[Solved] Users not in wheel group cannot log in anymore

ssbear

New Member

Thanks: 1
Messages: 18

#1
Hi folks.

This afternoon, I upgraded my system to FreeBSD 10.3-RELEASE-p21 (with a make buildworld, etc... as I do 1 or 2 times per year).

And I don't know if it's related, but since then I can't use user accounts, except root and wheel users. See:

Trying to connect (locally with su, or with ssh):
Code:
root@**** folder $  su toto
su: /bin/sh: Permission denied
Code:
userok@*** folder $  ssh toto@****
Password for toto@a****:
Last login: Sun Sep 17 00:12:09 2017 from ***.***.***.**.**.***.**
Could not chdir to home directory /home/toto: Permission denied
/bin/sh: Permission denied
Connection to ****.****.*** closed.
But everything seems ok...
Code:
root@**** / $  ls -l /home
total 32836
drwxrwxr-x   2 root     operator       512 Nov  3  2015 .snap/
-r--------   1 root     wheel     33554432 Nov  3  2015 .sujournal
drwxr-xr-x   2 toto     toto           512 Sep 17 00:07 toto/
Code:
root@**** / $  id toto
uid=1006(toto) gid=1006(toto) groups=1006(toto)
See:
Code:
root@**** / $  ls -l /
total 32869
drwxrwxr-x   2 root  operator       512 Jan 20  2014 .snap/
-r--------   1 root  wheel     33554432 Nov  3  2015 .sujournal
-r--r--r--   1 root  wheel         6197 Sep  7  2015 COPYRIGHT
drwxrwxrwx   2 root  wheel         1024 Sep 16 16:58 bin/
d-wx--xr-x  10 root  wheel         1536 Sep 16 21:51 boot/
dr-xr-xr-x   8 root  wheel          512 Sep 16 23:59 dev/
-rw-------   1 root  wheel         4096 Sep 16 23:59 entropy
drwxr-xr-x  21 root  wheel         2560 Sep 17 00:16 etc/
drwxr-xr-x  11 root  wheel         1024 Sep 17 00:07 home/
drwxr-xr-x   3 root  wheel         1536 Sep 16 16:57 lib/
drwxr-xr-x   3 root  wheel          512 Sep 16 16:59 libexec/
drwxr-xr-x   3 root  wheel          512 Aug 13 18:25 mnt/
dr-xr-xr-x   1 root  wheel            0 Sep 17 00:21 proc/
drwxr-xr-x   2 root  wheel         2560 Sep 16 16:57 rescue/
drwxr-xr-x   7 root  wheel          512 Sep 17 00:16 root/
drwxr-xr-x   2 root  wheel         2560 Sep 16 16:58 sbin/
drwxrwxrwt   6 root  wheel          512 Sep 16 23:59 tmp/
drwxr-xr-x  14 root  wheel          512 Sep 16 17:05 usr/
drwxr-xr-x  25 root  wheel         1024 Sep 16 23:59 var/
Code:
root@**** / $  ls -l /bin/sh
-r-xr-xr-x  1 root  wheel  145760 Sep 16 16:57 /bin/sh*
However, if I put the 'toto' user in the 'wheel' group, it's OK! But I don't want this user in the wheel group. It's weird. It's the only fix I found...

Any ideas? Do you need more information? Thanks a lot!

Regards,
 

sidetone

Aspiring Daemon

Thanks: 313
Messages: 915

#2
I thought it was always required for the user to be in the wheel group to use su. Besides, ls -l /usr/bin/su shows it to be in the wheel group.

It may be possible to change the group of su by using chown, and make that user part of that group, but then it will cause problems if other programs/users that need it aren't also added to that group in /etc/group. It's been done before for users who didn't need a wide range of privileges, like limiting only optical drive access to users instead of including them in the full operator group.
 
OP
ssbear

New Member

Thanks: 1
Messages: 18

#3
Nah. I don't believe it's related to su rights, because I get the same issue when I try to log in with ssh:
- I can only use ssh for users in the wheel group
- Same issue locally, etc...

Code:
userok@**** / $  ssh toto@****
Password for toto@a****:
Last login: Sun Sep 17 00:12:09 2017 from ***.***.***.**.**.***.**
Could not chdir to home directory /home/toto: Permission denied
/bin/sh: Permission denied
Connection to ****.****.** closed.
If I put "toto" in the wheel group, I can log in (ssh, local, etc...). Otherwise, I can't. See the different examples of my folder rights in the initial post. /bin is readable, /home/toto too. I don't understand.

I tried to go back to the old version, with the same result:
- from now on, none of my users can log in anymore, except the wheel group...

Why?
 
OP
OP
ssbear

ssbear

New Member

Thanks: 1
Messages: 18

#4
And the situation is worse:

Code:
root@**** / $  service mysql-server start
Starting mysql.
su: /bin/csh: Permission denied
/usr/local/etc/rc.d/mysql-server: WARNING: failed to start mysql
Because the mysql user is not in the wheel group... Everything was fine yesterday. No log, nothing...
 

sidetone

Aspiring Daemon

Thanks: 313
Messages: 915

#5
I remember reading that adding a user to the wheel group was required for remote ssh logins. So the user will have to belong to the group that the file or command belongs to.

It might be possible, if not complicated, by creating a new group, using chown on ssh to set it to that group, then making sure every user that needs it is included in that group in /etc/group. This risks other programs that have wheel group access via /etc/group not being able to use it. Perhaps all groups that have access to the wheel group should be made to access this new group too, with the exception of the user you wish to restrict. You will need to belong to the wheel group anyway, in order to run any command that belongs under the wheel group, which is most of them. A user can belong to two or more groups.

ls -l /usr/bin/su lists
Code:
root:wheel
Is ssh's group, when you run ls -l on it, wheel? Run the command to check ssh's user:group settings.

This is the same concept as I wrote in the previous post, except, it's also for ssh and other commands/files.
 
OP
ssbear

New Member

Thanks: 1
Messages: 18

#6
See my previous post: even daemons can't run /bin/sh (mysql has never been in the wheel group).

You have to be in the wheel group if and only if you want to su to root. See the manpage.

I have two other FreeBSD machines besides, and all is OK, no need to put anybody in wheel...

Code:
root@***** / $  service mysql-server start
Starting mysql.
su: /bin/csh: Permission denied
/usr/local/etc/rc.d/mysql-server: WARNING: failed to start mysql
I'm pretty sure you'll find this line abnormal :)
 

acheron

Well-Known Member

Thanks: 175
Messages: 443

#7
What are the permissions of /bin/sh? It should be: -r-xr-xr-x 1 root wheel uarch 158K Sep 16 12:56:56 2017 /bin/sh


edit: nm, you already put the answer
 
OP
ssbear

New Member

Thanks: 1
Messages: 18

#8
Code:
root@***** /root $  ls -l /bin/sh
-r-xr-xr-x  1 root  wheel  145760 Sep 16 16:57 /bin/sh*
Got the same issue for other shells, csh, tcsh...

Code:
root@***** /root $  ls -l /
total 32873
drwxrwxr-x   2 root  operator       512 Jan 20  2014 .snap/
-r--------   1 root  wheel     33554432 Nov  3  2015 .sujournal
-r--r--r--   1 root  wheel         6197 Sep  7  2015 COPYRIGHT
drwxr-xr-x   2 root  wheel         1024 Sep 16 16:58 bin/
drwxr-xr-x  10 root  wheel         1536 Sep 16 21:51 boot/
dr-xr-xr-x   8 root  wheel          512 Sep 17 09:22 dev/
-rw-------   1 root  wheel         4096 Sep 17 09:22 entropy
drwxr-xr-x  23 root  wheel         2048 Sep 17 10:21 etc/
drwxr-xr-x  23 root  wheel         2048 Sep 17 09:45 etc.old/
drwxr-xr-x  11 root  wheel         1024 Sep 17 00:07 home/
drwxr-xr-x   3 root  wheel         1536 Sep 16 16:57 lib/
drwxr-xr-x   3 root  wheel          512 Sep 16 16:59 libexec/
drwxr-xr-x   3 root  wheel          512 Aug 13 18:25 mnt/
dr-xr-xr-x   1 root  wheel            0 Sep 17 11:03 proc/
drwxr-xr-x   2 root  wheel         2560 Sep 16 16:57 rescue/
drwxr-xr-x   7 root  wheel          512 Sep 17 11:02 root/
drwxr-xr-x   2 root  wheel         2560 Sep 16 16:58 sbin/
drwxrwxrwt   6 root  wheel          512 Sep 17 10:54 tmp/
drwxr-xr-x  14 root  wheel          512 Sep 16 17:05 usr/
drwxr-xr-x  25 root  wheel         1024 Sep 17 09:22 var/

My rights are all OK, I'm going crazy... :-(
 

acheron

Well-Known Member

Thanks: 175
Messages: 443

#11
One more thing: . and .. don't appear in the output of ls -l /; make sure you have something like this:
Code:
drwxr-xr-x  22 root  wheel     29 Sep 17 10:08 ./
drwxr-xr-x  22 root  wheel     29 Sep 17 10:08 ../
 
OP
ssbear

New Member

Thanks: 1
Messages: 18

#12
NOPE!
So, I did:
Code:
chmod 755 /.
chmod 755 /..
And EVERYTHING is OK. Thanks a lot, acheron!
So, next step (after a good sleep) will be to find an explanation of this change ;)
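What the thread uncovered is a path-traversal permission problem rather than anything about su or wheel: to exec /bin/sh a process needs the search (x) bit on every directory from / down, and the poster's / had lost it for "other". Because / is owned root:wheel with group x set, wheel members (and root) could still traverse it, which is why only they could log in and why rc scripts running su as the mysql user failed with the same "Permission denied". The following script is an added example, not code from the thread or from FreeBSD: it walks a path and reports every directory that users outside the owner and group cannot search, and it runs on a constructed temporary tree that reproduces the symptom before applying the same chmod 755 fix. The function names (check_search_bits, dir_other_search_bit, build_demo_tree) and the sample tree are my own; it parses ls -ld mode strings, which are the same on FreeBSD and Linux, instead of testing access so that the result does not change when run as root.

```shell
#!/bin/sh
# Added example (not from the thread): report which directories on the way to
# a file are not searchable by "other" users. Every directory between / and
# the file needs the x (search) bit for the calling user; if one component
# lacks it, exec()/open() below it fails with "Permission denied" even when
# the file itself is 0555, which is exactly what the thread shows for /bin/sh.
# Mode strings are read from ls -ld rather than tested with access checks, so
# the answer is the same whoever runs the script (root bypasses mode bits).

dir_other_search_bit() {
    # $1: directory. Returns 0 if "other" may search it, 1 otherwise; in the
    # failing case prints who can still traverse it (owner, or owner+group).
    set -- "$1" $(ls -ld "$1")          # $2=mode $4=owner $5=group
    mode=$2 owner=$4 group=$5
    case $mode in
        ?????????[xt]*) return 0 ;;      # 10th char: other-x (t = sticky+x)
    esac
    case $mode in
        ??????[xs]*) who="owner $owner and members of group $group" ;;
        *)           who="owner $owner only" ;;
    esac
    printf 'not searchable by others: %s %s:%s %s (traversable by %s)\n' \
        "$mode" "$owner" "$group" "$1" "$who"
    return 1
}

check_search_bits() {
    # $1: directory standing in for "/" (use the real / on a live system);
    # $2: path relative to it. Returns 0 when every directory component is
    # searchable by others, 1 when at least one is not.
    base=${1%/}; [ -n "$base" ] || base=/
    failed=0
    dir_other_search_bit "$base" || failed=1
    cur=$base
    old_ifs=$IFS; IFS=/
    set -- $2                            # split the relative path on "/"
    IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur=${cur%/}/$comp
        [ -d "$cur" ] || break           # reached the file itself
        dir_other_search_bit "$cur" || failed=1
    done
    return $failed
}

build_demo_tree() {
    # Constructed stand-in for the poster's system: a "root" directory that
    # lost its o+x bit (0750, group-searchable only) holding bin/sh (0555)
    # and home/toto (0755). Prints the path of the new tree.
    root=$(mktemp -d) || return 1
    mkdir -p "$root/bin" "$root/home/toto"
    printf '#!/bin/sh\necho hello\n' > "$root/bin/sh"
    chmod 555 "$root/bin/sh"
    chmod 755 "$root/bin" "$root/home" "$root/home/toto"
    chmod 750 "$root"
    printf '%s\n' "$root"
}

# --- stand-alone demo on the constructed tree --------------------------------
root=$(build_demo_tree) || exit 1
echo "before (tree root is 0750, as / appears to have been on the poster's box):"
check_search_bits "$root" bin/sh \
    || echo "=> bin/sh is 0555 yet unreachable for users outside that group"
chmod 755 "$root"                        # the fix from the thread: chmod 755 /
echo "after chmod 755:"
check_search_bits "$root" bin/sh \
    && echo "=> every component searchable; exec works for every user"
rm -rf "$root"
```

On a live machine, `check_search_bits / bin/sh` (or `/ home/toto`) walks the real root, and the first reported line is the directory to fix. A check like this belongs in a post-buildworld/installworld sanity script: a lost search bit on / or /usr breaks logins and rc scripts for every non-wheel user while `ls -l /` still looks fine, as the thread shows, so catching it right after the upgrade is far cheaper than diagnosing it from "su: /bin/sh: Permission denied".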
 