Date: Fri, 31 Aug 2001 15:06:30 +1000 From: "Glen Hollings" <GHollings@admin.gil.com.au> To: <security@freebsd.org> Subject: Broken SU Message-ID: <B9C04FEB4B4EA74696488AE05045588728D27B@postal.admin.gil.com.au>
next in thread | raw e-mail | index | archive | help
Has anyone ever experenced a broken SU command?
I cant seem to SU to root when logged in as any 'normal' user....
eg
normuser@bsdbox normuser]$su -m
Password:
(stalls after this)
Or if I put in the wrong password
normuser@bsdbox normuser]$su -m
Password:
Sorry
(stalls after this)
it does this...
putting sshd into debug mode doesnt seem to reveal anything of use..
Here is an strace output of an attempted su:
$strace su
execve("/usr/bin/su", ["su"], [/* 20 vars */]) =3D 0
__sysctl([hw.pagesize], 2, "\0\20\0\0", [4], NULL, 0) =3D 0
mmap(0, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) =3D
0x4005e000
geteuid(0xbfbffc1c) =3D 0
getuid() =3D 1002 (euid 0)
open("/var/run/ld-elf.so.hints", O_RDONLY) =3D 3
read(3, "Ehnt\1\0\0\0\200\0\0\0(\0\0\0\0\0\0\0\'\0\0\0\0\0\0\0\0"..., =
128) =3D
128
lseek(3, 128, SEEK_SET) =3D 128
read(3, "/usr/lib:/usr/lib/compat:/usr/lo"..., 40) =3D 40
close(3) =3D 0
access("/usr/lib/libutil.so.3", F_OK) =3D 0
open("/usr/lib/libutil.so.3", O_RDONLY) =3D 3
fstat(3, {st_mode=3DS_IFREG|0444, st_size=3D32848, ...}) =3D 0
read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0h#\0\000"..., =
4096) =3D
4096
mmap(0, 36864, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =3D 0x40066000
mmap(0x4006e000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3,
0x7000) =3D 0x4006e000
close(3) =3D 0
access("/usr/lib/libskey.so.2", F_OK) =3D 0
open("/usr/lib/libskey.so.2", O_RDONLY) =3D 3
fstat(3, {st_mode=3DS_IFREG|0444, st_size=3D24252, ...}) =3D 0
read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0008\23\0"..., =
4096) =3D
4096
mmap(0, 28672, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =3D 0x4006f000
mmap(0x40073000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3,
0x3000) =3D 0x40073000
close(3) =3D 0
access("/usr/lib/libmd.so.2", F_OK) =3D 0
open("/usr/lib/libmd.so.2", O_RDONLY) =3D 3
fstat(3, {st_mode=3DS_IFREG|0444, st_size=3D34272, ...}) =3D 0
read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0P\17\0\000"..., =
4096)
=3D 4096
mmap(0, 36864, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =3D 0x40076000
mmap(0x4007e000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3,
0x7000) =3D 0x4007e000
close(3) =3D 0
access("/usr/lib/libcrypt.so.2", F_OK) =3D 0
open("/usr/lib/libcrypt.so.2", O_RDONLY) =3D 3
fstat(3, {st_mode=3DS_IFREG|0444, st_size=3D28588, ...}) =3D 0
read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\16"..., =
4096) =3D
4096
mmap(0, 102400, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =3D 0x4007f000
mmap(0x40086000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3,
0x6000) =3D 0x40086000
mmap(0x40087000, 69632, PROT_READ|PROT_WRITE, =
MAP_PRIVATE|MAP_FIXED|MAP_ANON,
-1, 0) =3D 0x40087000
close(3) =3D 0
access("/usr/lib/libc.so.4", F_OK) =3D 0
open("/usr/lib/libc.so.4", O_RDONLY) =3D 3
fstat(3, {st_mode=3DS_IFREG|0444, st_size=3D572588, ...}) =3D 0
read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\314-\1"..., =
4096) =3D
4096
mmap(0, 622592, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =3D 0x40098000
mmap(0x40118000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3,
0x7f000) =3D 0x40118000
mmap(0x4011c000, 81920, PROT_READ|PROT_WRITE, =
MAP_PRIVATE|MAP_FIXED|MAP_ANON,
-1, 0) =3D 0x4011c000
close(3) =3D 0
access("/usr/lib/libcrypt.so.2", F_OK) =3D 0
access("/usr/lib/libmd.so.2", F_OK) =3D 0
sigaction(SIGILL, {0x4004f0fc, [], 0}, {SIG_DFL}) =3D 0
sigprocmask(SIG_BLOCK, NULL, []) =3D 0
sigaction(SIGILL, {SIG_DFL}, NULL) =3D 0
sigprocmask(SIG_BLOCK, ~[ILL TRAP ABRT EMT FPE BUS SEGV SYS], []) =3D 0
sigprocmask(SIG_SETMASK, [], NULL) =3D 0
readlink("/etc/malloc.conf", 0xbfbff6f4, 63) =3D -1 ENOENT (No such file =
or
directory)
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) =3D =
0x40130000
break(0x804d000) =3D 0
getpriority(PRIO_PROCESS, 0) =3D 0
setpriority(PRIO_PROCESS, 0, -2) =3D 0
getuid() =3D 1002 (euid 0)
getlogin(0x401203f8, 0x11) =3D 0
geteuid(0x4011b304) =3D 0
break(0x804e000) =3D 0
stat("/etc/spwd.db", {st_mode=3DS_IFREG|0600, st_size=3D40960, ...}) =3D =
0
open("/etc/spwd.db", O_RDONLY) =3D 3
fcntl(3, F_SETFD, FD_CLOEXEC) =3D 0
read(3, "\0\6\25a\0\0\0\2\0\0\4\322\0\0\20\0\0\0\0\f\0\0\1\0\0\0"..., =
260) =3D
260
break(0x804f000) =3D 0
break(0x8050000) =3D 0
break(0x8051000) =3D 0
lseek(3, 28672, SEEK_SET) =3D 28672
read(3, "\30\0\373\17\302\17\275\17r\17l\17$\17\37\17\344\16\337"..., =
4096) =3D
4096
break(0x8052000) =3D 0
close(3) =3D 0
geteuid(0x4011b304) =3D 0
stat("/etc/spwd.db", {st_mode=3DS_IFREG|0600, st_size=3D40960, ...}) =3D =
0
open("/etc/spwd.db", O_RDONLY) =3D 3
fcntl(3, F_SETFD, FD_CLOEXEC) =3D 0
read(3, "\0\6\25a\0\0\0\2\0\0\4\322\0\0\20\0\0\0\0\f\0\0\1\0\0\0"..., =
260) =3D
260
break(0x8053000) =3D 0
lseek(3, 24576, SEEK_SET) =3D 24576
read(3, "\26\0\373\17\301\17\272\17i\17d\17\23\17\n\17\321\16\314"..., =
4096)
=3D 4096
close(3) =3D 0
geteuid(0x4006e3bc) =3D 0
getegid(0x4006e3bc) =3D 1002
setegid(0Password:
anyone have any ideas?? please!
Thanks
**********************************************
*Glen Hollings | There Cant Be *
*Network Administrator | a Crisis Today,*
*Global Info Links | my schedule is *
*ghollings@admin.gil.com.au | already full. *
**********************************************
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?B9C04FEB4B4EA74696488AE05045588728D27B>