HPE Community
Operating System - HP-UX
1834156 Members
2407 Online
110064 Solutions
New Discussion

Re: enable accounts su'able

 
lbdwag
Frequent Advisor

‎07-14-2008 06:21 AM

‎07-14-2008 06:21 AM

enable accounts su'able

How is this done?

I cannot SU or SUDO from my account, even though I did add my account to the group that is suppose to have SU rights. At the moment I cannot think of where/which file this is controlled by.

-- Don
0 Kudos
Reply
13 REPLIES 13
Pete Randall
Outstanding Contributor

‎07-14-2008 06:31 AM

‎07-14-2008 06:31 AM

Re: enable accounts su'able

There is a "SU_ROOT_GROUP" parameter in the /etc/default/security file which would mean you have to be a member of a certain group in order to su. Take a look at that.


Pete

Pete
0 Kudos
Reply
Patrick Wallek
Honored Contributor

‎07-14-2008 06:33 AM

‎07-14-2008 06:33 AM

Re: enable accounts su'able

All account can 'su' to another account, IF you know the password.

The only account that can 'su' to another account without a password is root.

If you want to use 'sudo' to do this you must edit the sudoers file appropriately. This should be done with the 'visudo' command.

What specifically have you tried and what error messages are you getting?
0 Kudos
Reply
Patrick Wallek
Honored Contributor

‎07-14-2008 06:35 AM

‎07-14-2008 06:35 AM

Re: enable accounts su'able

The SU_ROOT_GROUP is applicable only when su'ing to root. Only members of the group as defined in /etc/default/security would be allowed to su to root.
0 Kudos
Reply
lbdwag
Frequent Advisor

‎07-14-2008 06:48 AM

‎07-14-2008 06:48 AM

Re: enable accounts su'able

I have the "SU_ROOT_GROUP" parameter in the /etc/default/security set to a group that I created, since wheel was/is not defined on my system. My account is a member of this group, and I know the root password. Is there something else that I am missing/not understanding?
-- Don
0 Kudos
Reply
Patrick Wallek
Honored Contributor

‎07-14-2008 07:42 AM

‎07-14-2008 07:42 AM

Re: enable accounts su'able

What exactly are you trying to do? What happens when you do it?

A copy/paste of the commands issued and errors received would be helpful.
0 Kudos
Reply
lbdwag
Frequent Advisor

‎07-14-2008 07:57 AM

‎07-14-2008 07:57 AM

Re: enable accounts su'able

$ su
Password:
su: Sorry

$ su - root
Password:
su: Sorry



These work:

$ su - anotheruser
Password:
(c)Copyright 1983-2006 Hewlett-Packard Development Company, L.P.
(c)Copyright 1979, 1980, 1983, 1985-1993 The Regents of the Univ. of California
(c)Copyright 1980, 1984, 1986 Novell, Inc.
(c)Copyright 1986-2000 Sun Microsyst



$ su - myaccount
Password:
(c)Copyright 1983-2006 Hewlett-Packard Development Company, L.P.
(c)Copyright 1979, 1980, 1983, 1985-1993 The Regents of the Univ. of California
(c)Copyright 1980, 1984, 1986 Novell, Inc.
(c)Copyright 1986-2000 Sun Microsyst
-- Don
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎07-14-2008 11:34 AM

‎07-14-2008 11:34 AM

Re: enable accounts su'able

> $ su
> Password:
> su: Sorry

Looks like a bad password...su (unlike sudo) does not have a permission configuration (except in /etc/default/security if present). Can anyone else use su to login as root? Make sure that su is really su:

type su
su is /usr/bin/su
what /usr/bin/su
/usr/bin/su:
$Revision: @(#) su R11.11_BL2006_0308_2 PATCH_11.11 PHCO_34545

sudo is completely different and your ability to run a command as root is governed by the sudoers file. The system administrator controls the contents of the sudoers file.



Bill Hassell, sysadmin
0 Kudos
Reply
lbdwag
Frequent Advisor

‎07-14-2008 11:38 AM

‎07-14-2008 11:38 AM

Re: enable accounts su'able

here is my output:

$ type su
su is /usr/bin/su
$ what /usr/bin/su
/usr/bin/su:
$Revision: B.11.31_LR


I have 2 accounts on this box, and neither can su.

For sudo, I guess we/you/whoevertheadminis just needs to create the sudoers file, since it is not on the system by default?
-- Don
0 Kudos
Reply
Patrick Wallek
Honored Contributor

‎07-14-2008 11:51 AM

‎07-14-2008 11:51 AM

Re: enable accounts su'able

If you have installed sudo, then the sudoers file will be somewhere. Depending on the package it could be /etc/sudoers or /usr/local/etc/sudo/sudoers or /opt/iexpress/sudo/etc/sudoers.

If you do not have a sudoers file, then I would guess that sudo is not actually installed.

When you su above, you are using the password for 'root' there, correct?
0 Kudos
Reply
lbdwag
Frequent Advisor

‎07-14-2008 12:07 PM

‎07-14-2008 12:07 PM

Re: enable accounts su'able

Yes I am using the root password.
-- Don
0 Kudos
Reply
lbdwag
Frequent Advisor

‎07-15-2008 10:17 AM

‎07-15-2008 10:17 AM

Re: enable accounts su'able

Ok, the deal with this is/was the password. I changed it and su worked, then changed it back to the original password and it still worked.

We had issues with the root password when we installed the system and had to reset it in simple/single user mode. I guess if I really wanted to see if that is what caused the issue would be to go in and set it via that mode and see if it breaks SU...
-- Don
0 Kudos
Reply
Patrick Wallek
Honored Contributor

‎07-15-2008 10:54 AM

‎07-15-2008 10:54 AM

Re: enable accounts su'able

When you set the password in single user mode (NOTE: There is no simple user mode) were there any special characters in your password? Was this done from the console?

If there were special characters, then they may have, unknown to you, interacted with the terminal and caused some unexpected behavior.

See the WARNINGS section of the passwd man page for characters to avoid in your passwords.
0 Kudos
Reply
lbdwag
Frequent Advisor

‎07-15-2008 10:56 AM

‎07-15-2008 10:56 AM

Re: enable accounts su'able

yes there were special characters, and they were set over iLO, yet another possible issue.

Sometimes the simplest of issues can be so frustrating.
-- Don
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.