su not working

 
Martin Wells
Frequent Advisor

su not working

We have an L-Class server running HPUX11. Today if anyone tries to su to another user we get the error
pam_start: Check /etc/pam.conf
su: Sorry
Looking at pam.conf, it's set to 777 but has not been updated since install, so I'm not sure why this would stop working. Also, if the permissions are wrong, how can I change it if I can't get on the servers as root?
Chris Wilshaw
Honored Contributor
Solution

Re: su not working

As a global config file, pam.conf should not be world writable.

As a default, it should be set to 444 (read only)

You also need to check the permissions on /usr/bin/su

This should be 4555, owned by root (setuid enabled with read/execute for all users).

If you can't su to root, your best options are;

1) log in directly as root
2) rlogin as root from a server with suitable host equivalency
3) boot server into single user mode.
Elmar P. Kolkman
Honored Contributor

Re: su not working

And remember that sometimes logging in as root is only allowed from the console...
Every problem has at least one solution. Only some solutions are harder to find.
john korterman
Honored Contributor

Re: su not working

Hi,
the problem could be that the owner/group relationship for the file-inode has been changed by someone; check by "ls -lc /etc/pam.conf". An inode change will not be reflected in a "ls -l".
I know it is an idiotic suggestion if you cannot even log on. And it is only a guess, but judging from the permissions, it could be the problem. However, I do not even dare suggest what is correct, as I have checked the user/group relationship on three different servers for /etc/pam.conf here and they are not even the same.


regards,
John K.
it would be nice if you always got a second chance
Martin Wells
Frequent Advisor

Re: su not working

It does look like a permission problem. From talking to one of our application guys, it turns out he has run a chmod command from / and changed every file on the system to 777!!

Our last good backup is from two nights ago, so I don't really want to have to restore the whole system. Does anyone have/know of a script that can take an input file and change all of the permissions back??
john korterman
Honored Contributor

Re: su not working

Hi again Martin,
I have heard about scripts that can do this for vg00, but hardly for the applications. And even if you go for the script solution, you should be aware that you may not see all problems deriving from this ..eh situation immediately.
I would go for the backup.

regards,
John K.

it would be nice if you always got a second chance
Martin Wells
Frequent Advisor

Re: su not working

Thanks John,

Our backup writes a listing to a file; someone else has written a perl script that will use this file and reset the permissions as they were, so I might give it a go.
regards
john korterman
Honored Contributor

Re: su not working

Hi again,
that sounds better. But what will you do to the application guy?

regards,
John K.
it would be nice if you always got a second chance
Chris Wilshaw
Honored Contributor

Re: su not working

You could try the following - if you have a working server with the same software installed.

***IMPORTANT*** I would advise testing this on an unimportant directory on the server prior to a full run if at all possible. All I can say is it can't really make things any worse.

On the WORKING server;

# strip the "-" placeholders from the permission fields only, so hyphens in file names are kept
find / -type f -exec ll {} \; | awk '{p=substr($0,2,3)":"substr($0,5,3)":"substr($0,8,3); gsub(/-/,"",p); print p":"$NF}' > /tmp/perm_list.txt

This will generate a list of permissions (separated into owner, group and other by a colon), and files, e.g.

rwx:rx:rx:./test/getuser
rw:r::./test/bits/dept
rwx:rwx:rwx:./test/bits/test
rwx:rx::./test/bits/checker
rw:r::./test/bits/1
rw:r::./test/bits/1.c
rw:r::./test/non_patrol
rw:r::./test/sys.lst
rw:r::./test/local.lst
rw:rw:rw:./test/local_ser

This can then be copied to the AFFECTED server.

You can then try the following to set the permissions. *** ENSURE THAT YOU ARE ON THE AFFECTED SERVER ***

# read one "owner:group:other:file" line at a time; anything after the third colon is the file name
while IFS=: read -r USER GROUP OTHER FILE
do
echo "setting file permissions to $USER$GROUP$OTHER for $FILE"
chmod "u=$USER,g=$GROUP,o=$OTHER" "$FILE"
done < perm_list.txt

What this is doing, is taking each line from the list on the working server, and setting the same permissions to the files on the affected server (if they exist).

Hopefully, this will address most of the problems, but if it doesn't work, you will have to look to a full restore.

It may be worth waiting to see if anyone else has comments on this approach before trying it.

Good luck.
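
Added example, not part of any post in this thread: a variant of the capture-and-restore approach above that records each mode in octal, so setuid, setgid and sticky bits (such as the 4555 on /usr/bin/su) survive, and that does a dry run unless told to apply. The function names and the tab-separated list format are assumptions made for this sketch; file names containing newlines are not handled.

```shell
#!/bin/sh
# Added example: permission snapshot and restore using octal modes.

# mode_to_octal "-r-sr-xr-x" prints 4555 (argument is the 10-char ls -l mode)
mode_to_octal() {
    m=$1 special=0 out=""
    for pos in 2 5 8; do                          # owner, group, other triplets
        t=$(printf '%s' "$m" | cut -c"$pos"-$((pos + 2)))
        d=0
        case $t in r??) d=$((d + 4)) ;; esac
        case $t in ?w?) d=$((d + 2)) ;; esac
        case $t in ??[xst]) d=$((d + 1)) ;; esac  # lowercase s/t also mean execute
        case $t in ??[sStT])
            case $pos in
                2) special=$((special + 4)) ;;    # setuid
                5) special=$((special + 2)) ;;    # setgid
                8) special=$((special + 1)) ;;    # sticky
            esac ;;
        esac
        out=$out$d
    done
    printf '%s%s\n' "$special" "$out"
}

# make_list DIR: print "octal<TAB>path" for every regular file under DIR
# (run on the WORKING server, or against a restored copy of the tree)
make_list() {
    find "$1" -type f | while IFS= read -r f; do
        printf '%s\t%s\n' "$(mode_to_octal "$(ls -ld "$f" | cut -c1-10)")" "$f"
    done
}

# restore_list FILE [apply]: report every file whose mode differs from the
# list; change it only when the second argument is "apply"
restore_list() {
    while IFS="$(printf '\t')" read -r mode path; do
        [ -e "$path" ] || { echo "skip (missing): $path" >&2; continue; }
        cur=$(mode_to_octal "$(ls -ld "$path" | cut -c1-10)")
        [ "$cur" = "$mode" ] && continue
        echo "$path: $cur -> $mode"
        if [ "$2" = apply ]; then chmod "$mode" "$path"; fi
    done < "$1"
    return 0
}
```

Running restore_list without "apply" first shows exactly which files would change, which fits the advice above to test on an unimportant directory before a full run.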