Date: Thu, 28 Mar 2002 15:43:22 +0300
From: "Nickolay A. Kritsky"
To: radzivilyuk@itt.net.ua ((Radzivilyuk V.O.))
Cc: freebsd-security@freebsd.org
Subject: Re[2]: can't su to root
Message-ID: <159278930741.20020328154322@internethelp.ru>

Hello Radzivilyuk,

Thursday, March 28, 2002, 2:51:39 PM, you wrote:

RVO> $ls -l /usr/bin/su
RVO> -r-sr-xr-x 1 root wheel 8168 Apr 21 2001 /usr/bin/su

RVO> for those who don't understand me -
RVO> *I am in wheel group*

/usr/src/usr.bin/su/su.c is quite simple. Why don't you add some
debugging strings in there?
Grepping su.c for "Sorry", you can see there is only one reason for
stderring this string:

;---------------begin cut from su.c--------------------
		/* if target requires a password, verify it */
		if (*pwd->pw_passwd) {
#ifdef	SKEY
#ifdef WHEELSU
			if (iswheelsu) {
				pwd = getpwnam(username);
			}
#endif /* WHEELSU */
			p = skey_getpass("Password:", pwd, 1);
			if (!(!strcmp(pwd->pw_passwd, skey_crypt(p, pwd->pw_passwd, pwd, 1))
#ifdef WHEELSU
			      || (iswheelsu && !strcmp(targetpass, crypt(p,targetpass)))
#endif /* WHEELSU */
			      )) {
#else
			p = getpass("Password:");
			if (strcmp(pwd->pw_passwd, crypt(p, pwd->pw_passwd))) {
#endif
#ifdef KERBEROS
				if (!use_kerberos || (use_kerberos && kerberos(username, user, pwd->pw_uid, p)))
#endif
				{
					fprintf(stderr, "Sorry\n");
					syslog(LOG_AUTH|LOG_WARNING, "BAD SU %s to %s%s", username, user, ontty());
					exit(1);
				}
			}
#ifdef WHEELSU
			if (iswheelsu) {
				pwd = getpwnam(user);
			}
#endif /* WHEELSU */
		}
;----------------end cut ---------------------------------

Depending on your values of WHEELSU, SKEY and KERBEROS, you need to add
only 2-3 debug strings. Try this. I hope it will help you. It helps me
quite often.

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru
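
Added example, not part of the original message and not code from su.c: a stand-alone model of the non-SKEY, non-KERBEROS branch of the excerpt above, with one debug line per decision point that names the branch taken without printing the typed password or either hash. The names check_password, su_result and toy_crypt are hypothetical; toy_crypt is a constructed stand-in with crypt(3)'s signature so the block runs without libcrypt, and it is not a real password hash.

```c
/* Added example (not su.c): the excerpt's password check with debug lines. */
#include <stdio.h>
#include <string.h>

enum su_result { SU_OK_NOPASS, SU_OK, SU_BAD_HASHFAIL, SU_BAD_MISMATCH };

/* Same signature as crypt(3); in su.c the call is crypt() itself. */
typedef char *(*hash_fn)(const char *key, const char *salt);

/* Constructed stand-in for crypt(): NOT a real password hash. Returns NULL
 * for a salt it does not understand, as crypt(3) may do on error. */
static char *toy_crypt(const char *key, const char *salt)
{
    static char out[64];
    unsigned h = 5381;
    if (strncmp(salt, "$toy$", 5) != 0)
        return NULL;
    for (; *key; key++)
        h = h * 33u + (unsigned char)*key;
    snprintf(out, sizeof out, "$toy$%08x", h);
    return out;
}

/* Mirrors: if (*pwd->pw_passwd) { if (strcmp(pw_passwd, crypt(p, pw_passwd))) ... }
 * The debug lines report which branch fired, never the password or a hash. */
enum su_result check_password(const char *pw_passwd, const char *typed, hash_fn hash)
{
    if (*pw_passwd == '\0') {
        fprintf(stderr, "debug: target has empty pw_passwd, check skipped\n");
        return SU_OK_NOPASS;
    }
    char *h = hash(typed, pw_passwd);
    if (h == NULL) {    /* strcmp(pw_passwd, NULL) would crash instead */
        fprintf(stderr, "debug: hash function returned NULL for stored salt\n");
        return SU_BAD_HASHFAIL;
    }
    if (strcmp(pw_passwd, h) != 0) {
        fprintf(stderr, "debug: hash mismatch (stored len %zu, computed len %zu)\n",
                strlen(pw_passwd), strlen(h));
        return SU_BAD_MISMATCH;
    }
    fprintf(stderr, "debug: password verified\n");
    return SU_OK;
}

int main(void)
{
    /* Constructed stored value with a salt the stand-in rejects. */
    return check_password("$x$constructed", "pw", toy_crypt) == SU_BAD_HASHFAIL ? 0 : 1;
}
```

A length difference in the mismatch line points at a truncated or differently formatted stored hash rather than a mistyped password.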