Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: User can't "su -" to root
Operating Systems Linux User can't "su -" to root Post 302989803 by Gabriander on Wednesday 18th of January 2017 11:58:47 AM
Old 01-18-2017
User can't "su -" to root
Hello.

I have a RHEL 7.2 where a regular user can't make a "su -" to reach root account:
Code:
server532:t711740:/$ id
uid=75456(t711740) gid=10000(personales) groups=10000(personales),10(wheel)

tehrh532:t711740:/$ su -
Password:
su: Permission denied

But can make "sudo su -"
Code:
server532:t711740:/$ sudo su -
[sudo] password for t711740:

server532:root:/root# id
uid=0(root) gid=0(root) groups=0(root),70000(emergencia)

What could be the problem? Any idea?
Code:
server532:root:/root# grep root /etc/passwd
root:x:0:0:root:/root:/bin/bash

server532:root:/root# cat /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
tty0
tty1
tty2
tty3
tty4
tty5
tty6

server532:root:/root# cat /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so group=wheel root_only use_uid
auth            include         system-auth-su
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         optional        pam_mkhomedir.so skel=/etc/skel/ umask=0022
session         include         system-auth
session         optional        pam_xauth.so

server532:root:/root# ls -l /bin/su
-rwsr-xr-x. 1 root root 32072 Aug 21  2015 /bin/su

 

9 More Discussions You Might Find Interesting

1. HP-UX

Creating a "semi" root user? Is it possible?

Hello All, I work as a system admin at a company of about 600 users on a HP-UX server. We have an IT department of about 15. My problem is that we give out the root password to the majority of them, they are phone support techs, as they need to get in to kill processes and setup users and... (4 Replies)
Discussion started by: Setan
4 Replies

2. Solaris

sendmail "root... User address required." error

I'm running sendmail (8.13.8+Sun/8.13.8/Submit) solaris 10. When I send mail to root at the command line (whether I use a full-qualified address or just root), I get the error message root... User address required. Sending mail to root (either at the command line or in a cron job),... (10 Replies)
Discussion started by: csgonan
10 Replies

3. UNIX for Dummies Questions & Answers

Possible to give non root user sudo to "crontab -l"

Does anyone know if this is possible? I want to give some users access to root's crontab but only with a read privilege. Is this possible to do or can only root or people with full root sudo view root's cron? (4 Replies)
Discussion started by: LordJezoX
4 Replies

4. Red Hat

error"warning: user owen does not exist - using root"?

I am trying to install openmotif22-2.2.3-18.src.rpm, after I typed in " rpm -i openmotif22-2.2.3-18.src.rpm" the following message comes out: warning: user owen does not exist - using root warning: group owen does not exist - using root I am install openmotif under root account. Do... (2 Replies)
Discussion started by: fishwater00
2 Replies

5. UNIX for Advanced & Expert Users

How to allow particular user only to login as a root using "ssh" ?

Q1 I want to allow particular user only to login into root using ssh. I have set PermitRootLogin no for security purpose but I want to allow some of the users to login as a root using ssh how to do this? I have tried with Allowusers user1 user2 its working for only the user1 and... (3 Replies)
Discussion started by: ungalnanban
3 Replies

6. Solaris

"! bad user (root)" in cron log

I am getting the following error in the cron log: ! bad user (root) Wed Sep 22 14:30:00 2010 < root 8989 c Wed Sep 22 14:30:00 2010 rc=1 What does this mean? (5 Replies)
Discussion started by: jastanle84
5 Replies

7. AIX

Change "root" to "root.admin" in outgoing e-mails

Our AIX servers send e-mails which have the "from" address set to "root@company.com" for our root user ("C{M}company.com" in /etc/sendmail.cf). The problem is that when bad e-mails are sent out or rejected by remote servers, they are being returned and delivered to e-mail box of "Mary Root". ... (2 Replies)
Discussion started by: kah00na
2 Replies

8. Shell Programming and Scripting

Root running a script calling to scp using user "xyz" is not authenticating!

Close duplicate thread. (0 Replies)
Discussion started by: denissi
0 Replies

9. UNIX for Beginners Questions & Answers

How to run root level command , if user has "su -" permission in sudoers provided?

I am looking t run root level command on multiple servers, but all servers have only "su - " permission available in sudoers. please help me if any way that I can run command using help of "su -" My script for hosts in `cat hosts.txt`; do echo "###########################Server Name-... (5 Replies)
Discussion started by: yash_message
5 Replies

LEARN ABOUT SUSE

pam_wheel

PAM_WHEEL(8)							 Linux-PAM Manual						      PAM_WHEEL(8)

NAME

       pam_wheel - Only permit root access to members of group wheel

SYNOPSIS

       pam_wheel.so [debug] [deny] [group=name] [root_only] [trust] [use_uid]

DESCRIPTION

       The pam_wheel PAM module is used to enforce the so-called wheel group. By default it permits root access to the system if the applicant
       user is a member of the wheel group. If no group with this name exist, the module is using the group with the group-ID 0.

OPTIONS

       debug
	   Print debug information.

       deny
	   Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of
	   the group option), deny access. Conversely, if the user is not in the group, return PAM_IGNORE (unless trust was also specified, in
	   which case we return PAM_SUCCESS).

       group=name
	   Instead of checking the wheel or GID 0 groups, use the name group to perform the authentication.

       root_only
	   The check for wheel membership is done only.

       trust
	   The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play
	   stacking the modules the wheel members may be able to su to root without being prompted for a passwd).

       use_uid
	   The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one
	   account to another for example).

MODULE TYPES PROVIDED

       The auth and account module types are provided.

RETURN VALUES

       PAM_AUTH_ERR
	   Authentication failure.

       PAM_BUF_ERR
	   Memory buffer error.

       PAM_IGNORE
	   The return value should be ignored by PAM dispatch.

       PAM_PERM_DENY
	   Permission denied.

       PAM_SERVICE_ERR
	   Cannot determine the user name.

       PAM_SUCCESS
	   Success.

       PAM_USER_UNKNOWN
	   User not known.

EXAMPLES

       The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non-root applicants.

	   su	   auth     sufficient	   pam_rootok.so
	   su	   auth     required	   pam_wheel.so
	   su	   auth     required	   pam_unix.so

SEE ALSO

       pam.conf(5), pam.d(5), pam(8)

AUTHOR

       pam_wheel was written by Cristian Gafton <gafton@redhat.com>.

Linux-PAM Manual						    04/01/2010							      PAM_WHEEL(8)
All times are GMT -4. The time now is 03:34 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy