Date:      Thu, 28 Mar 2002 15:43:22 +0300
From:      "Nickolay A. Kritsky" <nkritsky@internethelp.ru>
To:        radzivilyuk@itt.net.ua ((Radzivilyuk V.O.))
Cc:        freebsd-security@freebsd.org
Subject:   Re[2]: can't su to root
Message-ID:  <159278930741.20020328154322@internethelp.ru>
In-Reply-To: <AABFmeyqJy@itt.net.ua>
References:  <AABFmeyqJy@itt.net.ua>

Hello Radzivilyuk,

Thursday, March 28, 2002, 2:51:39 PM, you wrote:


RVO> $ls -l /usr/bin/su
RVO> -r-sr-xr-x  1  root  wheel 8168   Apr 21  2001 /usr/bin/su

RVO> for those who don't understand me -
RVO> *i am in wheel group*

/usr/src/usr.bin/su/su.c is quite simple. Why don't you add some
debugging strings in there?

Grepping su.c for "Sorry", you can see only one reason for
stderring this string:

;---------------begin cut from su.c--------------------
                /* if target requires a password, verify it */
                if (*pwd->pw_passwd) {
#ifdef  SKEY
#ifdef WHEELSU
                        if (iswheelsu) {
                                pwd = getpwnam(username);
                        }
#endif /* WHEELSU */
                        p = skey_getpass("Password:", pwd, 1);
                        if (!(!strcmp(pwd->pw_passwd, skey_crypt(p, pwd->pw_passwd, pwd, 1))
#ifdef WHEELSU
                              || (iswheelsu && !strcmp(targetpass, crypt(p,targetpass)))
#endif /* WHEELSU */
                              )) {
#else
                        p = getpass("Password:");
                        if (strcmp(pwd->pw_passwd, crypt(p, pwd->pw_passwd))) {
#endif
#ifdef KERBEROS
                                if (!use_kerberos || (use_kerberos && kerberos(username, user, pwd->pw_uid, p)))
#endif
                                        {
                                        fprintf(stderr, "Sorry\n");
                                        syslog(LOG_AUTH|LOG_WARNING, "BAD SU %s to %s%s", username, user, ontty());
                                        exit(1);
                                }
                        }
#ifdef WHEELSU
                        if (iswheelsu) {
                                pwd = getpwnam(user);
                        }
#endif /* WHEELSU */
                }

;----------------end cut ---------------------------------

Depending on your values of WHEELSU, SKEY and KERBEROS you need to add
only 2-3 debug strings. Try this. I hope it will help you. It helps me
quite often.

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru
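
An instrumented stand-alone model of the quoted password step, added here as an illustration; it is not part of the original message or of FreeBSD's su.c. The names su_password_step and toy_hash and the sample entries are constructed, toy_hash stands in for crypt()/skey_crypt(), targetpass is assumed to hold the target's stored hash, and the KERBEROS fallback is left out.

```c
#include <stdio.h>
#include <string.h>

/* Which check decided the outcome, so the trace names the exact branch. */
enum su_step { SU_NO_PASSWORD, SU_OK_PRIMARY, SU_OK_TARGETPASS, SU_SORRY };

/* Same shape as crypt(3): result is compared against the stored string. */
typedef const char *(*hash_fn)(const char *typed, const char *stored);

/* Constructed toy hash for the demo only ("x" + typed text), not a real crypt. */
static const char *toy_hash(const char *typed, const char *stored)
{
    static char buf[64];
    (void)stored;
    snprintf(buf, sizeof buf, "x%s", typed);
    return buf;
}

/*
 * own_hash is the invoking user's entry, target_hash the target's. With
 * iswheelsu set, the primary comparison uses own_hash and target_hash is the
 * fallback, as in the WHEELSU lines of the quoted code. The trace names
 * branches only; it never prints the typed password or a hash.
 */
enum su_step su_password_step(int iswheelsu, const char *own_hash,
                              const char *target_hash, const char *typed, hash_fn h)
{
    const char *primary = iswheelsu ? own_hash : target_hash;

    if (!*target_hash) {
        fprintf(stderr, "debug: target pw_passwd is empty, no check\n");
        return SU_NO_PASSWORD;
    }
    fprintf(stderr, "debug: iswheelsu=%d, comparing against %s entry\n",
            iswheelsu, iswheelsu ? "invoking user's" : "target's");
    if (!strcmp(primary, h(typed, primary)))
        return SU_OK_PRIMARY;
    if (iswheelsu && !strcmp(target_hash, h(typed, target_hash))) {
        fprintf(stderr, "debug: matched targetpass fallback\n");
        return SU_OK_TARGETPASS;
    }
    fprintf(stderr, "debug: no hash matched, this is the \"Sorry\" exit\n");
    return SU_SORRY;
}

int main(void)
{
    /* Constructed entries: invoking user's password "alice1", target's "toor". */
    printf("%d\n", su_password_step(1, "xalice1", "xtoor", "alice1", toy_hash));
    printf("%d\n", su_password_step(0, "xalice1", "xtoor", "alice1", toy_hash));
    return 0;
}
```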


