is this meaningful to anyone or am I barking up the wrong tree?
0
 
LVL 35

Expert Comment

by:Duncan Roe
ID: 39620787
Does man suauth work for you?
0
 
LVL 35

Expert Comment

by:Duncan Roe
ID: 39620801
Arch distributes shadow 4.1.5.1-7. The -7 means that it's had 7 revisions since shadow_4.1.5.1.orig.tar.gz and likely bears little resemblance to it now.
shadow_4.1.5.1.orig.tar.gz does have support for suauth, but no support for PAM. It's your choice which one you run with.
The URL I posted before doesn't seem to work any more but this one does:  ftp://ftp.debian.org/debian/pool/main/s/shadow/shadow_4.1.5.1.orig.tar.gz
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 39622747
I have temporarily compounded my troubles by apparently trashing the boot filesystem. I'll rebuild and revisit this issue. Meanwhile, yes, I can do `man suauth`.

> Arch distributes shadow 4.1.5.1-7. The -7 means that it's had 7 revisions since
> shadow_4.1.5.1.orig.tar.gz and likely bears little resemblance to it now.

Hmmm, that seems a bit odd. Normally, the less significant the revision digit the more trivial the modifications. I would think if the dash-7 version "bares little resemblance" to the orig version it should be called 4.2 or 5.0 ...

Anyway, I'm looking for the simplest, quickest solution. If I have to use pam, so be it. The system log seems to issue pam messages when I try to do su. I've tried adding myuser to the wheel group and uncommenting the line

auth           sufficient      pam_wheel.so trust use_uid

in /etc/pam.d/su, but so far that's not working. I'm finding it a bit irritating that old, well established features get changed as linux "improves" without much info on how to re-implement the new stuff.

Any help moving forward is greatly appreciated.
0
 
LVL 35

Expert Comment

by:Duncan Roe
ID: 39622959
You have to understand how revisions work. All the digits between dots are the package revision. This is the province of the package developer and / or maintainers and no-one else.
Distributors who modify packages tag them with a number after a hyphen. I've seen that number get to 200. shadow 4.1.5.1-7 has introduced PAM, not an insignificant change. Since Arch left the suauth man page in the package, perhaps they broke the functionality by mistake. You should raise a bug report to either fix it or remove the man page.
That will only help you in the short term if Arch are especially responsive. Perhaps they are, I don't know.
Otherwise: you've changed distributors, so you must expect things to be different. Scour the man pages to see if they mention any way the new system can give you the facilities you want. You've been in the game long enough to remember when wheel did anything special, so I'm sure you can do that. How did you find suauth by the way? - it's not in my man su
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 39670881
I'm back! Sorry for the delay. The Arch raspberryPi implementation proved too prone to corruption of the SD card to be useable. There was no fsck of the filesystem at boot time and there seemed to be other issues as well. I had to reflash half a dozen times or more. So, I reloaded with Debian (Raspian). This has proven much more stable and I have not had to reflash the OS at all since. It does do fsck at boot time which I think helps a lot to clean things up from a graceless shutdown (very common with RaspberryPis).

Back to the problem, now with Debian. Now, I DO NOT have man suauth. man su makes no mention of /etc/suauth. So, I think my system is now configured more like what you are used to.

So, the original, hopefully simple question remains: is there is or is there isn't a way to do:

su -

without having to enter the password each time? I don't care if the tool is PAM or whatever, I'd just like to know if/how I can do this. I can't seem to figure it out on my own.
0
 
LVL 35

Accepted Solution

by:
Duncan Roe earned 1500 total points
ID: 39670906
Not as far as I know. Except, you could try rebuilding standard shadow-utils to get suauth back
0
 
LVL 1

Author Closing Comment

by:jmarkfoley
ID: 39685521
Thanks -- I'll move on!
0

Featured Post

Moving data to the cloud? Find out if you’re ready

Before moving to the cloud, it is important to carefully define your db needs, plan for the migration & understand prod. environment. This wp explains how to define what you need from a cloud provider, plan for the migration & what putting a cloud solution into practice entails.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Over the last ten+ years I have seen Linux configuration tools come and go. In the early days there was the tried-and-true, all-powerful linuxconf that many thought would remain the one and only Linux configuration tool until the end of times. Well,…
In the first part of this tutorial we will cover the prerequisites for installing SQL Server vNext on Linux.
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Suggested Courses

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question