Subject: bin/29891: su(1) does not seem to honor SU_ROOTAUTH any more
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: None <arto@selonen.org>
List: netbsd-bugs
Date: 04/05/2005 09:35:00
>Number: 29891
>Category: bin
>Synopsis: su(1) does not seem to honor SU_ROOTAUTH any more
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Apr 05 09:35:00 +0000 2005
>Originator: Arto Selonen
>Release: NetBSD-current 3.99.3 ~20050404
>Organization:
>Environment:
NetBSD blah 3.99.3 NetBSD 3.99.3 (BLAH) #0: Mon Apr 4 14:25:52 EEST 2005 blah@blah:/obj/sys/arch/i386/compile/BLAH i386
>Description:
I've used pkgsrc/sysutils/sux with SU_ROOTAUTH set to 'rootauth'
in /etc/mk.conf. This has worked well, even with PAM (uncommenting
one line in /etc/pam.d/su).
When upgrading -current from ~20050204 using whatever sources the
anoncvs us2 mirror gave on 20050404, I am no longer able to use
su unless I belong to the 'wheel' group (never needed that before).
% id
uid=520(blah) gid=520(blah) groups=520(blah),50000(rootauth)
% sux
su: You are not listed in the correct secondary group (wheel) to su root.
su: Sorry: authentication error
Exit 1
% su
su: You are not listed in the correct secondary group (wheel) to su root.
su: Sorry: authentication error
Exit 1
% fgrep SU_ /etc/mk.conf
SU_ROOTAUTH= rootauth
The man page is not clear whether one would need to *also* set SU_GROUP,
but previously it was not necessary. Since this can lock people out
of remotely administered systems, I'm filing it as serious/medium.
I have not tested setting SU_GROUP (and don't intend to). As a workaround one could go to 'wheel'.
I noted a thread 'su and PAM' in current-users in March 2005 which
had somewhat similar symptoms. In that thread the problem disappeared
after rebuilding from scratch, so I tried that too. Removing all object
directories + $DESTDIR and rebuilding still produces the 'wheeling' su.
Here is what a similar setup on 2.99.15 gives me:
% uname -mr
2.99.15 i386
% id
uid=520(blah) gid=520(blah) groups=520(blah),50000(rootauth)
% fgrep SU_ /etc/mk.conf
SU_ROOTAUTH= rootauth
% sux
Password:
#
I happened to have one 2.99.16 system from ~20050307, and there
su/sux no longer works either, but requires 'wheel'. So, the change
was made some time between 20050204 and 20050307.
>How-To-Repeat:
1) Stock -current
2) set SU_ROOTAUTH=somename in /etc/mk.conf
3) create group 'somename' with a member in it
4) upgrade -current
5) install pkgsrc/sysutils/sux
6) note that an account belonging to the 'somename' group cannot use su/sux
>Fix: