[Bug 827845] New: Acquiring a root shell with "su" fails with message "su: Authentication failure"
https://bugzilla.novell.com/show_bug.cgi?id=827845 https://bugzilla.novell.com/show_bug.cgi?id=827845#c0 Summary: Acquiring a root shell with "su" fails with message "su: Authentication failure" Classification: openSUSE Product: openSUSE Factory Version: 13.1 Milestone 2 Platform: x86-64 OS/Version: Other Status: NEW Severity: Normal Priority: P5 - None Component: Basesystem AssignedTo: bnc-team-screening@forge.provo.novell.com ReportedBy: vlukas@gmx.de QAContact: qa-bugs@suse.de Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.21 (KHTML, like Gecko) konqueror/4.10.4 Safari/537.21 If I type in "su" on the console to get a root shell, after a few seconds (ca. 3) the message "su: Authentication failure" appears and root privileges are not available. Reproducible: Always Steps to Reproduce: 1. Enter "su" at the console / at a shell. Actual Results: The message "su: Authentication failure" appears. Expected Results: The command should ask for the root password and open a privileged shell after verifying password. An apparently associated message appearing in "journalctl -n" is: --------------------------------------------------- Jul 02 18:53:41 linux-xxxx su[6324]: pam_warn(su:auth): function=[pam_sm_authenticate] service=[su] terminal=[pts/5] user=[root] ruser=[lima] rhost=[<unknown>] Jul 02 18:53:41 linux-xxxx su[6324]: FAILED SU (to lima) lima on none --------------------------------------------------- (hostname is redacted) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=827845 https://bugzilla.novell.com/show_bug.cgi?id=827845#c FeiXiang Zhang <fxzhang@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|bnc-team-screening@forge.pr |mail@bernhard-voelker.de |ovo.novell.com | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=827845 https://bugzilla.novell.com/show_bug.cgi?id=827845#c1 --- Comment #1 from Bernhard Voelker <mail@bernhard-voelker.de> 2013-07-16 05:53:35 UTC --- Can't be reproduced here. Please provide the following information: a) Has this system been freshly installed or upgraded/updated? b) RPM version of util-linux and coreutils $ rpm -q util-linux coreutils Expected: util-linux-2.23.1-4.3.x86_64 coreutils-8.21-4.3.x86_64 c) Version of su binary $ su --version Expected: su from util-linux 2.23.1 d) su's PAM configuration $ /bin/ls -ld /bin/su /etc/default/su /etc/pam.d/su \ /etc/pam.d/su-l /usr/bin/su Expected: lrwxrwxrwx 1 root root 11 Jul 11 14:41 /bin/su -> /usr/bin/su -rw-r--r-- 1 root root 313 Jul 8 10:14 /etc/default/su -rw-r--r-- 1 root root 277 Jul 8 10:14 /etc/pam.d/su -rw-r--r-- 1 root root 277 Jul 8 10:14 /etc/pam.d/su-l -rwsr-xr-x 1 root root 31744 Jul 8 10:15 /usr/bin/su Without the above information, my wild guess is that this system has been updated from time to time from previous factory versions, but without doing every intermediate update step needed for the "move-su-to-util-linux" trickery. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=827845 https://bugzilla.novell.com/show_bug.cgi?id=827845#c Bernhard Voelker <mail@bernhard-voelker.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=827845 https://bugzilla.novell.com/show_bug.cgi?id=827845#c2 --- Comment #2 from Volker Lukas <vlukas@gmx.de> 2013-07-21 15:53:24 UTC --- Answers to the above questions: a) This installation was first set up some years ago. It was always a factory installation, updated frome time to time (ca. every few weeks recently). b) $ rpm -q util-linux coreutils util-linux-2.23.1-4.3.x86_64 coreutils-8.21-4.3.x86_64 c) $ su --version su from util-linux 2.23.1 d) $ /bin/ls -ld /bin/su /etc/default/su /etc/pam.d/su \
/etc/pam.d/su-l /usr/bin/su lrwxrwxrwx 1 root root 11 Jul 14 23:20 /bin/su -> /usr/bin/su lrwxrwxrwx 1 root root 20 May 20 20:53 /etc/default/su -> /etc/default/su.core lrwxrwxrwx 1 root root 18 May 20 20:53 /etc/pam.d/su -> /etc/pam.d/su.core lrwxrwxrwx 1 root root 20 May 20 20:53 /etc/pam.d/su-l -> /etc/pam.d/su-l.core -rwsr-xr-x 1 root root 31744 Jul 8 10:15 /usr/bin/su
