Date: Tue, 29 May 2007 07:43:02 +0800
From: "Daniel Marsh"
To: Schiz0
Cc: jerrymc@msu.edu, "Conrad J. Sabatier", freebsd-questions@freebsd.org
Subject: Re: Locked Myself Out - Cannot "su"

On 5/29/07, Schiz0 wrote:
>
> On 5/27/07, Schiz0 wrote:
> > On 5/27/07, Conrad J. Sabatier wrote:
> > > On Sun, 27 May 2007 19:17:20 -0400
> > > Schiz0 wrote:
> > >
> > > > This is one of those things where after you realize what you've done,
> > > > you just want to smack yourself.
> > > >
> > > > I've been working on hardening my FreeBSD 6.2-Stable box. I disabled
> > > > root login from everywhere, including the console (The box isn't
> > > > physically secure, so I didn't want anyone screwing around). Now, me
> > > > being stupid, didn't reboot after making all these changes to harden
> > > > it. So I finally rebooted (With the secure level set to 2) and I found
> > > > that I can't run "su." I get the following error:
> > > >
> > > > $ su -
> > > > su: not running setuid
> > > >
> > > > I can't shutdown since I can't become root, so I pulled the plug and
> > > > rebooted into single-user mode. I edited /etc/rc.conf and set
> > > > kern_securelevel_enable="NO"
> > > >
> > > > I rebooted again, but for some reason I still get the same error for
> > > > "su."
> > > >
> > > > So basically, I locked myself out of my box completely. I fail :-(
> > > >
> > > > su has the following permissions:
> > > > -r-sr-xr-x 1 root wheel schg 12240 May 13 13:15 su
> > > >
> > > > And sudo isn't installed, unfortunately. Any ideas of how to get root
> > > > back?
> > > >
> > > > Thanks!
> > > >
> > > First, you need to make sure that ttyv0 is *not* set to "insecure"
> > > in /etc/ttys, so no login/password will be needed in single-user mode:
> > >
> > > ttyv0 "/usr/libexec/getty Pc" cons25l1 on secure
> > >
> > > This *should* allow you to use single-user mode once again as root.
> > >
> > > Then, make sure that any user you want to have su capability is listed
> > > in /etc/group under the "wheel" entry:
> > >
> > > wheel:*:0:root,foouser
> > >
> > > After that, any other problems you may encounter will have to be dealt
> > > with as they arise. Post a followup if you still have trouble.
> > >
> > > HTH
> > >
> > > --
> > > Conrad J. Sabatier
> > >
> >
> > Well I do know the root password, so I can get into single user mode
> > even though the console is marked insecure. So that's not a problem.
> >
> > I just checked /etc/group and my username is NOT in the wheel group.
> > I'm not in front of the system right now to reboot it into single user
> > mode and change /etc/group, but hopefully when I do, it will solve the
> > problem. It's weird though, because I've been using this box fine for
> > the past two months. I was able to su to root during that time. It's
> > very strange that my username's group was changed automatically out of
> > the wheel group.
> >
> > Thank you for your help!
> >
>
> Hm, this is odd. /etc/group contains:
> wheel:*:0:root,steve
> (My username is "steve")
>
> I rebooted (SecureLevel is still disabled) and logged in as "steve."
> Then I tried to run "su - root" and I got the same error:
> $ su - root
> su: not running setuid
>
> But it's weird, because in the permissions for "su" it does have the suid flag:
> $ ls -l /usr/bin/ |grep su
> -r-sr-xr-x 1 root wheel 12240 May 13 13:15 su
>
> Also, when I dropped to single-user mode, I edited my
> /etc/login.access and enabled root login on the console. But now
> when I try to login as root, I get the error:
> login: pam_acct_mgmt(): authentication error
>
> I definitely remember what root's password is. I even changed root's
> password in single-user mode, and it still doesn't let me login. I
> don't think the box is compromised; this isn't a production server at
> all, only a home HTTP/FTP server for personal use.
>

Have you mounted any file systems with the nosuid flag?
Type: mount to check.

Also have a look in your /etc/fstab

If you have mounted a filesystem with nosuid then regardless of the flags on
the file it won't run as suid.

Thanks
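
The nosuid check suggested in the reply above, as an added example that is not part of the original message: a POSIX sh helper that finds which fstab entry holds a given binary and whether that entry carries nosuid. The sample fstab and the function names fs_for_path, is_nosuid and check are constructed for illustration.

```shell
#!/bin/sh
# Added example: does the filesystem holding PATH carry "nosuid" in fstab?

# Constructed sample fstab (not from the thread); /usr is mounted nosuid.
SAMPLE_FSTAB='# Device     Mountpoint  FStype  Options           Dump  Pass#
/dev/ad0s1b  none        swap    sw                0     0
/dev/ad0s1a  /           ufs     rw                1     1
/dev/ad0s1e  /tmp        ufs     rw,nosuid,noexec  2     2
/dev/ad0s1f  /usr        ufs     rw,nosuid         2     2
/dev/ad0s1d  /var        ufs     rw                2     2'

# fs_for_path FSTAB_TEXT PATH
# Prints "<mountpoint> <options>" for the longest mount point that is a
# whole-component prefix of PATH (so /usr does not match /usrlocal).
fs_for_path() {
    printf '%s\n' "$1" | awk -v p="$2" '
        /^[[:space:]]*#/ || NF < 4 { next }   # comments, short lines
        $2 !~ /^\// { next }                  # swap and other non-path entries
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best) { best = length(mp); out = mp " " $4 }
            }
        }
        END { if (best) print out }'
}

# is_nosuid FSTAB_TEXT PATH: exit status 0 when PATH sits on a nosuid mount.
is_nosuid() {
    opts=$(fs_for_path "$1" "$2" | awk '{ print $2 }')
    case ",$opts," in
        *,nosuid,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# check FSTAB_TEXT PATH: human-readable verdict for one binary.
check() {
    if is_nosuid "$1" "$2"; then
        echo "$2: nosuid filesystem, setuid bit will be ignored"
    else
        echo "$2: filesystem permits setuid"
    fi
}

check "$SAMPLE_FSTAB" /usr/bin/su
check "$SAMPLE_FSTAB" /bin/ls
```

On a live system, pass "$(cat /etc/fstab)" as the first argument. fstab lists the configured options only; `mount` reports the options actually in effect, in a different format that this helper does not parse.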