RE: Granting su rights to users? Using PAM and Kerberos...

From: Daniel B. Thurman (dant_at_cdkkt.com)
Date: 11/22/05

  • Next message: Paul Michael Reilly: "Axis 1.3 installation issues on Fedora Core 4"
    Date: Tue, 22 Nov 2005 07:26:22 -0800
    To: "For users of Fedora Core releases" <fedora-list@redhat.com>
    
    

    >-----Original Message-----
    >From: fedora-list-bounces@redhat.com
    >[mailto:fedora-list-bounces@redhat.com]On Behalf Of Craig White
    >Sent: Monday, November 21, 2005 7:15 PM
    >To: For users of Fedora Core releases
    >Subject: RE: Granting su rights to users? Using PAM and Kerberos...
    >
    >
    >On Mon, 2005-11-21 at 17:47 -0800, Daniel B. Thurman wrote:
    >
    >>
    >> I have used the gui-based authentication tool with the
    >> authentication tab and selected everything but the Winbind
    >> support, and now when I try to su to root as a normal user,
    >> I get the message:
    >>
    >> # su: cannot set groups: No such file or directory
    >>
    >> In the /var/log/messages file, it says:
    >>
    >> Nov 21 17:05:48 linux su(pam_unix)[5728]: authentication failure; logname= uid=500 euid=500 tty=pts/4 ruser=dant rhost= user=root
    >> Nov 21 17:05:48 linux su[5728]: pam_krb5[5728]: authentication succeeds for 'root' (root@CDKKT.COM)
    >> Nov 21 17:05:48 linux su(pam_unix)[5728]: ERROR 0:Success
    >> Nov 21 17:05:48 linux su(pam_unix)[5728]: session opened for user root by (uid=500)
    >> Nov 21 17:05:48 linux su[5728]: Warning! Could not relabel /dev/pts/4 with root:object_r:devpts_t, not relabeling. Operation not permitted
    >> Nov 21 17:05:48 linux su(pam_unix)[5735]: session closed for user root
    >> Nov 21 17:05:48 linux su[5728]: pam_krb5[5728]: error removing ccache file '/tmp/krb5cc_0_RNoyDV'
    >> Nov 21 17:05:48 linux su(pam_unix)[5728]: session closed for user root
    >> Nov 21 17:05:48 linux su[5728]: pam_krb5[5728]: error removing ccache file '/tmp/krb5cc_0_RNoyDV'
    >>
    >> So, it appears that PAM is somehow preventing normal users
    >> from su'ing to root, Kerberos claims that the password is
    >> valid, SELinux is saying that it does not allow su to relabel
    >> the /dev/pts/4 tty, and finally su is not allowed to delete
    >> the cache file.
    >>
    >> Geez... what the heck is going on???
    >>
    >> HELP PLEASE?
    >----
    >I am a beginner at selinux - Paul H is very together on it...
    >
    >selinux targeted?
    >
    ># grep SELINUX /etc/selinux/config
    ># SELINUX= can take one of these three values:
    >SELINUX=Enforcing
    ># SELINUXTYPE= type of policy in use. Possible values are:
    >SELINUXTYPE=targeted
    >
    >if so - then...
    >yum install selinux-policy-targeted-sources
    >
    >then according to...
    >http://cvs.sourceforge.net/viewcvs.py/*checkout*/selinux/nsa/selinux-
    >usr/policycoreutils/audit2allow/audit2allow.1
    >
    >$ cd /etc/selinux/$(SELINUXTYPE)/src/policy
    >$ /usr/bin/audit2allow -i < /var/log/audit/audit.log >>
    >domains/misc/local.te
    ># <review domains/misc/local.te and customize as desired>
    >$ make load
    >
    >Craig
    >
    >

    Problem solved! A respondent told me to check the permissions
    on /bin/su, and it turned out that it was in mode 755 when it
    should have been in mode 4755.

    This means that my /bin and /sbin are hosed (by me) and I will need
    to find out how to restore the permissions and ownership of the
    files in these directories. Gah.

    I will review the SELinux stuff though and learn how to use it. I
    have problems getting httpd and samba to work under SELinux, as
    I have currently disabled SELinux for these programs so far.

    Kind regards,
    Dan

    -- 
    No virus found in this outgoing message.
    Checked by AVG Free Edition.
    Version: 7.1.362 / Virus Database: 267.13.5/177 - Release Date: 11/21/2005
     
    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
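    The thread ends with the actual cause: /bin/su had lost its setuid bit (mode 755 instead of 4755), so it ran as the calling uid and could not switch users, and Dan is left needing to restore ownership and modes under /bin and /sbin. The script below is an added example, not code from any poster on this list. It checks that a binary is root-owned and setuid, lists files under a directory whose mode, user or group have drifted from what their RPM package recorded, and restores them with rpm's own --setugids and --setperms. It assumes GNU coreutils stat(1) and rpm(8); the file name su-perms.sh and the check/restore subcommands are my own invention, and /bin/su, /bin and /sbin are the paths from the thread.

```sh
#!/bin/sh
# Added example, not from the thread. Checks that a binary such as /bin/su
# is root-owned with the setuid bit set, and uses the RPM database to report
# and restore the modes and owners a package recorded for a directory.
# Assumes GNU coreutils stat(1) and rpm(8); the file and directory names
# passed on the command line are illustrative.

# mode_has_setuid OCTAL_MODE: succeed if the setuid bit (04000) is set.
# Accepts what `stat -c %a` prints: 755, 4755, 6755 and so on.
mode_has_setuid() {
    case "$1" in
        ''|*[!0-7]*) return 2 ;;        # not an octal mode string
    esac
    # A leading 0 makes the shell parse the string as octal.
    [ $(( 0$1 & 04000 )) -ne 0 ]
}

# check_setuid_binary PATH [EXPECTED_UID]: succeed only if PATH is a regular
# file owned by EXPECTED_UID (default 0, root) with the setuid bit set.
# A 755 su starts as the caller's uid and cannot switch users at all, which
# is the state the thread ended up diagnosing.
check_setuid_binary() {
    f=$1
    want_uid=${2:-0}
    if [ ! -f "$f" ]; then
        echo "$f: missing or not a regular file"
        return 1
    fi
    mode=$(stat -c '%a' "$f")
    uid=$(stat -c '%u' "$f")
    if ! mode_has_setuid "$mode"; then
        echo "$f: mode $mode, setuid bit missing (expected 4755)"
        return 1
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "$f: owned by uid $uid, expected $want_uid; setuid yields the owner's uid, not root"
        return 1
    fi
    echo "$f: mode $mode, uid $uid: ok"
}

# packages_owning DIR: names of the packages that own files directly under DIR.
packages_owning() {
    rpm -qf "$1"/* 2>/dev/null | grep -v 'not owned by any package' | sort -u
}

# rpm_report_drift DIR: print the `rpm -V` lines for owned files whose mode
# (M), user (U) or group (G) no longer matches the package database. The
# last field must be a path so that dependency complaints are not matched.
rpm_report_drift() {
    packages_owning "$1" | xargs -r rpm -V 2>/dev/null \
        | awk '$1 ~ /[MUG]/ && $NF ~ /^\// { print }'
}

# rpm_restore_dir DIR: put owner, group and mode of every packaged file under
# DIR back to the recorded values. Run as root. Owners are reset first:
# chown(2) clears the setuid and setgid bits on a file, so running
# --setugids after --setperms would strip the 4755 from su again.
rpm_restore_dir() {
    pkgs=$(packages_owning "$1")
    if [ -z "$pkgs" ]; then
        echo "no packaged files directly under $1"
        return 1
    fi
    # word splitting on the package list is intended
    rpm --setugids $pkgs && rpm --setperms $pkgs
}

# Usage: sh su-perms.sh check    -> audit /bin/su, then list drift in /bin and /sbin
#        sh su-perms.sh restore  -> as root, reset owners and modes in /bin and /sbin
case "${1:-}" in
    check)   check_setuid_binary /bin/su; rpm_report_drift /bin; rpm_report_drift /sbin ;;
    restore) rpm_restore_dir /bin && rpm_restore_dir /sbin ;;
esac
```

    Run `sh su-perms.sh check` first: it reports su's mode and owner and then every file under /bin and /sbin that `rpm -V` flags for mode, user or group, which is the list of what a stray chmod or chown touched. Only then run `restore` as root. The order of the two rpm calls matters, because a chown clears the setuid bit, so resetting owners after modes would undo the 4755 just restored.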
    
