Gentoo Archives: gentoo-hardened

From: Chris PeBenito <pebenito@g.o>
To: Peter Buettner <pb@××××××××××××.de>
Cc: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] su and newrole do not work from normal user account
Date: Sat, 11 Sep 2004 15:54:50
Message-Id: 1094918102.6513.75.camel@gorn.pebenito.net
In Reply to: Re: [gentoo-hardened] su and newrole do not work from normal user account by Peter Buettner
On Sat, 2004-09-11 at 07:59, Peter Buettner wrote:
> Last login: Fri Sep 10 13:59:22 2004 from thor.personalwlan.de
> sysop@access sysop $ id
> uid=1000(sysop) gid=100(users) groups=10(wheel),100(users) context=sysop:staff_r:staff_t
>
> sysop@access sysop $ su -
> Password:
> su: Authentication failure
> Sorry.
>
> sysop@access sysop $ newrole -r sysadm_r
> Authenticating sysop.
> Password:
> newrole: incorrect password for sysop

Two things. Only sysadm_r is allowed to su in the default Gentoo
policy. If you want others to su, you need to add su_domain(staff),
etc. In the above examples, you're in permissive since the user can
su. Therefore SELinux shouldn't be denying any of that stuff, so
I'm guessing it's a PAM problem.

--
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
