Today I have one problem when I change the user account by using the 'su - ' command.
If I use the "su -" command, it displays the following message: "incorrect password".
Do you have any troubleshooting procedures or fixes for this issue? Any help would be much appreciated. Thanks.
'su -' is only for logging in as root, and you should supply your root password when it asks for one. You can do 'su - someuser' when you are root and log in as someuser.
Do you mean that you put in a password and it errors? The password required with su is the one belonging to the account that you are switching to. sudo is the one that uses your account's password.
Or did you mean that you don't get the chance to enter a password?
It could be that PAM needs to be re-configured. I don't use PAM - I'd suggest asking one of the mods if they can move this thread to the Redhat forum so that other PAM users can help.
Dear All,
I am using RHEL-4 and just now I upgraded my system. When I enter the command su - username, it shows incorrect password. When I create a new user, I also cannot switch to that user account. I searched the net for solutions to this issue. They do not work. Kindly give me your suggestions.
Regards,
Thamizh
Yes. I updated my system. After that only I have faced this problem.
Here is my /etc/pam.d/su file:
#%PAM-1.0
auth sufficient /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required /lib/security/$ISA/pam_wheel.so use_uid
auth required /lib/security/$ISA/pam_stack.so service=system-auth
account required /lib/security/$ISA/pam_stack.so service=system-auth
password required /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session required /lib/security/$ISA/pam_selinux.so close
session required /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session required /lib/security/$ISA/pam_selinux.so open multiple
session optional /lib/security/$ISA/pam_xauth.so
Just to clear up what su does...
If you are user other than root, you can use su to become root, if you know the root password.
If you are already root, then you can type su [user] and you will become that user. Some of the previous posts seem to not quite understand the use of su, but as far as the PAM issue with Redhat goes, I have absolutely no idea; I have no experience with RedHat, sorry!
Here is the solution to your problem:
Sign in as root
and then set the sticky bit of /etc/shadow and /usr/bin/passwd.
If it still does not work, set the sticky bit on the /etc/passwd file.
The commands are:
# chmod 1700 /usr/bin/passwd
# chmod 1700 /etc/shadow
# chmod 1700 /etc/passwd
Then sign in again as a normal user in another terminal and try to switch user.
huh?? wait, what problem are you referring to?? cuz /etc/shadow and /etc/passwd don't need any special permissions... on most distros 644 will suffice for /etc/passwd (root:root) and 640 will suffice for /etc/shadow (root:shadow)... why would you want to give them a sticky bit and make them executable??
plus if one were to give /usr/bin/passwd the perms you are suggesting then nobody would be able to use it except root... what you want is to SUID it and let users execute it, like:
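An added example, not part of the reply above (whose own command did not survive on this page): a read-only shell check that flags the mode problems the two posts argue about, namely a sticky or execute bit on a data file and a missing setuid or execute bit on a helper that users must run. The function names `has_bits` and `audit_mode` and the message texts are made up for this illustration.

```shell
#!/bin/sh
# has_bits PATH MODE: succeeds when every permission bit in MODE is set on PATH.
has_bits() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# audit_mode PATH KIND: print one finding per line; no output means no finding.
#   KIND=data    plain database file (/etc/passwd, /etc/shadow)
#   KIND=setuid  helper that ordinary users run with root privilege
audit_mode() {
    path=$1
    kind=$2
    if [ ! -e "$path" ]; then echo "$path: missing"; return 0; fi
    if has_bits "$path" 1000; then echo "$path: sticky bit set"; fi
    if has_bits "$path" 0002; then echo "$path: world-writable"; fi
    case $kind in
    data)
        if has_bits "$path" 0100; then
            echo "$path: execute bit on a data file"
        fi ;;
    setuid)
        if ! has_bits "$path" 4000; then
            echo "$path: setuid bit missing"
        fi
        if ! has_bits "$path" 0001; then
            echo "$path: not executable by other users"
        fi ;;
    esac
    return 0
}

# Read-only check of the three files named in the thread; nothing is changed.
audit_mode /etc/passwd data
audit_mode /etc/shadow data
audit_mode /usr/bin/passwd setuid
```

A file that went through `chmod 1700` reports the sticky and execute findings as a data file, and the setuid and execute-by-others findings as a helper.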
Now do this at your own risk, and understand this is just a guess.
Make a backup copy of that "su" pam file just in case you need to restore it.
Code:
session required /lib/security/$ISA/pam_selinux.so open multiple
I believe this is the line that is messing su up.
Changing "required" to "optional" may work, but again that's a guess.
However, I think what that line does is deny access to su unless the pam su file is configured with a certain allow rule, like the rootmembers-access or wheel group based su.
So you could also try to change
Code:
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required /lib/security/$ISA/pam_wheel.so use_uid
to
Code:
# Uncomment the following line to implicitly trust users in the "wheel" group.
auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required /lib/security/$ISA/pam_wheel.so use_uid
Then add the user you are trying to su as to the wheel group.
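An added example, not part of the post above: a shell function that reads a PAM service file and reports what its active `pam_wheel.so` auth lines mean for su, which is worth knowing before uncommenting both lines at once. pam_wheel tests the group membership of the user invoking su; the function name `wheel_policy`, its output labels and the sample file are constructed for this illustration.

```shell
#!/bin/sh
# wheel_policy FILE: report how the active (uncommented) pam_wheel.so auth
# lines in a PAM service file change who may use su. Prints one of:
#   none            pam_wheel inactive; the rest of the auth stack decides
#   trust           invoking users in wheel are let through with no password
#   restrict        only invoking users in wheel may su (password still asked)
#   trust+restrict  both: wheel members need no password, all others denied
wheel_policy() {
    awk '
        $1 ~ /^#/ || NF < 3 { next }          # comments, blank or short lines
        $1 == "auth" && $3 ~ /pam_wheel\.so$/ {
            has_trust = 0
            for (i = 4; i <= NF; i++) if ($i == "trust") has_trust = 1
            if ($2 == "sufficient" && has_trust) trust = 1
            if ($2 == "required" || $2 == "requisite") restrict = 1
        }
        END {
            if (trust && restrict) print "trust+restrict"
            else if (trust)        print "trust"
            else if (restrict)     print "restrict"
            else                   print "none"
        }' "$1"
}

# Constructed sample: the auth section from the thread with both pam_wheel
# lines uncommented as proposed, written to a temporary file so that nothing
# under /etc/pam.d is read or changed.
demo() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
#%PAM-1.0
auth sufficient /lib/security/$ISA/pam_rootok.so
auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
auth required /lib/security/$ISA/pam_wheel.so use_uid
auth required /lib/security/$ISA/pam_stack.so service=system-auth
EOF
    wheel_policy "$f"
    rm -f "$f"
}
demo
```

On a real system, run `wheel_policy /etc/pam.d/su` before and after editing the file and compare the result with the policy you intended.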