On 30/12/99 matt garman wrote:
I just installed potato via the floppy+ftp method.
For some odd reason, I cannot "su" to root as a normal user, it
always says I have the wrong password. But I can switch to a
different virtual terminal and login as root with the same password,
no problem.
Also, as a user I tried to change my shell with "chsh" and
it behaves the same as su, i.e. it always says wrong password for
my username. I can login with this password just fine, though.
I tried both commands several times slowly, so I cannot be typing
two different passwords incorrectly.
I just reinstalled a potato system 3 days ago using the 2.2.3 potato
boot floppies and the base system was installed with massively wrong
permissions:
1) there were NO suid/sgid binaries, including chsh, chfn, login,
passwd, su et al. this means ONLY root may login to the virtual
consoles, any other uids will fail. this also means su, chsh, chfn et
al will not work. nothing pam related will work since
/sbin/unix_chkpwd is not suid.
2) any file or directory that has a symlink associated with it has
permissions of 777. this includes much of the libc, /sbin/init,
/usr/sbin/adduser, and many many many more. also most of
/usr/share/doc had mode 777.
3) most of /dev/* has wrong owners/permissions, i just rm -rf ed it
and grabbed a properly extracted version from base2_2.tgz
unfortunately i did not notice this massive mess till after i
installed the rest of the system so i had to do many finds (for all
the mode 777 stuff) and general looking around to fix the huge
security hole, for the suid/sgid i extracted a copy of the base
system into a temporary directory with tar -zxvpf and did finds for
all suid/sgid and set the modes manually (there are not too many in
the base system). I also had to take the /dev/ directory from manually
extracted base and replace the screwed up version that i had. i also
used the base as a reference for what the right permissions were for
the 777 stuff as well as owners/groups.
now hopefully this is not what happened to you and you can check to
see if /etc/pam.d/ has the right files for chsh and chfn and su...
you should also scan for users and groups that are not root in all
the /lib and /usr hierarchies, there have been a few packages
installing all their files under uid 1000 and such, some do not have
owners at all (uid 4000ish)
--
Ethan Benson
To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/
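
The comparison described in the reply above (installed system checked against a cleanly extracted copy of the base archive), as an added example that is not part of the original thread. It assumes GNU find as shipped on Debian; the function names and the two directory arguments are hypothetical.

```shell
#!/bin/sh
# Added example: audit a live tree against a reference tree, e.g. the base
# archive unpacked with "tar -zxpf" into a scratch directory.
# Assumes GNU find (-printf). All function names are hypothetical.

# list_modes DIR -> "MODE PATH" for every non-symlink entry under DIR.
# Symlinks are skipped: their own mode always reads 777 and means nothing.
list_modes() {
    (cd "$1" && find . ! -type l -printf '%m %p\n')
}

# mode_drift REF LIVE -> "PATH ref=MODE live=MODE" for each path present in
# both trees whose mode differs (lost suid/sgid bits, stray 777, and so on).
mode_drift() {
    ref_list=$(mktemp) live_list=$(mktemp)
    list_modes "$1" > "$ref_list"
    list_modes "$2" > "$live_list"
    awk 'NR==FNR { m=$1; sub(/^[^ ]+ /, ""); ref[$0]=m; next }
         { m=$1; sub(/^[^ ]+ /, "")
           if (($0 in ref) && ref[$0] != m)
               print $0 " ref=" ref[$0] " live=" m }' "$ref_list" "$live_list"
    rm -f "$ref_list" "$live_list"
}

# missing_suid REF LIVE -> files that carry suid or sgid in REF but have
# neither bit in LIVE (the failure that breaks su, chsh, passwd, login).
missing_suid() {
    (cd "$1" && find . -type f \( -perm -4000 -o -perm -2000 \) -print) |
    while IFS= read -r p; do
        [ -e "$2/$p" ] || continue
        [ -u "$2/$p" ] || [ -g "$2/$p" ] || echo "$p"
    done
}

# world_writable DIR -> non-symlink entries writable by everyone, leaving
# out sticky directories such as /tmp where that is intended.
world_writable() {
    (cd "$1" && find . ! -type l -perm -0002 ! \( -type d -perm -1000 \))
}

# Example use (paths are placeholders):
#   missing_suid   /tmp/base-ref /
#   mode_drift     /tmp/base-ref /
#   world_writable /usr
```

Ownership can be checked the same way with `find /lib /usr ! -user root`, which needs the real system to give meaningful output.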