Date: Mon, 28 May 2007 16:13:19 -0400
From: Schiz0 <schiz0phrenic21@gmail.com>
To: "Conrad J. Sabatier" <conrads@cox.net>, jerrymc@msu.edu
Cc: freebsd-questions@freebsd.org
Subject: Re: Locked Myself Out - Cannot "su"
Message-ID: <8d23ec860705281313o6f9e8f1ar2a3ed997cde48985@mail.gmail.com>
In-Reply-To: <8d23ec860705271922i1ec2760cvb15d015c97fbdabd@mail.gmail.com>
References: <8d23ec860705271617v60fab47fo264e8aa43120338a@mail.gmail.com>
 <200705280115.l4S1FirT088605@serene.no-ip.org>
 <8d23ec860705271922i1ec2760cvb15d015c97fbdabd@mail.gmail.com>
On 5/27/07, Schiz0 <schiz0phrenic21@gmail.com> wrote:
> On 5/27/07, Conrad J. Sabatier <conrads@cox.net> wrote:
> > On Sun, 27 May 2007 19:17:20 -0400
> > Schiz0 <schiz0phrenic21@gmail.com> wrote:
> >
> > > This is one of those things where after you realize what you've done,
> > > you just want to smack yourself.
> > >
> > > I've been working on hardening my FreeBSD 6.2-Stable box. I disabled
> > > root login from everywhere, including the console (the box isn't
> > > physically secure, so I didn't want anyone screwing around). Now, me
> > > being stupid, I didn't reboot after making all these changes to harden
> > > it. So I finally rebooted (with the secure level set to 2) and I found
> > > that I can't run "su." I get the following error:
> > >
> > > $ su -
> > > su: not running setuid
> > >
> > > I can't shutdown since I can't become root, so I pulled the plug and
> > > rebooted into single-user mode. I edited /etc/rc.conf and set
> > > kern_securelevel_enable="NO"
> > >
> > > I rebooted again, but for some reason I still get the same error for
> > > "su."
> > >
> > > So basically, I locked myself out of my box completely. I fail :-(
> > >
> > > su has the following permissions:
> > > -r-sr-xr-x 1 root wheel schg 12240 May 13 13:15 su
> > >
> > > And sudo isn't installed, unfortunately. Any ideas of how to get root
> > > back?
> > >
> > > Thanks!
> >
> > First, you need to make sure that ttyv0 is *not* set to "insecure"
> > in /etc/ttys, so no login/password will be needed in single-user mode:
> >
> > ttyv0 "/usr/libexec/getty Pc" cons25l1 on secure
> >
> > This *should* allow you to use single-user mode once again as root.
> >
> > Then, make sure that any user you want to have su capability is listed
> > in /etc/group under the "wheel" entry:
> >
> > wheel:*:0:root,foouser
> >
> > After that, any other problems you may encounter will have to be dealt
> > with as they arise. Post a followup if you still have trouble.
> >
> > HTH
> >
> > --
> > Conrad J. Sabatier <conrads@cox.net>
>
> Well I do know the root password, so I can get into single user mode
> even though the console is marked insecure. So that's not a problem.
>
> I just checked /etc/group and my username is NOT in the wheel group.
> I'm not in front of the system right now to reboot it into single user
> mode and change /etc/group, but hopefully when I do, it will solve the
> problem. It's weird though, because I've been using this box fine for
> the past two months. I was able to su to root during that time. It's
> very strange that my username's group was changed automatically out of
> the wheel group.
>
> Thank you for your help!

Hm, this is odd. /etc/group contains:

wheel:*:0:root,steve

(My username is "steve")

I rebooted (SecureLevel is still disabled) and logged in as "steve." Then I tried to run "su - root" and I got the same error:

$ su - root
su: not running setuid

But it's weird, because in the permissions for "su" it does have the suid flag:

$ ls -l /usr/bin/ |grep su
-r-sr-xr-x 1 root wheel 12240 May 13 13:15 su

Also, when I dropped to single-user mode, I edited my /etc/login.access and enabled root login on the console. But now when I try to login as root, I get the error:

login: pam_acct_mgmt(): authentication error

I definitely remember what root's password is. I even changed root's password in single-user mode, and it still doesn't let me login.

I don't think the box is compromised; this isn't a production server at all, only a home HTTP/FTP server for personal use.
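A small diagnostic for the situation in this thread, added here as an example (it is not part of the original posts and not a FreeBSD tool): it checks the two local prerequisites the replies walk through, a root-owned setuid su binary and wheel membership, against captured `ls -l` output and /etc/group text rather than live files, so it can be run on a saved listing from any host. The sample values are the ones quoted above; the securelevel argument is passed in by hand.

```sh
#!/bin/sh
# Added example (not from the thread): verify the local prerequisites for
# "su - root" against captured text, so it runs offline on a saved listing.

# su_mode_ok LSLINE
# Succeeds if the ls -l line describes a root-owned file whose mode string
# has 's' in the user-execute slot (4th character), i.e. setuid+exec.
# Works with or without the BSD flags column (schg) that ls -lo shows.
su_mode_ok() {
    set -- $1                      # split the line on whitespace
    mode=$1; owner=$3
    case "$mode" in
        -??s*) [ "$owner" = root ] ;;
        *)     return 1 ;;
    esac
}

# in_wheel GROUPTEXT USER
# Succeeds if USER appears in the member list of the wheel line in GROUPTEXT
# (the contents of /etc/group).
in_wheel() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        $1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }'
}

# diagnose_su LSLINE GROUPTEXT USER SECURELEVEL
# Prints each failed check; returns 0 only when both local checks pass.
# A raised securelevel is reported as a note, since the schg flag seen on su
# in the thread cannot be cleared while it is in effect.
diagnose_su() {
    rc=0
    su_mode_ok "$1" || { echo "su is not a root-owned setuid binary: $1"; rc=1; }
    in_wheel "$2" "$3" || { echo "$3 is not in wheel, so su to root will be refused"; rc=1; }
    if [ "$4" -ge 1 ] 2>/dev/null; then
        echo "kern.securelevel=$4: the schg flag on su cannot be cleared without single-user mode"
    fi
    return $rc
}

# Constructed sample: the listing and wheel entry quoted in this thread.
LS_LINE='-r-sr-xr-x 1 root wheel 12240 May 13 13:15 su'
GROUP_TEXT='wheel:*:0:root,steve
operator:*:5:root'
diagnose_su "$LS_LINE" "$GROUP_TEXT" steve 0 \
    && echo "setuid bit and wheel membership are both fine; the cause is elsewhere"
```

For the values quoted in the thread the script reports both checks as fine, which matches the poster's observation that neither the permissions nor the wheel entry explain the error.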