Current-Users archive


Re: su: pam_start failed



On Mon, 10 Mar 2025, Thomas Klausner wrote:

> I've created a new sandbox using pkgtools/mksandbox and it looks fine
> AFAICT.
>
> However, when I change inside and want to switch user to an
> unprivileged one, I get
>
> su: pam_start failed
>
> without any further details.


Works for me:

```
Script started on Mon Mar 10 11:41:48 2025
CoreBook# uname -a
NetBSD CoreBook.local 10.99.12 NetBSD 10.99.12 (COREBOOK) #0: Mon Mar 10 06:49:40 UTC 2025  bld@CoreBook.local:/tmp/obj/usr/src/sys/arch/amd64/compile/COREBOOK amd64
CoreBook# cd pkgsrc/pkgtools/mksandbox/files/
CoreBook# ls
CVS          mksandbox    mksandbox.8
CoreBook# ./mksandbox --pkgsrc=/tmp/pkgsrc /tmp/S
WARNING: LOCALPATCHES directory does not exist - ignoring
Copying the kernel
Checking package hierarchy in /usr/pkg and package database in /usr/pkg/pkgdb exist
Make and populate /tmp/S/dev
Make and populate /tmp/S/etc
Make empty dirs upon which to mount the null mounts
Making /tmp in /tmp/S
Making /var/games in /tmp/S
Making /var/run in /tmp/S
Making /var/log in /tmp/S
Making /var/spool/lock in /tmp/S
Making /var/run/utmp in /tmp/S
Making /var/run/utmpx in /tmp/S
Making /var/log/wtmp in /tmp/S
Making /var/log/wtmpx in /tmp/S
Making /var/log/lastlog in /tmp/S
Making /var/log/lastlogx in /tmp/S
Mount /usr/src from /tmp/S
Mount /tmp/pkgsrc from /tmp/S
Mounting /tmp/pkgsrc/packages and /tmp/pkgsrc/distfiles from /tmp/S
Mount /usr/xsrc from /tmp/S
Sandbox creation is now complete
CoreBook# /tmp/S/sandbox chroot
CoreBook# pwd
/
CoreBook# mkdir -p /root /home/bld
CoreBook# chown bld:bld /home/bld
CoreBook# su -l bld
$ whoami
bld
$ ^D
CoreBook# su -l
# whoami
root
# ^D
CoreBook# CoreBook# CoreBook# CoreBook# ^D

Script done on Mon Mar 10 11:44:21 2025
```

> How can I get more details?


Inside the sandbox, add `debug' to each of the module arguments in /etc/pam.d/su:

```
auth            sufficient      pam_rootok.so           no_warn debug
auth            sufficient      pam_self.so             no_warn debug
[...]
```

Then, add a line like this to /etc/syslog.conf in the sandbox:

```
*.debug                                                 /var/log/messages
```

Finally, run syslogd(8) after touch(1)ing `/var/log/messages', also in the sandbox:

```
syslogd -s
```

Now, the /var/log/messages in the sandbox should have PAM logs from su(1).

-RVP
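
The steps from the reply above as one re-runnable script, added here as an example and not part of the original message. The function name `enable_pam_debug` and its ROOT argument are assumptions; it skips comments and `include` lines and leaves starting `syslogd -s` to the operator.

```shell
#!/bin/sh
# Added example (not from the original message). Constructed helper:
# enable_pam_debug ROOT [SERVICE]
#   ROOT    "/" when run inside the sandbox, or the sandbox path from outside
#   SERVICE file under etc/pam.d to edit (default: su)
enable_pam_debug() {
    root=${1%/}
    service=${2:-su}
    pam="$root/etc/pam.d/$service"
    conf="$root/etc/syslog.conf"
    log="$root/var/log/messages"
    tmp="$pam.tmp.$$"

    [ -f "$pam" ] || { echo "no such PAM file: $pam" >&2; return 1; }

    # Step 1: append "debug" to each module line. Comments, blank lines and
    # "include" lines are left alone, as are lines that already carry it.
    awk '
        NF < 3 || $1 ~ /^#/ || $2 == "include" { print; next }
        {
            for (i = 4; i <= NF; i++)
                if ($i == "debug") { print; next }
            print $0 " debug"
        }
    ' "$pam" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place so the file keeps its owner and mode.
    cat "$tmp" > "$pam" && rm -f "$tmp"

    # Step 2: route debug-level messages to /var/log/messages (added once).
    grep -Eq '^\*\.debug[[:space:]]+/var/log/messages' "$conf" 2>/dev/null ||
        printf '*.debug\t\t\t\t\t\t\t/var/log/messages\n' >> "$conf"

    # Step 3: create the log file before syslogd is started, as the reply says.
    mkdir -p "$root/var/log" && touch "$log"

    echo "PAM debug enabled for $service; now run in the sandbox: syslogd -s" >&2
}
```

Remove the `debug` arguments and the `*.debug` line again once the failure is understood, since debug-level logging is noisy.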
