
su command error "su: Permission denied" [How to Solve]

The su command reports the error su: Permission denied, whether the target is an ordinary user or root. The password is known to be correct, because SSH login works normally, and su from root to other users also works normally.

[user01@my-linux ~]$ su -
Password: 
su: Permission denied

Compared with a host where su works, the su binary here has the same normal permissions, including the s (setuid) permission.

[user01@my-linux ~]$ ll /usr/bin/su
-rwsr-xr-x 1 root root 32128 Oct 1 2020 /usr/bin/su

In fact, once you have ruled out a wrong password, an expired password and a locked account, the first thing to think of is the PAM module. PAM (Pluggable Authentication Modules) is responsible for the login authentication of many applications on the system, including sshd, vsftpd, su, etc. For example, the SSH login authentication configuration file is /etc/pam.d/sshd, and users can configure authentication rules there as needed. You can also configure PAM authentication for your other applications.

View the PAM authentication configuration for su:

[root@my-linux ~]# cd /etc/pam.d
[root@my-linux pam.d]# cat su
#%PAM-1.0
auth            sufficient      pam_rootok.so

# Uncomment the following line to implicitly trust users in the "wheel" group.

auth            sufficient      pam_wheel.so trust use_uid

# Uncomment the following line to require a user to be in the "wheel" group.

auth           required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so

Solution:

The PAM configuration file for su contains auth required pam_wheel.so use_uid. According to the comment on the line above it, a user must be in the wheel group to use the su command, and my ordinary user is not in the wheel group. There are two ways to solve this problem: one is to comment out that line, and the other is to add the ordinary user to the wheel group.

Solution for the su command error "cannot set groups: Operation not permitted"


Copyright notice: This article was originally written by Zeng Qianqian. Please cite the source when reprinting.
Link to the original article: https://www.qcloud.com/community/article/103

Source: Tengyun Pavilion https://www.qcloud.com/community

Problem scenario:

user_00@hadoop-10-125-224-102:> su root
Password: 
su: cannot set groups: Operation not permitted

1. Observation:

(1) Look at /bin/su

user_00@hadoop-10-125-224-102:> ll /bin/su
-rwxr-xr-x 1 user_00 users 37880 May  3  2007 /bin/su

(2) Compare with the /bin/su file on a jump host where the su command works normally

user_00@Tencent64:~> ll /bin/su
-rwsr-xr-x 1 root root 37880 Jul 14  2014 /bin/su

2. Compare the differences

3. Analysis:

In -rwsr-xr-x, s means setuid, which makes the file run with the permissions of the file's owner rather than those of the user executing the command.

The file under /bin that belonged to root was changed to another owner and group, which leads to the error. (PS: it's a silly mistake; don't do this.)

4. Solution:

Change the file owner:

hadoop-10-125-224-102:~ # chown -R root:root /bin/su 
==>  -rwxr-xr-x 1 root root 37880 May  3  2007 /bin/su

Set the setuid bit on the file:

hadoop-10-125-224-102:~ # chmod u+s /bin/su
==>  -rwsr-xr-x 1 root root 37880 May  3  2007 /bin/su

5. Background knowledge

Permission status: in -rwsr-xr-x the s is called set UID, or SUID for short. The special behavior of this permission:

SUID permission is only valid for binary programs

the executor needs x (execute) permission on the program

this permission is only in effect while the program is running (run-time)

the executor will have the permissions of the owner of the program

Similar permissions are SGID and SBIT; for details, search for "Linux special permissions".
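A triage script for the two failures covered on this page: "su: Permission denied" caused by a required pam_wheel.so line, and "cannot set groups" caused by a su binary that lost root ownership and its setuid bit. It is an added example, not part of either original article; the function names are made up here, and the defaults /usr/bin/su and /etc/pam.d/su are the paths shown above.

```shell
#!/bin/sh
# Added example (not from the original articles): triage both su failures.
# Function names are constructed for illustration.

# 0 if an active (uncommented) auth line makes pam_wheel.so mandatory,
# i.e. only members of wheel may use su.
pam_wheel_required() {
    awk '$1 == "auth" && ($2 == "required" || $2 == "requisite") &&
         $3 == "pam_wheel.so" { found = 1 }
         END { exit (found ? 0 : 1) }' "$1"
}

# 0 if USER ($1) is a member of GROUP ($2).
in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF "$2"
}

# Judge the su binary from its owner ($1) and symbolic mode ($2) as shown
# by `ls -l`; prints "ok" or the first problem found.
su_mode_problem() {
    if [ "$1" != root ]; then echo "owner is $1, not root"; return 1; fi
    case "$2" in
        ???s*) echo ok ;;
        *)     echo "setuid bit missing"; return 1 ;;
    esac
}

# triage_su USER [SU_PATH] [PAM_FILE]
triage_su() {
    user=$1; bin=${2:-/usr/bin/su}; pam=${3:-/etc/pam.d/su}
    set -- $(ls -ld "$bin" | awk '{ print $3, $1 }')
    # chown comes first: changing ownership clears the setuid bit on Linux.
    su_mode_problem "$1" "$2" ||
        echo "fix: chown root:root $bin && chmod u+s $bin"
    if pam_wheel_required "$pam" && ! in_group "$user" wheel; then
        echo "pam_wheel.so is required in $pam and $user is not in wheel"
    fi
}

if [ $# -gt 0 ]; then triage_su "$@"; fi
```

Of the two fixes for the pam_wheel case, adding the user to wheel keeps the restriction in force for every other account, whereas commenting the line out removes it for all users.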