[SOLVED] su: Permission Denied as root

cmhuggins · 11-05-2019, 11:09 AM

I have finished my current build using the SVN checkout of the book, adding Linux-PAM and CrackLib to my system (yes, I have rebuilt shadow and systemd). Following the directions provided by the SVN BLFS book, running `su - <username>`, all I get is `su: Permission denied` when running it as root. My /etc/pam.d/su is as it looks in the book (provided below). I am currently chrooting into the system with the command provided by the LFS book. Is there a bug that I am unaware of, or did I miss something that should've been painfully obvious?

EDIT: Adding root to the 'wheel' group does not change it
EDIT2: Using shadow NOT compiled with PAM does work

/etc/pam.d/su:

Code:

# Begin /etc/pam.d/su

# always allow root
auth      sufficient  pam_rootok.so

# Allow users in the wheel group to execute su without a password
# disabled by default
#auth      sufficient  pam_wheel.so trust use_uid

# include system auth settings
auth      include     system-auth

# limit su to users in the wheel group
auth      required    pam_wheel.so use_uid

# include system account settings
account   include     system-account

# Set default environment variables for the service user
session   required    pam_env.so

# include system session settings
session   include     system-session

# End /etc/pam.d/su

/dev/random · 11-05-2019, 02:26 PM

Quote:

Originally Posted by cmhuggins

I have finished my current build using the SVN checkout of the book, adding Linux-PAM and CrackLib to my system (yes, I have rebuilt shadow and systemd). Following the directions provided by the SVN BLFS book, running `su - <username>`, all I get is `su: Permission denied` when running it as root. My /etc/pam.d/su is as it looks in the book (provided below). I am currently chrooting into the system with the command provided by the LFS book. Is there a bug that I am unaware of, or did I miss something that should've been painfully obvious?

EDIT: Adding root to the 'wheel' group does not change it
EDIT2: Using shadow NOT compiled with PAM does work

/etc/pam.d/su:

Code:

# Begin /etc/pam.d/su

# always allow root
auth      sufficient  pam_rootok.so

# Allow users in the wheel group to execute su without a password
# disabled by default
#auth      sufficient  pam_wheel.so trust use_uid

# include system auth settings
auth      include     system-auth

# limit su to users in the wheel group
auth      required    pam_wheel.so use_uid

# include system account settings
account   include     system-account

# Set default environment variables for the service user
session   required    pam_env.so

# include system session settings
session   include     system-session

# End /etc/pam.d/su

You are setting the default environment variables to nothing, instead of reading /etc/environment
This should fix that. Also if you add root user to group wheel you need to logout for it to take effect

Code:

session       required   pam_env.so readenv=1

cmhuggins · 11-06-2019, 08:00 AM

Even with adding readenv=1 to /etc/pam.d/su, nothing has changed. I have recompiled CrackLib, Linux-PAM, and shadow (just to make sure there was nothing missing in terms of deps) but to no avail. Still getting permission denied from su. I will post additional configurations when I can copy them out of my distro.

EDIT: So, I realized I was some how missing /etc/pam.d/system-session... It's almost like if you're missing a single configuration file, things don't work

Keith Hedger · 11-06-2019, 08:07 AM

Silly question I know but does the user name you are trying to use actually exist?

cmhuggins · 11-06-2019, 08:11 AM

User does exist, I was missing /etc/pam.d/system-session, even though I literally copied the commands from the book...