# Can't su. wheel ok, kernel ok, perms ok, [solved]

## Pergamon

Trying to su as a user 'myuser' who is in group wheel fails with

```
su: Authentication failure.

Sorry.
```

I did an extensive search, but found no answer.

ls -l /bin/su:

```
-rws--x--x  1 root root 24380 Nov 16 13:59 /bin/su
```

/etc/group:

```
wheel::10:root,myuser
audio::18:myuser
games::35:myuser
users::100:games,myuser
```

/etc/passwd:

```
myuser:x:1000:100::/home/myuser:/bin/bash
```

The system is up-to-date ~x86 and the kernel (2.6.9) contains PTYs:

```
CONFIG_SERIAL_CORE=y
CONFIG_UNIX98_PTYS=y
CONFIG_LEGACY_PTYS=y
CONFIG_LEGACY_PTY_COUNT=256
```

I followed the recommendation in Problems with PAM, and commented out DISPLAY, REMOTEHOST and XAUTHORITY in /etc/security/pam_env.conf.

/var/log/messages shows:

```
Nov 16 14:43:16 mycomp unix_chkpwd[28540]: check pass; user unknown
Nov 16 14:43:16 mycomp su(pam_unix)[28539]: authentication failure; logname=LOGIN uid=1000 euid=1000 tty=tty2 ruser=myuser rhost=  user=root
Nov 16 14:43:18 mycomp su[28539]: pam_authenticate: Authentication failure
```

I did re-emerge PAM PAM-LOGIN and SHADOW, no effect.

Any clues?

----------

## timezone

What does your /etc/securetty look like?  

That file "...lists ttys from which root can log in."

Make sure you didn't miss this step:

 *Quote:*   

> If you want root to be able to log on through the serial console, add tts/0 to /etc/securetty:
> 
> Code Listing 23: Adding tts/0 to /etc/securetty
>
> ```
> # echo "tts/0" >> /etc/securetty
> ```

 

http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=8

----------

## pjp

/etc/securetty shouldn't affect su.  Logging in via console isn't the same as su.

----------

## Pergamon

 *Quote:*   

> What does your /etc/securetty look like?
>
> that file "...lists ttys from which root can log in."
>
> Make sure you didn't miss this step:
> ...

 

My /etc/securetty already contained this:

```
...
tts/0
ttyS0
```

This does not seem to be the problem...

----------

## pjp

Did this happen suddenly, or is this a new install, etc., etc.?  If it was working on an 'older' install, can you think of anything you've done recently?

 *Pergamon wrote:*   

> The system is up-to-date ~x86

 I'm wondering if using stable packages would make a difference.

----------

## Pergamon

This happened on a new install. I started to install Gentoo on my laptop with XP as second OS on it. The install got interrupted some weeks ago (without ever booting into the installation) and yesterday I continued the installation, restarting after phase 1 bootstrap. I did, however, make quite some changes to USE flags during installation. This might have messed up things? Currently, I am doing an "emerge -e world" to make sure everything fits together. But I fear that the inability to 'su' is caused by some misconfigured configuration file and will not be solved by re-emerging.

----------

## Pergamon

Now I have completely rebuilt my entire Gentoo system - but the error remains. The user 'myuser' still cannot 'su'. If someone has suggestions how to further trace this down, that would be great!

----------

## pjp

Did you compile grsecurity into the kernel?

----------

## Pergamon

 *pjp wrote:*   

> Did you compile grsecurity into the kernel?

 

None of the security options is included in the kernel.

----------

## Pergamon

The root file system was mounted with options "users,exec" in fstab. This seems to be another way to break su :)

```
/dev/hda1               /               ext3            users,exec         0 0
```

I just removed those options (which were introduced by copying an fstab auto-created by a Knoppix boot CD) and: su works again!

```
/dev/hda1               /               ext3            noatime         0 0
```

Thanks everybody for the help along the way!

----------
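Added example, not part of the thread: mount(8) documents that `user` and `users` imply `noexec`, `nosuid` and `nodev` unless a later option overrides them, so `users,exec` leaves `nosuid` in force and the set-uid bit on /bin/su is ignored (the log above shows `euid=1000`). The sketch below resolves that option ordering for each fstab line; the function names and every sample line except the two taken from the thread are constructed for illustration.

```shell
#!/bin/sh
# effective_suid OPTS -> prints "suid" or "nosuid" for one fstab option string.
# Options are applied left to right, so a later "suid" overrides an earlier
# "users", and a later "users" overrides an earlier "suid".
effective_suid() {
    state=suid                       # default when nothing says otherwise
    old_ifs=$IFS; IFS=,
    for opt in $1; do
        case $opt in
            nosuid|user|users|owner|group) state=nosuid ;;  # all imply nosuid
            suid)                          state=suid ;;    # explicit override
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$state"
}

# nosuid_mounts: reads fstab-format lines on stdin and prints every mount
# point whose options leave set-uid binaries (su, passwd, ...) ineffective.
nosuid_mounts() {
    while read -r dev mnt fstype opts rest; do
        case $dev in ''|\#*) continue ;; esac   # skip blanks and comments
        if [ "$(effective_suid "$opts")" = nosuid ]; then
            printf '%s\n' "$mnt"
        fi
    done
    return 0
}

# Constructed sample input; only the /dev/hda1 option strings are from the thread.
sample_fstab() {
    cat <<'EOF'
# <fs>      <mountpoint>  <type>   <opts>           <dump/pass>
/dev/hda1   /             ext3     users,exec       0 0
/dev/hda2   /home         ext3     noatime          0 0
/dev/hda3   /opt          ext3     users,exec,suid  0 0
/dev/cdrom  /mnt/cdrom    iso9660  noauto,user,ro   0 0
EOF
}

sample_fstab | nosuid_mounts   # prints "/" and "/mnt/cdrom"
```

On a live system, `nosuid_mounts < /etc/fstab` shows what the configuration will produce, and `nosuid_mounts < /proc/mounts` shows what is currently in effect, since the kernel lists `nosuid` explicitly there.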

