# su without password [solved]

## Adel Ahmed

I'm installing Gentoo on a new machine; I'm using systemd:

```
[ebuild   R    ] sys-libs/pam-1.2.1::gentoo  USE="-audit -berkdb -cracklib -debug -nis -nls -pie (-selinux) {-test} -vim-syntax" ABI_X86="(64) -32 (-x32)" 1,729 KiB
[ebuild   R    ] sys-apps/systemd-226-r2:0/2::gentoo  USE="kdbus kmod pam policykit -acl (-apparmor) -audit -cryptsetup -curl -elfutils -gcrypt -gnuefi -http -idn -importd -lz4 -lzma -nat -qrcode -seccomp (-selinux) -ssl -sysv-utils {-test} -vanilla -xkb" ABI_X86="32 (64) (-x32)" 3,823 KiB
```

and I added the following line to pam.d/su (the bold line):

```
auth       sufficient   pam_rootok.so
#auth       required     pam_wheel.so use_uid
auth       include              system-auth
account    include              system-auth
password   include              system-auth
session    include              system-auth
session    required     pam_env.so
session    optional             pam_xauth.so
auth sufficient pam_wheel.so use_uid trust
```

this is the same as my other laptop (except pam.d has only that 1 line, which I had tried with no luck) as I keep getting prompted for the root password

thanks

Last edited by Adel Ahmed on Sun Jun 05, 2016 6:59 pm; edited 1 time in total

----------

## Syl20

AFAIK, pam_rootok authorizes su without password from root to another user, not the opposite.

You can do the opposite in two ways:

1/ add this in /etc/pam.d/su (below the pam_rootok line):

```
auth       sufficient   pam_succeed_if.so use_uid user = your_user
```

2/ use sudo.

----------

## Adel Ahmed

I don't want to use sudo

unfortunately adding that line did not work, I see nothing in journalctl except for:

```
Jun 03 18:59:48 g50-80 su[17604]: Successful su for root by adel
Jun 03 18:59:48 g50-80 su[17604]: + /dev/pts/7 adel:root
```

----------

## Syl20

That's strange. Did you add the line just below the pam_rootok line, i.e. above the include line?

If so, pam_succeed_if has a debug option:

```
auth       sufficient   pam_succeed_if.so debug use_uid user = adel
```

You can try to use the pam_wheel module instead. Add your user to the wheel group, and this to /etc/pam.d/su (again, just below the pam_rootok line):

```
auth sufficient pam_wheel.so trust use_uid 
```

----------

## Adel Ahmed

strange indeed

```
auth       sufficient   pam_rootok.so
auth sufficient pam_wheel.so trust use_uid
#auth       sufficient   pam_succeed_if.so debug use_uid user = adel
#auth       required     pam_wheel.so use_uid
auth       include              system-auth
account    include              system-auth
password   include              system-auth
session    include              system-auth
session    required     pam_env.so
session    optional             pam_xauth.so
auth sufficient pam_wheel.so use_uid trust
```

I've tried both and I get nothing, thing is the wheel bit is working on another machine, what are the chances things are not working because of a missing use flag or anything machine specific (apart from configuration)?

----------

## Adel Ahmed

figured the problem out, the shadow package was installed without the pam flag

----------
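An added example, not written by anyone in the thread: a small audit of the `auth` stack in a `pam.d/su` file that lists every rule able to grant `su` without a password and reports whether its position lets it take effect, following the "just below the pam_rootok line" advice above. The function names are hypothetical, and the sample input is the second configuration posted in the thread.

```python
import re

# The second /etc/pam.d/su posted in the thread, embedded as sample input.
SAMPLE_SU = """\
auth       sufficient   pam_rootok.so
auth sufficient pam_wheel.so trust use_uid
#auth       sufficient   pam_succeed_if.so debug use_uid user = adel
#auth       required     pam_wheel.so use_uid
auth       include              system-auth
account    include              system-auth
password   include              system-auth
session    include              system-auth
session    required     pam_env.so
session    optional             pam_xauth.so
auth sufficient pam_wheel.so use_uid trust
"""

LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def auth_stack(text):
    """Active (uncommented) 'auth' lines as (lineno, control, module, args)."""
    stack = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1) == "auth":
            stack.append((lineno, m.group(2), m.group(3), m.group(4).split()))
    return stack

def passwordless_rules(text):
    """Return (lineno, module, takes_effect) for rules that can skip the password.

    Assumption: the password prompt comes from the first auth line that is
    neither 'sufficient' nor 'optional' (here 'include system-auth'), so a
    sufficient rule placed after it runs too late to suppress the prompt.
    """
    found, prompt_seen = [], False
    for lineno, control, module, args in auth_stack(text):
        if control == "sufficient":
            grants = (module == "pam_wheel.so" and "trust" in args) or module == "pam_succeed_if.so"
            if grants:
                found.append((lineno, module, not prompt_seen))
        elif control != "optional":
            prompt_seen = True
    return found

if __name__ == "__main__":
    for lineno, module, ok in passwordless_rules(SAMPLE_SU):
        print(f"line {lineno}: {module} -> {'skips password' if ok else 'after the prompt, no effect'}")
```

The result only describes real behaviour when `su` is built with PAM support; as the thread's resolution shows, a shadow package installed without the pam flag ignores this file entirely.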

