I don't know if it is my pam.d/su config... But "su -" in an xterm window works. And login as root on kdm also.

The user who tries kdesu is NOT in the wheel group, BUT its name is in a single line in the "/etc/security/suauth.allow" file.

---

So maybe it can help: My /etc/pam.d/su config file:

#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
# If you want to restrict users begin allowed to su even more,
# create /etc/security/suauth.allow (or to that matter) that is only
# writable by root, and add users that are allowed to su to that
# file, one per line.
auth required /lib/security/pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.allow
# Uncomment this to allow users in the wheel group to su without
# entering a passwd.
#auth sufficient /lib/security/pam_wheel.so use_uid trust
# Alternatively to above, you can implement a list of users that do
# not need to supply a passwd with a list.
#auth sufficient /lib/security/pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.nopass
# Comment this to allow any user, even those not in the 'wheel'
# group to su
auth required /lib/security/pam_wheel.so use_uid
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so

Reproducible: Always

Steps to Reproduce:
1. kdesu ls

Actual Results:
Incorrect password, please try again!

And a log entry in /var/log/messages:

Aug 2 02:43:07 jolie su[21523]: pam_authenticate: Permission denied

Expected Results:
the directory as root...
;-)

Portage 2.0.50-r9 (default-x86-2004.0, gcc-3.3.3, glibc-2.3.3.20040420-r0, 2.6.7-gentoo-r11)
=================================================================
System uname: 2.6.7-gentoo-r11 i686 Intel(R) Pentium(R) 4 CPU 2.53GHz
Gentoo Base System version 1.4.16
Autoconf: sys-devel/autoconf-2.59-r3
Automake: sys-devel/automake-1.8.3
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-march=pentium4 -pipe -fomit-frame-pointer -O3"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.2/share/config /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/init.d /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium4 -pipe -fomit-frame-pointer -O3"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox sfperms strict userpriv usersandbox"
GENTOO_MIRRORS=" http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo http://212.219.247.11/sites/www.ibiblio.org/gentoo/ http://212.219.247.12/sites/www.ibiblio.org/gentoo/ "
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X aac aalib acl acpi acpi4linux aim alsa amd apache2 apm arts audiofile avi berkdb bonobo cdr crypt cups dga directfb divx4linux dv dvd dvdr emacs emacs-w3 encode esd ethereal faac faad fam fax fbcon ffmpeg firebird flac foomaticdb gb gdbm geoip ggi gif gimp gimpprint gnome gphoto2 gpm gstreamer gtk gtk2 gtkhtml guile hbci icq imagemagick imap imlib ipv6 jabber jack java jce jikes jp2 jpeg kde kerberos ladcca lcms libcaca libg++ libsamplerate libwww lirc live mad maildir matroska matrox memlimit mikmod mldonkeypango mmx motif mozdomi mozilla mozxmlterm mpeg mpeg4 mplayer msn mysql nas ncurses nls ntlm odbc ofx oggvorbis opengl oscar oss pam pcap pcre pdflib perl php png posix postgres ppds pthreads python qt quicktime readline ruby samba scanner sdl silc slang speex spell spl sqlite sse ssl svga tcltk tcpd tetex theora tiff transcode truetype unicode usb v4l v4l2 videos wmf x86 xemacs xml xml2 xmms xosd xprint xv xvid yahoo yv12 zlib zvbi"
Your pam.d/su file says that you have to be listed in suauth.allow

auth required /lib/security/pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.allow

_and_ be a member of the wheel group

auth required /lib/security/pam_wheel.so use_uid

"su -" should also fail for you, I don't know why it succeeds (it fails here with the same configuration as you). Try commenting out the second entry and see if it works.
Thnx for your answer! When I put myself (user me) in the wheel group --> then it works!

BUT as you said:

"su -" should also fail for you, I don't know why it succeeds (it fails here with the same configuration as you). Try commenting out the second entry and see if it works.

This should NOT work, but I removed myself from the wheel group (as you will see below) and a "su -" in a konsole (executes bash -l) WORKS!! (don't ask me why):

me@jolie ~ $ groups
root lp mail audio video apache mine
me@jolie ~ $ su -
root's password:
/etc/profile >>> terminal type is 'xterm' <<<
Executing GLOBAL autoexec.GLOBAL... done
Executing HOST specific autoexec.jolie... done
jolie ~ # exit
logout
me@jolie ~ $ ksu root
WARNING: Your password may be exposed if you enter it here and are logged in remotely using an unsecure (non-encrypted) channel.
Kerberos password for root@EXAMPLE.COM: : No password given
Authentication failed.
me@jolie ~ $ ksu root ls
Usage: ksu [target user] [-n principal] [-c source cachename] [-k] [-D] [-r time] [-pf] [-l lifetime] [-zZ] [-q] [-e command [args... ] ] [-a [args... ] ]
me@jolie ~ $ ksu root -e ls
account root: authorization failed
me@jolie ~ $

You think I should open a NEW bug for pam.d (or su)???
The part about ksu is not relevant, it has nothing to do with kdesu! Anyway, maybe you removed the 'wheel' group from /etc/group; in that case pam_wheel will check against the 'root' group, and you're a member of that group.
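Added example (not part of the original thread, and not PAM's own code): a simplified Python model of the auth stack quoted above, showing that every "required" entry must pass and that pam_wheel falls back to the GID 0 group when no "wheel" group exists. The user name "me" comes from the thread; the GID 10 for wheel, the group member sets and the reduction of each module to a single check are constructed assumptions.

```python
# Added example: simplified model of the "auth" stack in /etc/pam.d/su (not PAM itself).
PAM_SU_AUTH = """\
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.allow
auth required /lib/security/pam_wheel.so use_uid
auth required /lib/security/pam_stack.so service=system-auth
"""

def parse_auth(text):
    """Return [(control, module)] for the active (uncommented) auth lines."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def module_ok(module, user, ctx):
    if module == "pam_rootok.so":      # passes only when the caller is already root
        return ctx["uid"] == 0
    if module == "pam_listfile.so":    # sense=allow: user must be listed in the file
        return user in ctx["suauth_allow"]
    if module == "pam_wheel.so":       # "wheel", or the GID 0 group if wheel is absent
        groups = ctx["groups"]         # constructed shape: name -> (gid, members)
        if "wheel" in groups:
            return user in groups["wheel"][1]
        return any(gid == 0 and user in m for gid, m in groups.values())
    if module == "pam_stack.so":       # stands in for the system-auth password check
        return ctx["password_ok"]
    raise ValueError(f"module not modelled: {module}")

def evaluate(stack, user, ctx):
    """Return (granted, first failing required module or None)."""
    failed = None
    for control, module in stack:
        ok = module_ok(module, user, ctx)
        if control == "sufficient" and ok and failed is None:
            return True, None          # success short-circuits the stack
        if control == "required" and not ok and failed is None:
            failed = module            # remembered; later modules still run
    return failed is None, failed

def scenario(groups):
    # Constructed context: non-root user "me", listed in suauth.allow, correct password.
    ctx = {"uid": 1000, "suauth_allow": {"me"}, "password_ok": True, "groups": groups}
    return evaluate(parse_auth(PAM_SU_AUTH), "me", ctx)

if __name__ == "__main__":
    print(scenario({"wheel": (10, {"root"}), "root": (0, {"root", "me"})}))
```

To see which case applies on a real system, compare the output of "getent group wheel" and "getent group root" with the output of "id" for the user.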
ksu... hmmm... ooopsi :-) (it was late;-) No, for sure I didn't remove wheel... because either I added ",me" behind "root" or I removed it - not more... ???
What confused me was that it worked for su in any shell WITHOUT being in group wheel! --> I didn't think that it is necessary to be in group wheel... But as it works when I am in the wheel group (as it should how I know now) --> no bug in kdesu (, but maybe in su...)