
Bug 4210

Summary: su doesn't seem to read /etc/suauth
Product: Gentoo Infrastructure
Reporter: Wes Morriston <trub9>
Component: Bugzilla
Assignee: John Davis (zhen) (RETIRED) <zhen>
Status: RESOLVED FIXED    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: x86   
OS: Linux   

Description Wes Morriston 2002-06-26 19:31:10 UTC
I wanted one user to be able to su to root without entering a password.  I 
created an /etc/suauth file with the following line (where "foo" is the 
user)

     root:foo:NOPASS

Nothing doing.  User foo still has to enter a password.  I even put this 
into /etc/suauth

     root:foo:DENY

Still no change.  User "foo" still gets to su to root.

This is not the behavior that is described in the man pages.  Is this 
intentional?

Wes
Comment 1 Daniel Harding 2002-10-06 22:24:19 UTC
Gentoo does not use the su from sh-utils but one from the shadow package.  The
latter is compiled to use PAM for authentication, and I am sure there is a PAM
module that will let you do what you are wanting.  However, the shadow ebuild
should probably still be fixed so that the suauth man page is not installed,
since apparently it is not used when PAM is used.
Comment 2 Martin Schlemmer (RETIRED) gentoo-dev 2002-12-03 01:34:12 UTC
You can do it with something like this:

---------------------------------------------------------------
#%PAM-1.0

auth       sufficient   /lib/security/pam_rootok.so

# If you want to restrict users being allowed to su even more,
# create /etc/security/suauth.allow (or any name, for that matter) that is only
# writable by root, and add users that are allowed to su to that
# file, one per line.
#auth       required     /lib/security/pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.allow

# Uncomment this to allow users in the wheel group to su without
# entering a passwd.
#auth       sufficient   /lib/security/pam_wheel.so use_uid trust

# Alternatively to the above, you can keep a list of users that do
# not need to supply a passwd.
#auth       sufficient   /lib/security/pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.nopass

# Comment this out to allow any user, even those not in the 'wheel'
# group, to su
auth       required     /lib/security/pam_wheel.so use_uid

auth       required     /lib/security/pam_stack.so service=system-auth

account    required     /lib/security/pam_stack.so service=system-auth

password   required     /lib/security/pam_stack.so service=system-auth

session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_xauth.so
----------------------------------------------------

Hope this helps.
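Added example, not part of the bug thread: a small POSIX shell audit of an /etc/pam.d/su-style file that flags the settings the comment above turns on or off (a "sufficient" line that grants root without a password, a pam_listfile entry that does not fail closed, a missing required pam_wheel) and checks that a pam_listfile user list is root-owned and not group/world writable. The sample config and the temp-file paths are constructed for the demo, not taken from any system.

```shell
#!/bin/sh
# Added example (not from the bug report): audit an /etc/pam.d/su-style file
# for the settings discussed in the comment above. The sample config and the
# temp-file paths below are constructed for the demo.

# audit_pam_su CONFIG
# Prints one "FINDING: ..." line per risky auth setting found in CONFIG.
audit_pam_su() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
        $1 != "auth"          { next }            # only the auth stack decides su access
        # Any "sufficient" line other than pam_rootok short-circuits the stack,
        # i.e. it is a passwordless path to root for whoever it matches.
        $2 == "sufficient" && $3 !~ /pam_rootok/ { print "FINDING: passwordless path: " $0 }
        $3 ~ /pam_wheel/ && $2 == "required"     { wheel = 1 }
        # pam_listfile must fail closed when its file is missing or unreadable.
        $3 ~ /pam_listfile/ {
            onerr = ""
            for (i = 4; i <= NF; i++) if ($i ~ /^onerr=/) onerr = $i
            if (onerr != "onerr=fail") print "FINDING: listfile does not fail closed: " $0
        }
        END { if (!wheel) print "FINDING: no required pam_wheel, any user may attempt su" }
    ' "$1"
}

# check_listfile PATH
# Prints a FINDING line if PATH (a pam_listfile user list) is missing,
# not owned by root, or writable by group/other (ls -l mode chars 6 and 9).
check_listfile() {
    [ -e "$1" ] || { echo "FINDING: $1 missing (onerr=fail will deny all su)"; return 0; }
    ls -ld "$1" | awk -v f="$1" '{
        if ($3 != "root") print "FINDING: " f " not owned by root"
        if (substr($1,6,1) == "w" || substr($1,9,1) == "w") print "FINDING: " f " writable by group/other"
    }'
}

# Constructed sample: the posted config with the no-password list enabled
# and a fail-open onerr, written to a temp file so the demo runs offline.
SAMPLE_SU_PAM=$(mktemp)
cat > "$SAMPLE_SU_PAM" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
auth       sufficient   /lib/security/pam_listfile.so item=ruser sense=allow onerr=succeed file=/etc/security/suauth.nopass
auth       required     /lib/security/pam_wheel.so use_uid
auth       required     /lib/security/pam_stack.so service=system-auth
EOF

audit_pam_su "$SAMPLE_SU_PAM"
```

Run it against the real /etc/pam.d/su and each file= path it references to see which of the posted options are active on a given box.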