RE: [leaf-user] lshd / additional users on bering - su command
> > Any other ideas on login or su?
>
> As 'root', do:
>
>     chmod +4111 /path/to/su
>
> If 'su' isn't run suid, then most likely /etc/shadow isn't being read because 'su' is running as your non-root user.
>
> --
> ~Lynn Avants
> Linux Embedded Appliance Firewall Developer

OK, I tried chmod, still get the password incorrect reply from su. The output of ls -l of su didn't change after chmod. It is and was:

    ls -l
    -rwxr-xr-x 1 root root 9504 May 17 18:24

This is what I see when logged in as the user (not root). If I read it correctly (without consulting my book), I think it should be executable by anybody, and is.

Is there something that needs to be done to /etc/shadow? I really don't know this stuff, just grasping. I noticed that ls -l /etc/shadow looks like:

    -rw--- 1 root shadow 774 May 17 18:27

So I tried chmod +x but still got the same password error. Then I thought, it doesn't need world exec, it needs world read. So I did chmod +r on shadow, and now ls -l gives:

    -rwxr-xr-x 1 root shadow 744 May 17 18:27

Then I logged out and back in as the user, and when I tried su and entered the password, it said:

    su: cannot set groups: Operation not permitted

So, it looks like the password incorrect issue was that /etc/shadow was not readable by su when run in the user's shell (is this a correct interpretation?). Now, it appears the password is read and validates with su, but I get this new error. Any ideas?

Thanks - ted

---
This SF.net email is sponsored by: eBay
Get office equipment for less on eBay!
http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] lshd / additional users on bering - su command
On Thursday 29 May 2003 09:25 am, Theodore Wynnychenko wrote:
> > > Any other ideas on login or su?
> >
> > As 'root', do:
> >
> >     chmod +4111 /path/to/su
> >
> > If 'su' isn't run suid, then most likely /etc/shadow isn't being read because 'su' is running as your non-root user.
> >
> > --
> > ~Lynn Avants
> > Linux Embedded Appliance Firewall Developer
>
> OK, I tried chmod, still get the password incorrect reply from su. The output of ls -l of su didn't change after chmod. It is and was:
>
>     ls -l
>     -rwxr-xr-x 1 root root 9504 May 17 18:24
>
> This is what I see when logged in as the user (not root). If I read it correctly (without consulting my book), I think it should be executable by anybody, and is.

Yes, it is executable by anybody, but runs as the user calling it and can't read the necessary root-only readable files. You have to set the permissions for the binary to run as root (suid bit) regardless of the user calling it.

I told you only root could change the binary permissions ("As 'root', do:"), so you're either going to have to login as root to fix this or modify your system so anyone with access under any reason can get all password information from your box.

This is a file-permissions 101 question. I gave you the correct information to fix it with last post...either you can use it or ignore it, I really don't care.

--
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81
RE: [leaf-user] lshd / additional users on bering - su command
Lynn-

Sorry, I wasn't ignoring anything. I guess I just didn't say it. But I did EXACTLY what you suggested. I logged in as ROOT (via lshd), and typed

    chmod +411 /usr/local/bin/su

After this I logged out, went back to and reconnected, and logged back in as the user. Trying SU gave me the same password error message.

Sorry for the misunderstanding. I don't want you to think that I was ignoring your advice, I wasn't. I guess my reply didn't make it clear that I had followed your suggestion to the letter, and that it didn't change the error message. That's when I went and looked at the /etc/shadow file and tried changing its permissions, and that's when the error message changed.

So, to be clear:

    I logged in as ROOT.
    I entered CHMOD +4111 /usr/local/bin/su.
    I logged out.
    I logged back in as the user.
    I entered su.
    I entered the root password.
    The error message was NOT CHANGED.

So, then I changed read permission on /etc/shadow (as root). Now, instead of getting an "su: incorrect password" error message, I get an "su: cannot set groups: Operation not permitted" error message.

Are you implying with your comments that the second error message is also indicative of a problem with the permissions under which su is running?

I also didn't think about the issue of making the password file available to anyone that logs in. Certainly, that is not a good idea. But chmod +4111 /path/to/su executed as root did not change the error/problem.

Thanks for your - ted

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lynn Avants
Sent: Thursday, May 29, 2003 8:57 AM
To: [EMAIL PROTECTED]
Subject: Re: [leaf-user] lshd / additional users on bering - su command

On Thursday 29 May 2003 09:25 am, Theodore Wynnychenko wrote:
> > > Any other ideas on login or su?
> >
> > As 'root', do:
> >
> >     chmod +4111 /path/to/su
> >
> > If 'su' isn't run suid, then most likely /etc/shadow isn't being read because 'su' is running as your non-root user.
> >
> > --
> > ~Lynn Avants
> > Linux Embedded Appliance Firewall Developer
>
> OK, I tried chmod, still get the password incorrect reply from su. The output of ls -l of su didn't change after chmod. It is and was:
>
>     ls -l
>     -rwxr-xr-x 1 root root 9504 May 17 18:24
>
> This is what I see when logged in as the user (not root). If I read it correctly (without consulting my book), I think it should be executable by anybody, and is.

Yes, it is executable by anybody, but runs as the user calling it and can't read the necessary root-only readable files. You have to set the permissions for the binary to run as root (suid bit) regardless of the user calling it.

I told you only root could change the binary permissions ("As 'root', do:"), so you're either going to have to login as root to fix this or modify your system so anyone with access under any reason can get all password information from your box.

This is a file-permissions 101 question. I gave you the correct information to fix it with last post...either you can use it or ignore it, I really don't care.

--
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81
Re: [leaf-user] lshd / additional users on bering - su command
On Thursday 29 May 2003 10:11 am, Theodore Wynnychenko wrote:
> Lynn-
>
> Sorry, I wasn't ignoring anything. I guess I just didn't say it. But I did EXACTLY what you suggested. I logged in as ROOT (via lshd), and typed
>
>     chmod +411 /usr/local/bin/su
>
> After this I logged out, went back to and reconnected, and logged back in as the user. Trying SU gave me the same password error message.

It was chmod +4111 /usr/local/bin/su, with 4 numerals...the prefix is the suid/guid/sticky column.

> Sorry for the misunderstanding. I don't want you to think that I was ignoring your advice, I wasn't. I guess my reply didn't make it clear that I had followed your suggestion to the letter, and that it didn't change the error message. That's when I went and looked at the /etc/shadow file and tried changing its permissions, and that's when the error message changed.

That is because the binary is running as your user, not 'root'. You didn't say you tried this as 'root', but rather as a non-root user that doesn't have permissions to change root/root owned files. Su is owned by 'root/root' correct???

> So, to be clear:
>
>     I logged in as ROOT.
>     I entered CHMOD +4111 /usr/local/bin/su.
>     I logged out.
>     I logged back in as the user.
>     I entered su.
>     I entered the root password.
>     The error message was NOT CHANGED.
>
> So, then I changed read permission on /etc/shadow (as root). Now, instead of getting an "su: incorrect password" error message, I get an "su: cannot set groups: Operation not permitted" error message.
>
> Are you implying with your comments that the second error message is also indicative of a problem with the permissions under which su is running?
>
> I also didn't think about the issue of making the password file available to anyone that logs in. Certainly, that is not a good idea. But chmod +4111 /path/to/su executed as root did not change the error/problem.
>
> Thanks for your - ted

Still indicates that the owner/permissions are wrong, otherwise it would be able to read /etc/shadow and /etc/groups. Changing permissions on /etc/shadow is a _big_ security risk.

OK, the permissions for /bin/su on my box are:

    ls -al /bin/su
    -rwsr-xr-x    1 root     root        22904 Apr 26 14:50 /bin/su

The s in the owner column is for 'suid', which the command I gave you sets. Su _must_ run as root and w/o the suid bit set the command runs as the user calling the binary. I don't know what to say, I've tried it on my machine and it works. No problem with the time, I just want to see it work as well..

--
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81
RE: [leaf-user] lshd / additional users on bering - su command
Lynn pretty much covered this one, but I wanted to add one suggestion. After you run the chmod (not CHMOD; Unix/Linux is case sensitive) command as Lynn advises, then run

    ls -l /usr/local/bin/su

to verify that the permissions are set properly (that is, that they match the example Lynn showed you from his system). Do NOT change permissions on /etc/passwd or /etc/shadow (or /etc/group, the file that probably caused your last error message).

If the su command still does not work after you make this change, report back with ...

    output of ls -l /usr/local/bin/su
    output of ls -l /bin/passwd
    output of ls -l /etc/shadow
    output of ls -l /etc/passwd

... and the exact command you enter and the exact error you get.

I'm also a bit perplexed by the utmp problem you reported, though this one I can recreate here on a test Bering system I set up. It looks as though the utmp file is not being properly updated in some way ... I remember seeing this problem before, but many years ago, back in the days of 1.x kernels. Very odd ... unless it is some security measure I am unfamiliar with (Jacques??).

At 10:11 AM 5/29/2003 -0500, Theodore Wynnychenko wrote:
> Lynn-
>
> Sorry, I wasn't ignoring anything. I guess I just didn't say it. But I did EXACTLY what you suggested. I logged in as ROOT (via lshd), and typed
>
>     chmod +411 /usr/local/bin/su
>
> After this I logged out, went back to and reconnected, and logged back in as the user. Trying SU gave me the same password error message.
>
> Sorry for the misunderstanding. I don't want you to think that I was ignoring your advice, I wasn't. I guess my reply didn't make it clear that I had followed your suggestion to the letter, and that it didn't change the error message. That's when I went and looked at the /etc/shadow file and tried changing its permissions, and that's when the error message changed.
>
> So, to be clear:
>
>     I logged in as ROOT.
>     I entered CHMOD +4111 /usr/local/bin/su.
>     I logged out.
>     I logged back in as the user.
>     I entered su.
>     I entered the root password.
>     The error message was NOT CHANGED.
>
> So, then I changed read permission on /etc/shadow (as root). Now, instead of getting an "su: incorrect password" error message, I get an "su: cannot set groups: Operation not permitted" error message.
>
> Are you implying with your comments that the second error message is also indicative of a problem with the permissions under which su is running?
>
> I also didn't think about the issue of making the password file available to anyone that logs in. Certainly, that is not a good idea. But chmod +4111 /path/to/su executed as root did not change the error/problem.

[older stuff deleted]
RE: [leaf-user] lshd / additional users on bering - su command
Thanks for everyone's help and input. You know what they say - a little knowledge is a dangerous thing.

Anyway, su now works. Basically, as root I did:

    chmod 4111 /usr/local/bin/su

(not chmod +4111 /usr/local/bin/su - the +411 in my last email was a typo - I had been trying +4111)

I don't really know linux very well at all, but when I saw what the permissions should actually look like, I played a little with the chmod command, and removing the + character did the trick. ls -l for su now reads:

    ---s--x--x

and this works fine. I don't think I really need to have read/write access to su, do I? And if I do, I can always change that later as root, right?

(Obviously, I also DID NOT save to floppy any of my experimentation on /etc/shadow. Just reboot and all the mistakes I may have made are gone.)

Thanks for everyone's help.

ted
Re: [leaf-user] lshd / additional users on bering - su command
On Thursday 29 May 2003 03:02 pm, Theodore Wynnychenko wrote:
> Thanks for everyone's help and input.

NP

> Basically, as root I did:
>
>     chmod 4111 /usr/local/bin/su
>
> (not chmod +4111 /usr/local/bin/su - the +411 in my last email was a typo - I had been trying +4111)
>
> I don't really know linux very well at all, but when I saw what the permissions should actually look like, I played a little with the chmod command, and removing the + character did the trick.

Hmmm... must be a BusyBox thing with 'chmod'. The +, as you noticed, isn't required. Just when I thought I was familiar with the BB usage..

Glad it's working!

--
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81
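An added example, not code from the thread or from the LEAF project: a small POSIX sh script that turns the permission strings quoted above (Ted's -rwxr-xr-x and ---s--x--x, Lynn's -rwsr-xr-x) into the octal mode that chmod takes, and then applies the checks Lynn and Ray describe: su must be setuid and owned by root and not writable by anyone else, and /etc/shadow must stay unreadable by others. It assumes only sh and cut(1); the owner argument is whatever your own ls -l shows.

```shell
#!/bin/sh
# Added example (not from the leaf-user thread): decode `ls -l` permission
# strings and judge su / /etc/shadow setup. Assumes POSIX sh plus cut(1).

# perm_to_octal SYMBOLIC -> prints a 4-digit octal mode, special bits first
perm_to_octal() {
    p=$1 special=0 digits="" i=2        # position 1 is the file-type character
    for bit in 4 2 1; do                # setuid, setgid, sticky, one per triad
        r=$(printf '%s' "$p" | cut -c"$i")
        w=$(printf '%s' "$p" | cut -c"$((i + 1))")
        x=$(printf '%s' "$p" | cut -c"$((i + 2))")
        d=0
        if [ "$r" = r ]; then d=$((d + 4)); fi
        if [ "$w" = w ]; then d=$((d + 2)); fi
        case $x in
            x)   d=$((d + 1)) ;;                              # plain exec
            s|t) d=$((d + 1)); special=$((special + bit)) ;;  # exec + special bit
            S|T) special=$((special + bit)) ;;                # special bit, no exec
        esac
        digits="$digits$d"
        i=$((i + 3))
    done
    printf '%s%s\n' "$special" "$digits"
}

# check_su SYMBOLIC OWNER -> 0 when su will run as root and cannot be edited
# or replaced by other users; prints the reason and returns 1 otherwise
check_su() {
    mode=$(perm_to_octal "$1") owner=$2
    if [ "$owner" != root ]; then
        echo "su is owned by $owner, not root: setuid would give $owner, not root"
        return 1
    fi
    case $mode in
        4*|6*) ;;                       # setuid bit present (6 = setuid + setgid)
        *) echo "mode $mode has no setuid bit: su runs as the calling user"
           return 1 ;;
    esac
    case $1 in                          # 4th char is the owner exec slot
        ???S*) echo "setuid set but owner exec bit missing (capital S)"; return 1 ;;
    esac
    case $1 in                          # 6th char = group w, 9th char = other w
        ?????w*|????????w*)
            echo "mode $mode is group- or world-writable: anyone could replace su"
            return 1 ;;
    esac
    return 0
}

# check_shadow SYMBOLIC -> 0 when /etc/shadow denies all access to "other"
# and is not executable (the thread's chmod +r / +x on it broke both rules)
check_shadow() {
    case $1 in
        *x*|*s*) echo "$1: shadow should never be executable"; return 1 ;;
    esac
    case $1 in
        *---) return 0 ;;               # last triad: no access for others
        *) echo "$1: readable by others, every local user can read the hashes"
           return 1 ;;
    esac
}

# Walk the su modes that appear in the thread, then the two shadow modes.
for sample in '-rwxr-xr-x root' '---s--x--x root' '-rwsr-xr-x root'; do
    set -- $sample
    printf '%-12s %-5s -> octal %s: ' "$1" "$2" "$(perm_to_octal "$1")"
    if check_su "$1" "$2"; then echo "ok"; fi
done
if check_shadow '-rwxr-xr-x'; then echo "unexpected"; fi
if check_shadow '-rw-r-----'; then echo "-rw-r----- shadow ok"; fi
```

Run it as-is to see Ted's original -rwxr-xr-x flagged (no setuid bit, so su runs as the caller and cannot read /etc/shadow) and both 4111 and 4755 accepted.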
Re: [leaf-user] lshd / additional users on bering - su command
Lynn --

I didn't comment initially, because I'm not sure of what I'm about to say. But on other systems I've used, this problem arises when su is not properly set up to use PAM password processing. Hence, every possible password (including the right one) reads as incorrect.

The original poster is dropping a version of su made for one LEAF variant (Dach, probably) into a different LEAF variant (Bering). He may well be running into this sort of problem. But as I said, I'm not sure about this.

Normally, disabling root logins in regular sshd does NOT prevent use of su. (I routinely set up sshd this way on my servers.) I'd be surprised if lsh is different here ... but once more, I cannot be certain.

At 10:21 PM 5/27/2003 -0500, Lynn Avants wrote:
> On Tuesday 27 May 2003 10:26 pm, [EMAIL PROTECTED] wrote:
> > Well, again thanks. Hearing that it had worked for others without major issues made me go back over some basics. I had a relatively OLD copy of putty, so I got a newer release. Now, lshd works. Finally, I can do away with the extra monitor (back to the basement).
> >
> > Anyway, I have one final question. I was thinking of adding a second user to the bering box. (I understand, in theory, it is best to log on as a user, and su to root.) So, I found the FAQ on the leaf site at sourceforge by Charles Steinkuehler and David Douthitt, and followed the instructions. Now I have a second user and can log in with it.
>
> Doesn't really matter, you get a root login on the connection either way.
>
> > However, when I tried su, I got an unknown command response. So, I found an su binary on Charles Steinkuehler's LEAF/LRP Website, added it to /usr/local/bin, and now I have the command. BUT, if I log in as the user and try su, I get the password prompt, but I always get "su: incorrect password" in reply to my attempt to get to root (I have tried a number of times, I am sure I typed the password correctly).
>
> Try putting it in /sbin or /bin, I haven't heard of it not working, but possibly it is not finding the correct path.
>
> > Is there something else I need to do make this work? (I had been planning on disabling root-login via lshd if I got this working, but it isn't really that big an issue.)
>
> If you disable the root-login, you won't be able to 'su' to root IIRC. Possibly I'm wrong here though.
Re: [leaf-user] lshd / additional users on bering - su command
On Wednesday 28 May 2003 10:02 am, Ray Olszewski wrote:
> Lynn --
>
> I didn't comment initially, because I'm not sure of what I'm about to say. But on other systems I've used, this problem arises when su is not properly set up to use PAM password processing. Hence, every possible password (including the right one) reads as incorrect.

Dach doesn't use PAM, and the passwd system is the same with Bering in the cases I've been through. Su should be compatible.

[...]

> Normally, disabling root logins in regular sshd does NOT prevent use of su. (I routinely set up sshd this way on my servers.) I'd be surprised if lsh is different here ... but once more, I cannot be certain.

All right, I wasn't sure about this. I would suppose there could be a permission or path error instead. It will be really difficult to know what is wrong w/o having direct access to the box, but not much *could* be wrong with simply adding a single binary.

--
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81
Re: [leaf-user] lshd / additional users on bering - su command
Again, I would like to thank everyone for their input.

Yes, the su binary comes from (I think) the Dach distribution. There is not a problem with path. The command does execute when it resides in /usr/local/bin. In fact, if I log in as root, I can su to root (no password required), and I do get a root shell, within the outer root shell.

Certainly, this is not a problem related to lshd or sshd (I was merely tagging this question to the end of the previous one). The issue seems to be with password authentication, as was mentioned in a prior reply.

Is there anything I can do to fix this? Or, what other information can I provide to help with diagnosis of the problem? I am currently running bering 1.0.

Thanks - ted

On Wed, 28 May 2003 09:32:43 -0500 Lynn Avants wrote:
> On Wednesday 28 May 2003 10:02 am, Ray Olszewski wrote:
> > Lynn --
> >
> > I didn't comment initially, because I'm not sure of what I'm about to say. But on other systems I've used, this problem arises when su is not properly set up to use PAM password processing. Hence, every possible password (including the right one) reads as incorrect.
>
> Dach doesn't use PAM, and the passwd system is the same with Bering in the cases I've been through. Su should be compatible.
>
> [...]
>
> > Normally, disabling root logins in regular sshd does NOT prevent use of su. (I routinely set up sshd this way on my servers.) I'd be surprised if lsh is different here ... but once more, I cannot be certain.
>
> All right, I wasn't sure about this. I would suppose there could be a permission or path error instead. It will be really difficult to know what is wrong w/o having direct access to the box, but not much *could* be wrong with simply adding a single binary.
>
> --
> ~Lynn Avants
> Linux Embedded Appliance Firewall Developer
> http://leaf.sourceforge.net
> http://guitarlynn.homelinux.org:81
Re: [leaf-user] lshd / additional users on bering - su command
At 12:22 PM 5/28/2003 -0500, [EMAIL PROTECTED] wrote:
> Again, I would like to thank everyone for their input.
>
> Yes, the su binary comes from (I think) the Dach distribution. There is not a problem with path. The command does execute when it resides in /usr/local/bin. In fact, if I log in as root, I can su to root (no password required), and I do get a root shell, within the outer root shell.
>
> Certainly, this is not a problem related to lshd or sshd (I was merely tagging this question to the end of the previous one). The issue seems to be with password authentication, as was mentioned in a prior reply.
>
> Is there anything I can do to fix this? Or, what other information can I provide to help with diagnosis of the problem? I am currently running bering 1.0.

[old stuff deleted]

See if you can lsh in as ordinary_user, then run login to log in as root.
RE: [leaf-user] lshd / additional users on bering - su command
Thanks Ray.

I tried using login. After connecting via lsh with a user account I tried login. I also tried

    login root
    exec login
    exec login root

They all return the same message:

    No utmp entry. you must exec login from the lowest level sh

Also, when I use the exec login versions above, the bering box immediately closes the lsh connection.

ps ax gives me: (I don't really know if/why this is relevant)

    PID   Uid   VmSize   Stat   Command
    3362  user  1316     S      -sh
    19627 user  1796     R      ps ax

I did find a utmp file in /var/run, and tried removing it, but then I get the same message, and, in addition I also get file not found messages (I guess I thought that by removing it, the file would get recreated and magically work).

Anyway, that's what I get. Is there another way to log in with a non-root account (into lshd) and then get to root? Any other ideas on login or su?

Thanks again - ted

At 12:22 PM 5/28/2003 -0500, [EMAIL PROTECTED] wrote:
> > Again, I would like to thank everyone for their input.
> >
> > Yes, the su binary comes from (I think) the Dach distribution. There is not a problem with path. The command does execute when it resides in /usr/local/bin. In fact, if I log in as root, I can su to root (no password required), and I do get a root shell, within the outer root shell.
> >
> > Certainly, this is not a problem related to lshd or sshd (I was merely tagging this question to the end of the previous one). The issue seems to be with password authentication, as was mentioned in a prior reply.
> >
> > Is there anything I can do to fix this? Or, what other information can I provide to help with diagnosis of the problem? I am currently running bering 1.0.
>
> [old stuff deleted]
>
> See if you can lsh in as ordinary_user, then run login to log in as root.
Re: [leaf-user] lshd / additional users on bering - su command
On Wednesday 28 May 2003 06:15 pm, Theodore Wynnychenko wrote:
> Any other ideas on login or su?

As 'root', do:

    chmod +4111 /path/to/su

If 'su' isn't run suid, then most likely /etc/shadow isn't being read because 'su' is running as your non-root user.

--
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81