Additional information: $ ls -l /etc/default total 28 -rw-r--r-- 1 root root 1757 Jul 11 13:55 nss -rw-r--r-- 1 root root 2002 Jul 5 23:33 passwd -rw-r--r-- 1 root root 734 Jul 6 19:19 splashy -rw-r--r-- 1 root root 709 Jan 27 2008 splashy.rpmnew -rw-r--r-- 1 root root 709 Jan 21 2008 splashy.rpmsave lrwxrwxrwx 1 root root 20 May 20 20:53 su -> /etc/default/su.core -rw-r--r-- 1 root root 313 Jun 14 17:14 su.rpmnew -rw-r--r-- 1 root root 118 Jul 5 23:28 useradd $ ls -l /etc/pam.d/ total 188 -rw-r--r-- 1 root root 217 Jul 6 03:49 atd -rw-r--r-- 1 root root 167 Jul 5 23:28 chage -rw-r--r-- 1 root root 199 Jul 5 23:28 chfn -rw-r--r-- 1 root root 199 Jul 5 23:28 chpasswd -rw-r--r-- 1 root root 199 Jul 5 23:28 chsh lrwxrwxrwx 1 root root 28 Aug 20 2007 common-account -> /etc/pam.d/common-account-pc -rw-r--r-- 1 root root 378 Feb 9 2007 common-account.pam-config-backup -rw-r--r-- 1 root root 446 Jul 14 23:32 common-account-pc -rw-r--r-- 1 root root 446 Aug 18 2007 common-account-pc.bak -rw-r--r-- 1 root root 392 Nov 13 2012 common-account.rpmnew lrwxrwxrwx 1 root root 25 Aug 20 2007 common-auth -> /etc/pam.d/common-auth-pc -rw-r--r-- 1 root root 448 Feb 9 2007 common-auth.pam-config-backup -rw-r--r-- 1 root root 522 Jul 14 23:32 common-auth-pc -rw-r--r-- 1 root root 522 Aug 18 2007 common-auth-pc.bak -rw-r--r-- 1 root root 462 Nov 13 2012 common-auth.rpmnew lrwxrwxrwx 1 root root 29 Aug 20 2007 common-password -> /etc/pam.d/common-password-pc -rw-r--r-- 1 root root 855 Feb 9 2007 common-password.pam-config-backup -rw-r--r-- 1 root root 433 Jul 14 23:32 common-password-pc -rw-r--r-- 1 root root 423 Aug 18 2007 common-password-pc.bak -rw-r--r-- 1 root root 510 Jun 5 13:45 common-password.rpmnew lrwxrwxrwx 1 root root 28 Aug 20 2007 common-session -> /etc/pam.d/common-session-pc -rw-r--r-- 1 root root 435 Feb 9 2007 common-session.pam-config-backup -rw-r--r-- 1 root root 504 Jul 14 23:32 common-session-pc -rw-r--r-- 1 root root 472 Aug 18 2007 common-session-pc.bak -rw-r--r-- 1 root root 450 Nov 13 2012 common-session.rpmnew -rw-r--r-- 1 root root 446 Jul 6 02:11 crond -rw-r--r-- 1 root root 172 Jul 5 23:28 groupadd -rw-r--r-- 1 root root 172 Jul 5 23:28 groupdel -rw-r--r-- 1 root root 172 Jul 5 23:28 groupmod -rw-r--r-- 1 root root 216 Jul 5 23:28 init -rw-r--r-- 1 root root 164 May 28 01:12 kcheckpass -rw-r--r-- 1 root root 419 Jul 14 23:39 login -rw-r--r-- 1 root root 419 Jul 14 23:39 login.old -rw-r--r-- 1 root root 397 Jun 27 2012 login.rpmnew -rw-r--r-- 1 root root 451 Sep 11 2008 login.rpmsave -rw-r--r-- 1 root root 172 Jul 5 23:28 newusers -rw-r--r-- 1 root root 251 Jul 8 09:38 other -rw-r--r-- 1 root root 133 Jul 5 23:28 passwd -rw-r--r-- 1 root root 165 Jul 8 14:56 polkit-1 -rw-r--r-- 1 root root 336 Jul 6 11:34 pure-ftpd -rw-r--r-- 1 root root 492 Jul 8 10:14 remote -rw-r--r-- 1 root root 165 Jul 6 11:31 smtp -rw-r--r-- 1 root root 336 Jul 6 02:23 sshd lrwxrwxrwx 1 root root 18 May 20 20:53 su -> /etc/pam.d/su.core -rw-r--r-- 1 root root 203 Jul 11 15:52 sudo lrwxrwxrwx 1 root root 20 May 20 20:53 su-l -> /etc/pam.d/su-l.core -rw-r--r-- 1 root root 277 Jun 14 17:14 su-l.rpmnew -rw-r--r-- 1 root root 277 Jun 14 17:14 su.rpmnew -rw-r--r-- 1 root root 172 Jul 5 23:28 useradd -rw-r--r-- 1 root root 172 Jul 5 23:28 userdel -rw-r--r-- 1 root root 172 Jul 5 23:28 usermod -rw-r--r-- 1 root root 204 Sep 3 2008 xdm -rw-r--r-- 1 root root 206 May 10 2012 xdm-np Your answer helped! If I move the old su and su-l links in /etc/default and /etc/pam.d out of the way and after that rename su.rpmnew and su-l.rpmnew to su and su-l my su works as expected. If you agree that this was the right way to fix my installation, this issue can be closed as far as I am concerned. Thanks! -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=827845 https://bugzilla.novell.com/show_bug.cgi?id=827845#c3 --- Comment #3 from Bernhard Voelker <mail@bernhard-voelker.de> 2013-07-21 16:14:20 UTC --- Thanks for the information. Yes, that was the right fix. It looks indeed like the system has skipped an update step of the "move-su-to-util-linux" trickery, and that the final packages of coreutils and util-linux got to this host in one step. I'd consider this as normal fallout - we know of only 3 systems with this effect. Thanks, and sorry for the inconvenience. