> On 2006-08-22 Simon Slavin wrote:
>> On 22 Aug 2006, at 3:49am, Nate Rudd wrote:
>>> I can no longer 'su' into the root user on the server or any client
>>> using ssh or sitting locally at the machines. Terminal just
>>> responds by saying Sorry. When I try it on the server I get the
>>> following errors from the system.log:
>>>
>>> Aug 22 11:21:11 ns su: pam_authenticate: Permission denied
>>> Aug 22 11:21:16 ns DirectoryService[55]: Failed Authentication
>>> return is being delayed due to over five recent auth failures for
>>> username: root.
>>>
>>> I am not sure why it says I have tried five times when I only tried
>>> once from the terminal. Also I can log into the root user
>>> graphically no problem (server and clients) and this has helped
>>> work around the problem. I have also found that I can gain root
>>> access by typing:
>>>
>>> sudo su root
>>
>> Argh. That is a horrible combination.
>>
>> OS X has always worked better with 'sudo' than 'su'. There are
>> security issues surrounding both applications, but 'sudo' is better
>> designed and more secure in the situations that you would find most
>> OS X computers set up for. 'sudoers' does its job properly under OS
>> X (or, at least, it did in the last version I examined).
>>
>> I normally recommend that OS X people never use 'su'. You can use
>> 'sudo' for single instructions, 'sudo -s' for entire sessions with
>> different privs, and 'sudo -u' for non-root. All three are more
>> secure, for a normal setup, than the equivalent 'su' would be.
>
> Huh? What difference exactly do you see between "sudo -s" and "sudo su"?
> Either one gives you a Shell with (E)UID 0.
I like sudo since it logs the commands. True that if you switch the
shell with -s you don't get further logging, but at least you can see who
changed to a root shell.
Josh
www.afp548.com
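
The logging point in the reply above, as an added example that is not part of the original post: a Python scan of syslog text for sudo entries that opened an interactive root shell, which is the last thing sudo records before per-command logging stops. The sample lines are constructed in sudo's usual syslog layout; the user names, TTYs and the function name `root_shell_events` are assumptions.

```python
import re
from collections import namedtuple

# Constructed sample lines (users and TTYs are made up); the last line is
# a non-sudo entry like the one quoted in the thread and must be ignored.
SAMPLE_LOG = """\
Aug 22 11:24:10 ns sudo:     nate : TTY=ttyp1 ; PWD=/Users/nate ; USER=root ; COMMAND=/usr/bin/su root
Aug 22 11:26:42 ns sudo:     josh : TTY=ttyp2 ; PWD=/Users/josh ; USER=root ; COMMAND=/bin/bash
Aug 22 11:27:05 ns sudo:     josh : TTY=ttyp2 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/tail -n 20 /var/log/system.log
Aug 22 11:30:00 ns sudo:     nate : TTY=ttyp1 ; PWD=/Users/nate ; USER=root ; COMMAND=/bin/sh -c id
Aug 22 11:21:11 ns su: pam_authenticate: Permission denied
"""

Event = namedtuple("Event", "ts user tty command")

# sudo's syslog layout: "<user> : [notice ; ]TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?:.*? ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<command>.*)$"
)

# Programs that hand over an interactive session when run without "-c".
SHELLS = {"sh", "bash", "zsh", "csh", "tcsh", "ksh", "su"}


def root_shell_events(log_text):
    """Return sudo entries where a user switched to an interactive root shell."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if not m or m["runas"] != "root":
            continue
        argv = m["command"].split()
        prog = argv[0].rsplit("/", 1)[-1]
        # "sh -c cmd" runs one logged command; a bare shell or su is a session
        # whose later commands never reach the sudo log.
        if prog in SHELLS and "-c" not in argv[1:]:
            events.append(Event(m["ts"], m["user"], m["tty"], m["command"]))
    return events


if __name__ == "__main__":
    for e in root_shell_events(SAMPLE_LOG):
        print(f"{e.ts}  {e.user} on {e.tty} opened a root shell via: {e.command}")
```
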