SU command won't work in Lion running 10.7.1

OngL
Sep 6, 2011, 11:58 AM
Hi All,

I have an iMac and 3 MBPs running Lion and Snow Leopard. In all of them, the su command works just fine, and of course I have had no issues with them for many years.

I just bought a MBA 2011 and it came with Lion 10.7, which I updated to 10.7.1. The su command simply refuses to work. It displays 'su: sorry' as if I typed the wrong password.

1) I tried my own account password which is an administrator. Didn't work
2) Enabled the root account and set the password. Didn't work (I checked on all my other machines; there is no need to enable root there, as the 'enable root' option is still available, whereas if it had been enabled only the 'disable root' option would be displayed).
3) Created another account (admin) also didn't work.

What did I miss here?



PeterHolbrook
Sep 6, 2011, 12:52 PM
What did I miss here?

From "man":

"The su utility requests appropriate user credentials via PAM and switches to that user ID (the default user is the superuser). A shell is then executed.

"PAM is used to set the policy su(1) will use. In particular, by default only users in the ``admin'' or ``wheel'' groups can switch to UID 0 (``root''). This group requirement may be changed by modifying the ``pam_group'' section of /etc/pam.d/su. See pam_group(8) for details on how to modify this setting."

Apparently, the default of "su" usage has been modified for Lion.
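
The group requirement quoted from the man page is the one part of the su policy that can be checked before anyone edits /etc/pam.d/su. The shell functions below are an added example, not code from this thread or from Apple: they read a pam.d-style policy text (the sample is constructed to match the shape that pam_group(8) documents, not a copy of any real Lion file) together with a list of group names in the format `id -Gn` prints, and report whether the group gate for switching to UID 0 would pass.

```sh
#!/bin/sh
# Added example (not from the thread or from Apple): evaluate the group gate
# that the su(1) man page describes, from a pam.d-style policy text and the
# groups a user belongs to. Constructed sample policy; a real /etc/pam.d/su
# may differ, so feed the live file in rather than relying on this text.

SAMPLE_PAM_SU='# constructed sample, not a copy of a real /etc/pam.d/su
auth       sufficient     pam_rootok.so
auth       required       pam_opendirectory.so
account    required       pam_group.so no_warn group=admin,wheel root_only fail_safe
account    required       pam_opendirectory.so no_check_shell
session    required       pam_launchd.so'

# pam_group_allowed_groups: read a policy on stdin and print the comma-separated
# group list from its "account ... pam_group.so" line. Prints "wheel" (the
# pam_group(8) default) when the line exists without a group= option, and
# nothing at all when no pam_group line is present.
pam_group_allowed_groups() {
    awk '$1 == "account" && $3 == "pam_group.so" {
        found = "wheel"
        for (i = 4; i <= NF; i++)
            if ($i ~ /^group=/) { sub(/^group=/, "", $i); found = $i }
        print found
        exit
    }'
}

# su_group_gate "<policy text>" <group>...
# Returns 0 when at least one of the given groups is in the allowed list
# (or when the policy has no pam_group line, i.e. no group gate at all),
# 1 otherwise. Mirrors the admin/wheel requirement for switching to UID 0.
su_group_gate() {
    policy=$1
    shift
    allowed=$(printf '%s\n' "$policy" | pam_group_allowed_groups)
    [ -n "$allowed" ] || return 0          # no pam_group line: nothing to pass
    for g in "$@"; do
        case ",$allowed," in
            *",$g,"*) return 0 ;;
        esac
    done
    return 1
}
```

On a live machine the call is `su_group_gate "$(cat /etc/pam.d/su)" $(id -Gn "$USER")`. If this gate passes and su still answers 'su: sorry', the group check is not the culprit; the log line quoted further down in the thread ("in pam_sm_authenticate(): OpenDirectory - User record NULL") points at the authentication stage, which this check does not model.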

OngL
Sep 6, 2011, 01:40 PM
From "man":

"The su utility requests appropriate user credentials via PAM and switches to that user ID (the default user is the superuser). A shell is then executed.

"PAM is used to set the policy su(1) will use. In particular, by default only users in the ``admin'' or ``wheel'' groups can switch to UID 0 (``root''). This group requirement may be changed by modifying the ``pam_group'' section of /etc/pam.d/su. See pam_group(8) for details on how to modify this setting."

Apparently, the default of "su" usage has been modified for Lion.

On the logs:
2:36:25 AM su: BAD SU (username) to root on /dev/ttys000
2:36:25 AM su: in pam_sm_authenticate(): OpenDirectory - User record NULL

This is strange.... The existing system of Snow Leopard upgraded to Lion doesn't have this issue... I have two MBPs on SL upgraded to Lion. So this applies only to fresh Lion?

PeterHolbrook
Sep 6, 2011, 01:49 PM
This is strange.... The existing system of Snow Leopard upgraded to Lion doesn't have this issue... I have two MBPs on SL upgraded to Lion. So this applies only to fresh Lion?

My Lion was an upgrade, and I also have this issue. Actually, "su" behaves as if I was entering the wrong administrative password. I'm not sure right now how to fix the situation, except, perhaps, manually editing /etc/pam.d/su, which might be tricky, considering "su" doesn't work as expected. Anyone?

EDIT: I have just verified permissions. One of the oddities reported was "ACL found but not expected on 'private/var/root/'". It appears Disk Utility can't repair it.

EDIT2: The "ACL found..." is supposedly an innocuous one. In any case, it can be safely repaired using ACLr8 version 1.2.2 by nomulous (Google it).

EDIT3: It has just occurred to me: What is it you want to run, "su" or "sudo"? Sudo seems to work as usual.

lloygm64
Jan 6, 2012, 02:05 PM
EDIT3: It has just occurred to me: What is it you want to run, "su" or "sudo"? Sudo seems to work as usual.

I'm not the original poster, but I've discovered the exact same problem. SU doesn't always work as intended, or at least that's what it appears to me.

I'm using SU to pull a password out of a specific user's Keychain. I use the following:

su - greg -c "security find-generic-password -ga EncFS"

It returns the following:

keychain: "/Users/greg/Library/Keychains/login.keychain"
class: "genp"
attributes:
0x00000007 <blob>="EncFS"
0x00000008 <blob>=<NULL>
"acct"<blob>="EncFS"
"cdat"<timedate>=0x32303132303130353134343535395A00 "20120105144559Z\000"
"crtr"<uint32>=<NULL>
"cusi"<sint32>=<NULL>
"desc"<blob>=<NULL>
"gena"<blob>=<NULL>
"icmt"<blob>=<NULL>
"invi"<sint32>=<NULL>
"mdat"<timedate>=0x32303132303130363139343231335A00 "20120106194213Z\000"
"nega"<sint32>=<NULL>
"prot"<blob>=<NULL>
"scrp"<sint32>=<NULL>
"svce"<blob>="EncFS"
"type"<uint32>=<NULL>
password:

Which is fine, but what I want is the password. As you can see the password is blank. I get "password: ", and nothing after it.

If I run that same command as the user, I get

keychain: "/Users/greg/Library/Keychains/login.keychain"
class: "genp"
attributes:
0x00000007 <blob>="EncFS"
0x00000008 <blob>=<NULL>
"acct"<blob>="EncFS"
"cdat"<timedate>=0x32303132303130353134343535395A00 "20120105144559Z\000"
"crtr"<uint32>=<NULL>
"cusi"<sint32>=<NULL>
"desc"<blob>=<NULL>
"gena"<blob>=<NULL>
"icmt"<blob>=<NULL>
"invi"<sint32>=<NULL>
"mdat"<timedate>=0x32303132303130363139343231335A00 "20120106194213Z\000"
"nega"<sint32>=<NULL>
"prot"<blob>=<NULL>
"scrp"<sint32>=<NULL>
"svce"<blob>="EncFS"
"type"<uint32>=<NULL>
password: "password123"

You can see that it properly shows the password, password123, in quotes.

This worked in Snow Leopard, but now it doesn't work in Lion.

Any thoughts?
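
The risk in the keychain case above is a script that takes the empty `password:` line at face value and hands an empty string on to EncFS. The shell functions below are an added example, not the poster's code: they parse the output of `security find-generic-password -ga` (two constructed samples, one with the password present and one blank as in the su run) and fail with a non-zero status when no password comes back, instead of returning an empty string. With `-g` the security tool writes the password line to stderr, so the live command needs `2>&1` before the pipe; the wrapper at the end shows that and is not exercised by the samples.

```sh
#!/bin/sh
# Added example (not from the thread): parse the output of
#   security find-generic-password -ga <account>
# and fail loudly when the password field is empty, as the thread shows it
# is when the command runs under "su - user -c ...".

# Constructed sample: the shape of the output from the su run, trimmed to
# the lines that matter for parsing. The password line is blank.
SAMPLE_LOCKED='keychain: "/Users/greg/Library/Keychains/login.keychain"
class: "genp"
attributes:
    "acct"<blob>="EncFS"
    "svce"<blob>="EncFS"
password: '

# Constructed sample: the same command run from the user's own session.
SAMPLE_UNLOCKED='keychain: "/Users/greg/Library/Keychains/login.keychain"
class: "genp"
attributes:
    "acct"<blob>="EncFS"
    "svce"<blob>="EncFS"
password: "password123"'

# extract_keychain_password: read security(1) output on stdin and print the
# password without its surrounding quotes. Returns 1 and prints nothing when
# the password line is absent or empty (an item whose password is the empty
# string "" is deliberately treated the same way: nothing usable came back).
extract_keychain_password() {
    pw=$(sed -n 's/^password: "\(.*\)"$/\1/p')
    if [ -z "$pw" ]; then
        return 1
    fi
    printf '%s\n' "$pw"
}

# keychain_password_via_su USER ACCOUNT
# Runs the thread's command for a real user and keychain item and reports a
# clear error when nothing comes back, rather than passing "" downstream.
# Needs a working su and keychain, so it is not run against the samples.
keychain_password_via_su() {
    user=$1
    account=$2
    su - "$user" -c "security find-generic-password -ga '$account'" 2>&1 \
        | extract_keychain_password || {
            echo "no password returned for '$account' (keychain locked or item missing)" >&2
            return 1
        }
}
```

Because the function returns 1 on an empty result, a caller can write `pw=$(keychain_password_via_su greg EncFS) || exit 1` and never reach the mount step with a blank password.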

thundersteele
Jan 6, 2012, 02:53 PM
Maybe this helps?
http://support.apple.com/kb/ht1528

MisterMe
Jan 6, 2012, 03:14 PM
The su command has not changed since 2006:

misterme-macbook-pro:~ misterme$ man su

SU(1) BSD General Commands Manual SU(1)

NAME
su -- substitute user identity

SYNOPSIS
su [-] [-flm] [login [args]]

DESCRIPTION
The su utility requests appropriate user credentials via PAM and switches
to that user ID (the default user is the superuser). A shell is then
executed.

PAM is used to set the policy su(1) will use. In particular, by default
only users in the ``admin'' or ``wheel'' groups can switch to UID 0
(``root''). This group requirement may be changed by modifying the
``pam_group'' section of /etc/pam.d/su. See pam_group(8) for details on
how to modify this setting.

By default, the environment is unmodified with the exception of USER,
HOME, and SHELL. HOME and SHELL are set to the target login's default
values. USER is set to the target login, unless the target login has a
user ID of 0, in which case it is unmodified. The invoked shell is the
one belonging to the target login. This is the traditional behavior of
su.

The options are as follows:

-f If the invoked shell is csh(1), this option prevents it from
reading the ``.cshrc'' file.

-l Simulate a full login. The environment is discarded except for
HOME, SHELL, PATH, TERM, and USER. HOME and SHELL are modified
as above. USER is set to the target login. PATH is set to
``/bin:/usr/bin''. TERM is imported from your current environ-
ment. The invoked shell is the target login's, and su will
change directory to the target login's home directory.

- (no letter) The same as -l.

-m Leave the environment unmodified. The invoked shell is your
login shell, and no directory changes are made. As a security
precaution, if the target user's shell is a non-standard shell
(as defined by getusershell(3)) and the caller's real uid is non-
zero, su will fail.

The -l (or -) and -m options are mutually exclusive; the last one speci-
fied overrides any previous ones.

If the optional args are provided on the command line, they are passed to
the login shell of the target login. Note that all command line argu-
ments before the target login name are processed by su itself, everything
after the target login name gets passed to the login shell.

By default (unless the prompt is reset by a startup file) the super-user
prompt is set to ``#'' to remind one of its awesome power.

ENVIRONMENT
Environment variables used by su:

HOME Default home directory of real user ID unless modified as specified
above.

PATH Default search path of real user ID unless modified as specified
above.

TERM Provides terminal type which may be retained for the substituted
user ID.

USER The user ID is always the effective ID (the target user ID) after
an su unless the user ID is 0 (root).

FILES
/etc/pam.d/su PAM configuration for su.

EXAMPLES
su man -c catman
Runs the command catman as user man. You will be asked for man's
password unless your real UID is 0.
su man -c 'catman /usr/share/man /usr/local/man'
Same as above, but the target command consists of more than a sin-
gle word and hence is quoted for use with the -c option being
passed to the shell. (Most shells expect the argument to -c to be
a single word).
su -l foo
Simulate a login for user foo.
su - foo
Same as above.
su - Simulate a login for root.

SEE ALSO
csh(1), sh(1), group(5), passwd(5), environ(7), pam_group(8)

HISTORY
A su command appeared in Version 1 AT&T UNIX.

BSD September 13, 2006 BSD
(END)

I believe that the OP is confusing su with sudo.