su root

Hello Forum,

I am wondering about the behaviour in my terminal. As a normal user, I normally can only switch to root if I am in the wheel group. But when I check my group association with "groups", I am currently only in my own user group (groups gives me "killerkim" only in the shell). Why can I still switch to root? I must say, I have switched the user into the wheel group, but used pw groupmod to cancel the group membership for security reasons.
 
You need to log out and back in again for the 'new' group memberships to activate. Same deal when removing groups.
 
I did log out and restart, etc. I can still su as root, although I am not in the group "wheel". Could it be a bug perhaps? How can I see which members the group "wheel" has?
 
Also check /etc/pam.d/su:
Code:
# auth
auth            sufficient      pam_rootok.so           no_warn
auth            sufficient      pam_self.so             no_warn
auth            requisite       pam_group.so            no_warn group=wheel root_only fail_safe
auth            include         system
 
SirDice said:
Also check /etc/pam.d/su:
Code:
# auth
auth            sufficient      pam_rootok.so           no_warn
auth            sufficient      pam_self.so             no_warn
auth            requisite       pam_group.so            no_warn group=wheel root_only fail_safe
auth            include         system

I have the same lines in my /etc/pam.d/su file. pw groupshow wheel gives me wheel:*:0:
Does the star mean, that everyone can su as root?

thx
 
I am still wondering, because the handbook says, that only members from the wheel membership can su as root?
 
killerkim said:
pw groupshow wheel gives me wheel:*:0:
And after that? Don't you have root?

killerkim said:
Does the star mean, that everyone can su as root?
No it stands for the group's "password".

killerkim said:
I am still wondering, because the handbook says, that only members from the wheel membership can su as root?
That's right.
 
@Beastie: I don't want my user to be able to switch to root. But he can still su as root, although he is not in the wheel group.
 
You haven't answered my question: do you have root after wheel:*:0: (i.e. wheel:*:0:root,...) or not? It's possible /etc/group is corrupt. Just a wild guess...
 
Beastie said:
You haven't answered my question: do you have root after wheel:*:0: (i.e. wheel:*:0:root,...) or not? It's possible /etc/group is corrupt. Just a wild guess...

No, there is only
wheel:*:0:

Not
wheel:*:0:root

?? Seems, my group file is corrupt?
 
I now tried

Code:
pw groupmod wheel -m root

Now the wheel entry in groupfile is
Code:
wheel:*:0:root

My normal users can't su as root anymore :)
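
Added example, not part of the thread or written by any of its posters: a shell check for the state the thread ended up diagnosing, an empty wheel member list combined with the fail_safe option on the pam_group.so line, which pam_group(8) documents as treating a missing or memberless group as if the applicant were a member. The function names and the sample files are constructed for illustration, and the check reads only the group file's member field.

```shell
# Added example (not from the thread); names and sample files are constructed.

# group_members FILE GROUP: print the member list (4th field) of GROUP.
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# pam_group_fail_safe FILE GROUP: succeed if an auth pam_group.so line for
# GROUP carries the fail_safe option (comment lines are ignored).
pam_group_fail_safe() {
    awk -v g="group=$2" '
        /^[ \t]*#/ { next }
        $1 == "auth" && $3 ~ /pam_group\.so$/ {
            has_g = 0; has_fs = 0
            for (i = 4; i <= NF; i++) {
                if ($i == g) has_g = 1
                if ($i == "fail_safe") has_fs = 1
            }
            if (has_g && has_fs) found = 1
        }
        END { exit !found }' "$1"
}

# su_restriction_inactive GROUPFILE PAMFILE [GROUP]: exit 0 when GROUP is
# missing or lists no members AND fail_safe is set (the state in the thread).
su_restriction_inactive() {
    grp=${3:-wheel}
    [ -z "$(group_members "$1" "$grp")" ] && pam_group_fail_safe "$2" "$grp"
}

# Constructed sample files mirroring the entries quoted in the thread.
tmp=$(mktemp -d)
printf 'wheel:*:0:\noperator:*:5:root\n' > "$tmp/group.empty"
printf 'wheel:*:0:root\noperator:*:5:root\n' > "$tmp/group.fixed"
cat > "$tmp/su" <<'EOF'
# auth
auth  sufficient  pam_rootok.so  no_warn
auth  sufficient  pam_self.so    no_warn
auth  requisite   pam_group.so   no_warn group=wheel root_only fail_safe
auth  include     system
EOF
for f in group.empty group.fixed; do
    if su_restriction_inactive "$tmp/$f" "$tmp/su"; then
        echo "$f: wheel has no members and fail_safe is set; su is not restricted"
    else
        echo "$f: wheel restriction on su is in effect"
    fi
done
```

On a live system the two arguments would be /etc/group and /etc/pam.d/su.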
 