I finally solved my local user's inability to "su -". Here's a short summary that'll hopefully help anybody else running into this problem. There appear to be at least 2 files which can deny a user the ability to "su -" if you are running shadow, not pam. If you get blocked by either one of them, you're blocked. Period. End of story.

The first file is /etc/login.defs, where I found the entry...

   SU_WHEEL_ONLY yes

What do you *THINK* it means??? Unhhh, unhhh. Immediately above it are the comments...

   #
   # If "yes", the user must be listed as a member of the first gid 0 group
   # in /etc/group (called "root" on most Linux systems) to be able to "su"
   # to uid 0 accounts. If the group doesn't exist or is empty, no one
   # will be able to "su" to uid 0.
   #

In other words, it does *NOT* apply to members of wheel, but rather to members of root (yes, there is a *GROUP* called root). If this entry is set to yes, only members of "root" can "su -". I strongly recommend commenting it out.

Then there's the "normal" /etc/suauth file, which is where we expect the control to be, specifically...

   #
   # Anyone else may not su to root unless in
   # group wheel. This is how BSD does things.
   #
   root:ALL EXCEPT GROUP wheel:DENY

If a restriction is set in both files, then a user must be a member of *BOTH* root and wheel in order to "su -".

I wouldn't want those of you using PAM to feel left out. In the standard /etc/pam.d/su file, there are the following remarks...

   # If you want to restrict users begin allowed to su even more,
   # create /etc/security/suauth.allow (or to that matter) that is only
   # writable by root, and add users that are allowed to su to that
   # file, one per line.

--
Walter Dnes <[EMAIL PROTECTED]>
An infinite number of monkeys pounding away on keyboards will eventually
produce a report showing that Windows is more secure, and has a lower
TCO, than linux.

--
gentoo-user@gentoo.org mailing list
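The following audit script is an added example and is not part of the post above or of the shadow suite itself. It checks the two gates the post describes (the SU_WHEEL_ONLY line in /etc/login.defs and a single "root:ALL EXCEPT GROUP <grp>:DENY" rule in /etc/suauth) against copies of the three files, so it can be pointed at constructed sample files rather than the live system; it ignores PAM entirely. The function names (can_su_root, make_sample_etc, and friends), the sample users alice, bob and carol, and the decision to evaluate only those two rule shapes are my assumptions, not anything the post states.

```shell
#!/bin/sh
# Added example, not from the original post: audit the two shadow-suite "su -"
# gates described above against copies of /etc/login.defs, /etc/group and
# /etc/suauth. Paths are parameters so it can run on a constructed sample
# tree (make_sample_etc below) instead of the live system. It evaluates only
# the two settings the post shows (SU_WHEEL_ONLY and a single
# "root:ALL EXCEPT GROUP <grp>:DENY" rule) and ignores PAM entirely.

# gid0_group GROUPFILE: print the name of the first gid 0 group ("root" on
# most systems); prints nothing if there is none.
gid0_group() {
    awk -F: '$3 == 0 { print $1; exit }' "$1"
}

# in_group USER GROUP GROUPFILE: succeed if USER appears in GROUP's member
# list (the fourth field), which is what the login.defs comment requires.
# An empty or missing group therefore fails for everyone.
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$3"
}

# su_wheel_only LOGINDEFS: succeed if an uncommented "SU_WHEEL_ONLY yes" is set.
# A leading "#" puts the token in $1, so commenting the line out disables it.
su_wheel_only() {
    awk '$1 == "SU_WHEEL_ONLY" && tolower($2) == "yes" { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# suauth_exempt_group SUAUTHFILE: print the group named in a
# "root:ALL EXCEPT GROUP <grp>:DENY" rule; prints nothing if no such rule.
suauth_exempt_group() {
    awk -F: '$1 == "root" && $3 == "DENY" && $2 ~ /^ALL EXCEPT GROUP [^ ]+$/ {
                 split($2, w, " "); print w[4]; exit }' "$1"
}

# can_su_root USER LOGINDEFS GROUPFILE SUAUTHFILE: succeed if USER passes both
# gates; print a DENY line for each gate that blocks USER.
can_su_root() {
    user=$1; logindefs=$2; groupfile=$3; suauth=$4
    rc=0
    if su_wheel_only "$logindefs"; then
        g=$(gid0_group "$groupfile")
        if [ -z "$g" ] || ! in_group "$user" "$g" "$groupfile"; then
            echo "DENY: login.defs SU_WHEEL_ONLY=yes and $user is not in gid 0 group '${g:-<missing>}'"
            rc=1
        fi
    fi
    eg=$(suauth_exempt_group "$suauth")
    if [ -n "$eg" ] && ! in_group "$user" "$eg" "$groupfile"; then
        echo "DENY: suauth 'root:ALL EXCEPT GROUP $eg:DENY' and $user is not in $eg"
        rc=1
    fi
    return $rc
}

# make_sample_etc DIR: write constructed sample files (not from any real
# system) mirroring the settings quoted in the post.
make_sample_etc() {
    mkdir -p "$1"
    printf '%s\n' '# constructed sample login.defs' 'SU_WHEEL_ONLY yes' > "$1/login.defs"
    printf '%s\n' 'root:x:0:alice' 'wheel:x:10:alice,bob' 'users:x:100:alice,bob,carol' > "$1/group"
    printf '%s\n' '# Anyone else may not su to root unless in' \
                  '# group wheel. This is how BSD does things.' \
                  'root:ALL EXCEPT GROUP wheel:DENY' > "$1/suauth"
}

# Demo: alice is in root and wheel, bob only in wheel, carol in neither.
demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/suaudit.XXXXXX")
make_sample_etc "$demo_dir"
for u in alice bob carol; do
    if can_su_root "$u" "$demo_dir/login.defs" "$demo_dir/group" "$demo_dir/suauth"; then
        echo "$u: may su to root"
    else
        echo "$u: blocked"
    fi
done
rm -rf "$demo_dir"
```

Run it against the real files with `can_su_root "$USER" /etc/login.defs /etc/group /etc/suauth` to see which gate is blocking you; with the sample tree, only alice passes, bob is stopped by SU_WHEEL_ONLY despite being in wheel, and carol is stopped by both. Commenting out the SU_WHEEL_ONLY line, as the post recommends, leaves wheel membership as the only requirement.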