# Does su read /etc/suauth under gentoo?

## Wes

I have no trouble doing an "su root", but when I tried to change things around by creating an /etc/suauth file, it made no difference to the behavior of su.  In particular, I'm still challenged for a password even when (for user "foo") I put this line in /etc/suauth:

```
root:foo:NOPASS
```

Even doing this made no difference to anything.

```
root:foo:DENY
```

It looks as if, contrary to the man page, su does not check /etc/suauth.

Does anybody know anything about this?  Does gentoo, perhaps, compile su in a way that blocks the behavior described in the man page for suauth?

Thanks in advance for any info.

Wes

----------

## klieber

suauth was one thing we couldn't get working on the forums server.  Just a SWAG, but have you tried placing the suauth file in either /etc/su/suauth or /etc/suauth/suauth?  Most of the other daemons have their config files stored within a subdir in /etc, so maybe that's what Gentoo is looking for.  (again, that's a SWAG, so don't expect wonders  :Smile: )

Either way, I'd file a bug report on it (after first checking to see if one has already been filed)

--kurt

----------

## Wes

Ok, I tried creating subdirectories - /etc/su/, /etc/suauth/, /etc/su.d/ - and putting suauth there.  It didn't work.  As far as I can see, this su simply doesn't read suauth.  Maybe that behavior is switched off.

Thanks for the suggestion!

----------

## trippeh

It's controlled through PAM, not suauth.

----------

## Wes

Thanks for the info.  So the answer is no, and I need to look into PAM instead.  

I've always found PAM rather intimidating.  Would you happen to know offhand what the "su" file in /etc/pam.d should look like if I want a certain user to be able to su to root without entering a password?

----------

## Nitro

I did some research, and if you compile the shadow package (the package that supplies su and everything for /etc/passwd and /etc/group) with pam, you don't get suauth.  I could hack the configure script and change that, but the developers did it for a reason.

Anywho, the solution is in PAM as many of you have already determined.  The following works for me, and works as expected.  I tested all exceptions I could think of, but then again it is 1:00 in the morning and I might have overlooked something.

And here it is: Edit /etc/pam.d/su, after

```
auth       sufficient   /lib/security/pam_rootok.so
```

 add 

```
auth       sufficient   /lib/security/pam_listfile.so item=ruser \
                        onerr=fail sense=allow file=/etc/security/su-nopass
```

Create a /etc/security/su-nopass file, and put one username per line in it.  Only put users that you want to have access to root without a password.

Double check the permissions on the file; we don't want it world writable, and world readable is a matter of personal preference.

Basically, the above says that any user in the su-nopass file is allowed to su without entering a password.

You could move the pam_wheel module before the pam_listfile line to require the user to belong to the wheel group.   Again, this is personal preference based on security needs.

Hope it works, tell me what you think.  Tell me if there are any flaws.
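The post above describes an auth stack whose outcome depends on module order, the `sufficient`/`required` control flags, and the state of the su-nopass file. The following is an added example (not code from the thread or from the shadow/PAM projects) that parses a config in the same format and walks it with deliberately simplified control-flag semantics, so you can see who gets through without a password and which module decided. The module behaviours are toy models: `pam_rootok` succeeds for uid 0, `pam_wheel` checks membership in a "wheel" group, `pam_unix` is reduced to a `password_ok` flag, and `pam_listfile` honours `item=ruser`, `sense`, `onerr` and treats a missing or world-writable list file as an error. `Ctx`, `FakeFile`, the sample config text and the usernames are all constructed for the example.

```python
"""Toy evaluator for the auth section of an /etc/pam.d/su file (added example, not real PAM)."""
import shlex
from dataclasses import dataclass, field

# Constructed sample mirroring the stack described in the post (pam_unix added as the
# fallback that actually asks for a password).
SAMPLE_PAM_SU = """
auth       sufficient   /lib/security/pam_rootok.so
auth       sufficient   /lib/security/pam_listfile.so item=ruser \\
                        onerr=fail sense=allow file=/etc/security/su-nopass
auth       required     /lib/security/pam_unix.so
"""

# Variant with pam_wheel in front, as the post suggests for requiring wheel membership.
SAMPLE_PAM_SU_WHEEL = """
auth       sufficient   /lib/security/pam_rootok.so
auth       required     /lib/security/pam_wheel.so use_uid
auth       sufficient   /lib/security/pam_listfile.so item=ruser \\
                        onerr=fail sense=allow file=/etc/security/su-nopass
auth       required     /lib/security/pam_unix.so
"""


@dataclass
class FakeFile:
    """A file as the toy sees it: contents plus a Unix mode (constructed, not read from disk)."""
    text: str
    mode: int = 0o640


@dataclass
class Ctx:
    """Who is calling su, and what the toy 'system' looks like (all constructed)."""
    ruser: str
    uid: int
    groups: tuple = ()
    password_ok: bool = False
    files: dict = field(default_factory=dict)


def parse_pam(text):
    """Join backslash continuations, drop comments, return (control, module, opts) for auth lines."""
    joined = text.replace("\\\n", " ")
    rules = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        typ, control, module, *args = shlex.split(line)
        if typ != "auth":
            continue
        opts = dict(a.split("=", 1) if "=" in a else (a, True) for a in args)
        rules.append((control, module.rsplit("/", 1)[-1], opts))
    return rules


def run_module(name, opts, ctx):
    """Toy model of each module's success/failure; real modules do much more."""
    if name == "pam_rootok.so":
        return ctx.uid == 0
    if name == "pam_wheel.so":
        return "wheel" in ctx.groups
    if name == "pam_unix.so":
        return ctx.password_ok
    if name == "pam_listfile.so":
        if opts.get("item") != "ruser":
            raise ValueError("toy only models item=ruser")
        f = ctx.files.get(opts.get("file"))
        if f is None or f.mode & 0o002:          # missing or world-writable list file
            return opts.get("onerr") == "succeed"  # onerr=fail (the post's setting) -> failure
        listed = ctx.ruser in f.text.split()
        return listed if opts.get("sense", "allow") == "allow" else not listed
    raise ValueError(f"module not modelled: {name}")


def evaluate(config_text, ctx):
    """Walk the auth stack; return (allowed, name of the module that decided).

    Simplified semantics: 'sufficient' success ends the stack with success unless a
    'required' module already failed; 'required' failure is remembered but the stack
    continues; 'requisite' failure ends the stack immediately; 'optional' is ignored.
    """
    failed = None
    for control, name, opts in parse_pam(config_text):
        ok = run_module(name, opts, ctx)
        if control == "sufficient":
            if ok and failed is None:
                return True, name
        elif control == "required":
            if not ok and failed is None:
                failed = name
        elif control == "requisite":
            if not ok:
                return False, name
        elif control != "optional":
            raise ValueError(f"unknown control flag: {control}")
    return (failed is None), (failed or "end-of-stack")


if __name__ == "__main__":
    files = {"/etc/security/su-nopass": FakeFile("foo\n")}
    for who in (Ctx("root", 0, files=files), Ctx("foo", 1000, files=files),
                Ctx("bar", 1001, files=files)):
        print(who.ruser, evaluate(SAMPLE_PAM_SU, who))
```

Running the block shows root passing via `pam_rootok`, `foo` passing via `pam_listfile` with no password, and `bar` falling through to `pam_unix`. Changing the list file's mode to 0o666 or removing it makes `foo` need a password again, which is the point of the `onerr=fail` setting and of the permission check in the post; with the wheel variant, a listed user outside the wheel group is refused even though `pam_listfile` succeeds, because the earlier `required` failure wins.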

----------

## Wes

Thanks so much.  It worked perfectly, and exactly as advertised!

----------

## WladyX

Thanks very much, helped me also  :Very Happy: 

----------

