Operating System - HP-UX
1834156 Members
2407 Online
110064 Solutions
New Discussion

Re: enable accounts su'able

 
lbdwag
Frequent Advisor

enable accounts su'able

How is this done?

I cannot SU or SUDO from my account, even though I did add my account to the group that is suppose to have SU rights. At the moment I cannot think of where/which file this is controlled by.

-- Don
13 REPLIES 13
Pete Randall
Outstanding Contributor

Re: enable accounts su'able

There is a "SU_ROOT_GROUP" parameter in the /etc/default/security file which would mean you have to be a member of a certain group in order to su. Take a look at that.


Pete

Pete
Patrick Wallek
Honored Contributor

Re: enable accounts su'able

All account can 'su' to another account, IF you know the password.

The only account that can 'su' to another account without a password is root.

If you want to use 'sudo' to do this you must edit the sudoers file appropriately. This should be done with the 'visudo' command.

What specifically have you tried and what error messages are you getting?
Patrick Wallek
Honored Contributor

Re: enable accounts su'able

The SU_ROOT_GROUP is applicable only when su'ing to root. Only members of the group as defined in /etc/default/security would be allowed to su to root.
lbdwag
Frequent Advisor

Re: enable accounts su'able

I have the "SU_ROOT_GROUP" parameter in the /etc/default/security set to a group that I created, since wheel was/is not defined on my system. My account is a member of this group, and I know the root password. Is there something else that I am missing/not understanding?
-- Don
Patrick Wallek
Honored Contributor

Re: enable accounts su'able

What exactly are you trying to do? What happens when you do it?

A copy/paste of the commands issued and errors received would be helpful.
lbdwag
Frequent Advisor

Re: enable accounts su'able

$ su
Password:
su: Sorry

$ su - root
Password:
su: Sorry



These work:

$ su - anotheruser
Password:
(c)Copyright 1983-2006 Hewlett-Packard Development Company, L.P.
(c)Copyright 1979, 1980, 1983, 1985-1993 The Regents of the Univ. of California
(c)Copyright 1980, 1984, 1986 Novell, Inc.
(c)Copyright 1986-2000 Sun Microsyst



$ su - myaccount
Password:
(c)Copyright 1983-2006 Hewlett-Packard Development Company, L.P.
(c)Copyright 1979, 1980, 1983, 1985-1993 The Regents of the Univ. of California
(c)Copyright 1980, 1984, 1986 Novell, Inc.
(c)Copyright 1986-2000 Sun Microsyst

-- Don
Bill Hassell
Honored Contributor

Re: enable accounts su'able

> $ su
> Password:
> su: Sorry

Looks like a bad password...su (unlike sudo) does not have a permission configuration (except in /etc/default/security if present). Can anyone else use su to login as root? Make sure that su is really su:

type su
su is /usr/bin/su
what /usr/bin/su
/usr/bin/su:
$Revision: @(#) su R11.11_BL2006_0308_2 PATCH_11.11 PHCO_34545

sudo is completely different and your ability to run a command as root is governed by the sudoers file. The system administrator controls the contents of the sudoers file.



Bill Hassell, sysadmin
lbdwag
Frequent Advisor

Re: enable accounts su'able

here is my output:

$ type su
su is /usr/bin/su
$ what /usr/bin/su
/usr/bin/su:
$Revision: B.11.31_LR


I have 2 accounts on this box, and neither can su.

For sudo, I guess we/you/whoevertheadminis just needs to create the sudoers file, since it is not on the system by default?
-- Don
Patrick Wallek
Honored Contributor

Re: enable accounts su'able

If you have installed sudo, then the sudoers file will be somewhere. Depending on the package it could be /etc/sudoers or /usr/local/etc/sudo/sudoers or /opt/iexpress/sudo/etc/sudoers.

If you do not have a sudoers file, then I would guess that sudo is not actually installed.

When you su above, you are using the password for 'root' there, correct?
lbdwag
Frequent Advisor

Re: enable accounts su'able

Yes I am using the root password.
-- Don
lbdwag
Frequent Advisor

Re: enable accounts su'able

Ok, the deal with this is/was the password. I changed it and su worked, then changed it back to the original password and it still worked.

We had issues with the root password when we installed the system and had to reset it in simple/single user mode. I guess if I really wanted to see if that is what caused the issue would be to go in and set it via that mode and see if it breaks SU...
-- Don
Patrick Wallek
Honored Contributor

Re: enable accounts su'able

When you set the password in single user mode (NOTE: There is no simple user mode) were there any special characters in your password? Was this done from the console?

If there were special characters, then they may have, unknown to you, interacted with the terminal and caused some unexpected behavior.

See the WARNINGS section of the passwd man page for characters to avoid in your passwords.
lbdwag
Frequent Advisor

Re: enable accounts su'able

yes there were special characters, and they were set over iLO, yet another possible issue.

Sometimes the simplest of issues can be so frustrating.
-- Don