Mailing Lists: Apple Mailing Lists


Re: Problems 'su'ing into the root user



On 2006-08-22 Simon Slavin wrote:
> On 22 Aug 2006, at 3:49am, Nate Rudd wrote:
>> I can no longer 'su' into the root user on the server or any client  
>> using ssh or sitting locally at the machines.  Terminal just  
>> responds by saying Sorry.  When I try it on the server I get the  
>> following errors from the system.log:
>>
>> Aug 22 11:21:11 ns su: pam_authenticate: Permission denied
>> Aug 22 11:21:16 ns DirectoryService[55]: Failed Authentication  
>> return is being delayed due to over five recent auth failures for  
>> username: root.
>>
>> I am not sure why it says I have tried five times when I only tried  
>> once from the terminal.  Also I can log into the root user  
>> graphically no problem (server and clients) and this has helped  
>> work around the problem.  I have also found that I can gain root  
>> access by typing:
>>
>> sudo su root
> 
> Argh.  That is a horrible combination.
> 
> OS X has always worked better with 'sudo' than 'su'.  There are  
> security issues surrounding both applications, but 'sudo' is better  
> designed and more secure in the situations that you would find most  
> OS X computers set up for.  'sudoers' does its job properly under OS  
> X (or, at least, it did in the last version I examined).
> 
> I normally recommend that OS X people never use 'su'.  You can use  
> 'sudo' for single instructions, 'sudo -s' for entire sessions with  
> different privs, and 'sudo -u' for non-root.  All three are more  
> secure, for a normal setup, than the equivalent 'su' would be.

Huh? What difference exactly do you see between "sudo -s" and "sudo su"?
Either one gives you a Shell with (E)UID 0.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
Macos-x-server mailing list      (email@hidden)



