From: "Conrad J. Sabatier"
To: Schiz0
Cc: freebsd-questions@freebsd.org
Date: Sun, 27 May 2007 20:15:44 -0500
Subject: Re: Locked Myself Out - Cannot "su"

On Sun, 27 May 2007 19:17:20 -0400
Schiz0 wrote:

> This is one of those things where after you realize what you've done,
> you just want to smack yourself.
>
> I've been working on hardening my FreeBSD 6.2-Stable box. I disabled
> root login from everywhere, including the console (The box isn't
> physically secure, so I didn't want anyone screwing around). Now, me
> being stupid, didn't reboot after making all these changes to harden
> it. So I finally rebooted (With the secure level set to 2) and I found
> that I can't run "su." I get the following error:
>
> $ su -
> su: not running setuid
>
> I can't shutdown since I can't become root, so I pulled the plug and
> rebooted into single-user mode. I edited /etc/rc.conf and set
> kern_securelevel_enable="NO"
>
> I rebooted again, but for some reason I still get the same error for
> "su."
>
> So basically, I locked myself out of my box completely. I fail :-(
>
> su has the following permissions:
> -r-sr-xr-x 1 root wheel schg 12240 May 13 13:15 su
>
> And sudo isn't installed, unfortunately. Any ideas of how to get root
> back?
>
> Thanks!

First, you need to make sure that ttyv0 is *not* set to "insecure" in
/etc/ttys, so no login/password will be needed in single-user mode:

ttyv0 "/usr/libexec/getty Pc" cons25l1 on secure

This *should* allow you to use single-user mode once again as root.

Then, make sure that any user you want to have su capability is listed
in /etc/group under the "wheel" entry:

wheel:*:0:root,foouser

After that, any other problems you may encounter will have to be dealt
with as they arise. Post a followup if you still have trouble.

HTH

-- 
Conrad J. Sabatier
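
Added example (not part of the original message or of FreeBSD): a small sh script that checks the two settings named in the reply, the secure flag on a terminal's /etc/ttys line and a user's presence in the wheel member list. The function names and the sample files are constructed for illustration; pass the real /etc/ttys and /etc/group to check a live system.

```shell
#!/bin/sh
# Added example: confirm the two settings from the reply before rebooting.
# File paths are arguments so the checks can run against copies.

# tty_flag FILE TTY -> prints "secure", "insecure" or "missing"
tty_flag() {
    awk -v tty="$2" '
        { sub(/#.*/, "") }                  # strip comments
        $1 == tty {
            sub(/"[^"]*"/, "GETTY")         # quoted getty command becomes one field
            flag = "insecure"               # no "secure" keyword: treated as not secure
            for (i = 4; i <= NF; i++) if ($i == "secure") flag = "secure"
            found = 1
        }
        END { print (found ? flag : "missing") }
    ' "$1"
}

# in_group FILE GROUP USER -> exit status 0 if USER is in GROUP's member list
in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }
    ' "$1"
}

# recovery_check TTYS_FILE GROUP_FILE TTY USER -> prints findings, returns 1 on any failure
recovery_check() {
    rc=0
    flag=$(tty_flag "$1" "$3")
    [ "$flag" = "secure" ] || rc=1
    echo "$3 in $1: $flag"
    if in_group "$2" wheel "$4"; then echo "$4: in wheel"
    else echo "$4: NOT in wheel"; rc=1; fi
    return $rc
}

# Constructed sample files (not taken from the poster's machine).
d=$(mktemp -d)
printf '%s\n' '# name getty type status' \
    'ttyv0 "/usr/libexec/getty Pc" cons25l1 on secure' \
    'ttyv1 "/usr/libexec/getty Pc" cons25 on insecure  # hardened' > "$d/ttys"
printf '%s\n' 'wheel:*:0:root,foouser' 'operator:*:5:root' > "$d/group"
recovery_check "$d/ttys" "$d/group" ttyv0 foouser || echo "fix before rebooting"
```

in_group reads only the member list in the group file; a user whose primary group in the password file is wheel is not detected by it.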