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=827845 https://bugzilla.novell.com/show_bug.cgi?id=827845#c4 andreas bittner <abittner@abittner.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |abittner@abittner.de --- Comment #4 from andreas bittner <abittner@abittner.de> 2013-09-09 14:06:49 UTC --- good day, I was about to report that I just recently did a milestone1 to factory (milestone3 that day) upgrade via zypper dup in a virtualbox, and after reboot the result was that the system was not able to do a "su -" any more at all. same error pretty much immediately gotton displayed in terminal, that authentication failed. this system is no more possible to acquire root access this way. i dont know about those graphical shell ways from inside kde or yast modules or similar if those are also based on su or sudo and what else might be affected. regards. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=827845 https://bugzilla.novell.com/show_bug.cgi?id=827845#c5 --- Comment #5 from andreas bittner <abittner@abittner.de> 2013-09-09 14:20:33 UTC --- actually I can still alt+f2 or similar and use root username there and log in as root on this test installation currently the package versions are util-linux-2.23.1-4.6.i586 coreutils-8.21-6.2-i586 su --version su from util-linux 2.23.1 actually it already displays milestone4 in SuSE-release I did this dup a few days ago I think with the factory repos or similar regards -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=827845 https://bugzilla.novell.com/show_bug.cgi?id=827845#c6 --- Comment #6 from andreas bittner <abittner@abittner.de> 2013-09-09 15:55:14 UTC --- did another zypper dup with factory repo like half an hour ago and it updated 400+ packages once again, still displaying as milestone4, and it has still the "su -" problem going nowhere and displaying authentication error fail after a little while without the possibility to change to root. :( -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=827845 https://bugzilla.novell.com/show_bug.cgi?id=827845#c7 --- Comment #7 from andreas bittner <abittner@abittner.de> 2013-09-09 15:57:30 UTC --- util-linux, coreutils and su --version version numbers/output havent changed at all. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=827845 https://bugzilla.novell.com/show_bug.cgi?id=827845#c8 --- Comment #8 from andreas bittner <abittner@abittner.de> 2013-09-20 11:37:23 UTC --- dont quite understand this situation as someone privatemessaged me (kind of useless to the cause of these bugreports being public, everbody should profit from it) my hosed milestone4 machine upgraded to beta1 today via booting from the .iso image and upgrading it. and the sudo functionality is still borked why is this not a bug being handled or why did this break in the first place? how is an enduser supposed to mess up the sudo or authentication layer this thoroughly? i think this is a rather serious bug, maybe its a rare bug, but still, i didnt mess the system up by manually messing with files, all i did was normal upgrade events with zypper anyone caring for this bug? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=827845 https://bugzilla.novell.com/show_bug.cgi?id=827845#c9 --- Comment #9 from Bernhard Voelker <mail@bernhard-voelker.de> 2013-09-20 12:08:20 UTC --- The problem reported by the OP was solved by manual interaction. The reason for that issue was the move of su(1) from coreutils to util-linux which had to be done in several update steps. If the intermediate step has been skipped and the update has been done in one go, then this PAM failure was possible. Please note that this is usually not happening to non-factory users. So far for the OP ... and at this point the bug report should be closed. Re. your problem (and what I therefore wrote you "privatemessaged": I don't know the exact situation on your installation, and you failed to provide such information. Therefore, I can only repeat what I wrote you and point you to the analysis steps in #c1:
Please look at comment#1: https://bugzilla.novell.com/show_bug.cgi?id=827845#c1 and compare that to the situation on your system, especially the PAM configuration files. Are they as described there?
-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com