Debian – su-to-root fails when root user locked

debianSecuritysu

How might I use script /usr/bin/su-to-root after I have intentionally locked the root account?

Running Debian GNU/Linux 6.0.5 "squeeze" and noticed menu item "System > Administration > Synaptic Package Manager" has default command:

su-to-root -X -c /usr/sbin/synaptic

which fails even though I provide the correct root password.

I have locked the root account (via command sudo passwd -l root) after granting my normal user sudo access via file /etc/sudoers.

Via the su-to-root man page, I tried modifying the command to use a specific user:

su-to-root -X -p "user" -c /usr/sbin/synaptic

but this did not seem to work.

In both cases, after three failed authentications, I receive message:

"Starting without administrative privileges. You will not be able to
apply any changes. But you can still export the marked changes or
create a download script for

Any ideas?

Traces of the script:

k@bucket:/tmp$ bash -x /tmp/su-to-root -X -c /usr/sbin/synaptic
+ test -r /etc/su-to-rootrc
+ test -r /home/k/.su-to-rootrc
+ PRIV=root
+ COMMAND=
+ NEEDS=text
++ which gettext
+ gettext=/usr/bin/gettext
+ for i in '"$@"'
+ case "$prev" in
+ prev=-X
+ for i in '"$@"'
+ case "$prev" in
+ NEEDS=X11
+ prev=-c
+ for i in '"$@"'
+ case "$prev" in
+ COMMAND=/usr/sbin/synaptic
+ prev=/usr/sbin/synaptic
+ '[' -z /usr/sbin/synaptic ']'
++ id -u
+ euid=1000
++ id -u root
+ privid=0
+ test 1000 = 0
+ case $NEEDS in
+ test -z ''
+ which gksu
+ SU_TO_ROOT_X=gksu
+ test X = Xtrue
+ case $SU_TO_ROOT_X in
+ gksu -u root /usr/sbin/synaptic
k@bucket:/tmp$

and

k@bucket:/tmp$ bash -x /tmp/su-to-root -X -p k -c /usr/sbin/synaptic
+ test -r /etc/su-to-rootrc
+ test -r /home/k/.su-to-rootrc
+ PRIV=root
+ COMMAND=
+ NEEDS=text
++ which gettext
+ gettext=/usr/bin/gettext
+ for i in '"$@"'
+ case "$prev" in
+ prev=-X
+ for i in '"$@"'
+ case "$prev" in
+ NEEDS=X11
+ prev=-p
+ for i in '"$@"'
+ case "$prev" in
+ PRIV=k
+ prev=k
+ for i in '"$@"'
+ case "$prev" in
+ prev=-c
+ for i in '"$@"'
+ case "$prev" in
+ COMMAND=/usr/sbin/synaptic
+ prev=/usr/sbin/synaptic
+ '[' -z /usr/sbin/synaptic ']'
++ id -u
+ euid=1000
++ id -u k
+ privid=1000
+ test 1000 = 1000
+ sh -c /usr/sbin/synaptic
k@bucket:/tmp$

Best Answer

Create a file named '~/.su-to-rootrc' with contents 'SU_TO_ROOT_SU="sudo"'.

Example:

echo 'SU_TO_ROOT_SU="sudo"'>~/.su-to-rootrc

Or create it system wide at /etc. su-to-root without this rc file always tries su, which does not work with blocked root accout. If you create the rc file, it uses sudo instead and everything is fine.

Related Solutions

Debian Kernel Module Error – Cannot Create ‘Hello World’ Module with NVIDIA and VirtualBox

SOLVED!

Simple as that: /root/.bashrc had this inside:

 export GREP_OPTIONS='--color=always'

Changed it to:

 export GREP_OPTIONS='--color=never'

...and restarted the root shell (of course; do not omit this step). Everything started working again. Both NVIDIA and VirtualBox kernel modules built from the first try. I am so happy! :-)

Then again though, I am slighly disappointed by the kernel build tools. They should know better and pass --color=never everywhere they use grep; or rather, store the old value of GREP_OPTIONS, override it for the lifetime of the building process, then restore it.

I am hopeful that my epic one-week battle with this problem will prove valuable both to the community and the kernel build tools developers.

A very warm thanks to the people who were with me and tried to help.

(All credits go here: http://forums.gentoo.org/viewtopic-p-4156366.html#4156366)

How to find out out WHEN an user account was locked

Currently, yes and no. The security system itself doesn't log historic details of password changes. Since it's a flat file it would be hard for such a record to be accurate and trustworthy, if access to the databases had to exclusive go through some kind of a broker then it would be possible (you could just add the logic to the broker), but with widely accessible flat files, not so much. This is why a lot of LDAP/Kerberos identity services allow this type of auditing but local unix users have a hard time with it.

The closest you can get is to enable operating system audit logging, log all command executions (with command line options) and watch the /etc/passwd and /etc/shadow files. If you can trace the change to being in a certain time period search for in the OS audit records, you might be able to trace it back to a "passwd -l" invocation or someone manually editing /etc/shadow or /etc/passwd (in case of unshadowed password).

EDIT:

To clarify, the default passwd utility on some versions of traditional UNIX (Like Solaris 9, I'm seeing) will syslog the "passwd -l" but I assumed we were on Linux given the GNU version of passwd and that that's still insufficiently complete to be trustworthy.

Best Answer

Related Solutions

Debian Kernel Module Error – Cannot Create ‘Hello World’ Module with NVIDIA and VirtualBox

How to find out out WHEN an user account was locked

Related Question