SU command won't work in Lion running 10.7.1

Discussion in 'Mac OS X Lion (10.7)' started by OngL, Sep 6, 2011.

  1. macrumors member

    Joined:
    Feb 17, 2009
    #1
    Hi All,

    I have an iMac, 3 MBPs running Lion and Snow Leopard. In all of them, su command works just fine and of course I had no issues with them for many years.

    I just bought a MBA 2011 and it came with Lion 10.7, which I updated to 10.7.1. The su command simply refuses to work. It displays 'su: sorry' as if I typed the wrong password.

    1) I tried my own account password, which is an administrator. Didn't work.
    2) Enabled the root account and set the password. Didn't work. (I checked on all my other machines: I don't need to enable root there, as the 'enable root' option is still available, whereas if it had been enabled only the 'disable root' option would be displayed.)
    3) Created another account (admin) also didn't work.

    What did I miss here?
     
  2. macrumors 6502a

    Joined:
    Sep 23, 2009
    #2
    From "man":

    "The su utility requests appropriate user credentials via PAM and switches to that user ID (the default user is the superuser). A shell is then executed.

    "PAM is used to set the policy su(1) will use. In particular, by default only users in the ``admin'' or ``wheel'' groups can switch to UID 0 (``root''). This group requirement may be changed by modifying the ``pam_group'' section of /etc/pam.d/su. See pam_group(8) for details on how to modify this setting."

    Apparently, the default of "su" usage has been modified for Lion.
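
The group requirement quoted from the man page in post #2 can be checked directly. This is an added example, not part of the original thread: it reads the `group=` option from a constructed sample of /etc/pam.d/su (assumed contents, modeled on the admin/wheel default the man page describes) and tests a user's group list against it. The function names are hypothetical, and other pam_group options are ignored.

```shell
#!/bin/sh
# Constructed sample of an su PAM policy (assumption); the real file is /etc/pam.d/su.
SAMPLE_PAM_SU='# su: auth account session
auth       sufficient     pam_rootok.so
auth       required       pam_opendirectory.so
account    required       pam_group.so no_warn group=admin,wheel ruser root_only fail_safe
account    required       pam_opendirectory.so no_check_shell'

# Print the comma-separated group list from the first active pam_group line.
# usage: pam_su_groups "<pam config text>"
pam_su_groups() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        $3 ~ /pam_group/ {                       # third field is the module name
            for (i = 4; i <= NF; i++)
                if ($i ~ /^group=/) { sub(/^group=/, "", $i); print $i; exit }
        }'
}

# Return 0 if any of the user's groups (space-separated) is in the allowed list.
# usage: su_group_allowed "<pam config text>" "<user groups>"
su_group_allowed() {
    allowed=$(pam_su_groups "$1")
    [ -n "$allowed" ] || return 0                # no pam_group restriction configured
    for g in $2; do
        case ",$allowed," in
            *",$g,"*) return 0 ;;                # exact match on a whole group name
        esac
    done
    return 1
}

# On a real system: su_group_allowed "$(cat /etc/pam.d/su)" "$(id -Gn)"
if su_group_allowed "$SAMPLE_PAM_SU" "staff admin"; then
    echo "group policy permits su to root; look at the authentication step instead"
else
    echo "pam_group would deny su to root for this user"
fi
```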
     
  3. thread starter macrumors member

    Joined:
    Feb 17, 2009
    #3
    On the logs:
    2:36:25 AM su: BAD SU (username) to root on /dev/ttys000
    2:36:25 AM su: in pam_sm_authenticate(): OpenDirectory - User record NULL

    This is strange.... The existing system of Snow Leopard upgraded to Lion doesn't have this issue... I have two 2MBP on SL upgraded to Lion. So this applies only to fresh Lion?
     
  4. PeterHolbrook, Sep 6, 2011
    Last edited: Sep 6, 2011

    macrumors 6502a

    Joined:
    Sep 23, 2009
    #4
    My Lion was an upgrade, and I also have this issue. Actually, "su" behaves as if I was entering the wrong administrative password. I'm not sure right now how to fix the situation, except, perhaps, manually editing /etc/pam.d/su, which might be tricky, considering "su" doesn't work as expected. Anyone?

    EDIT: I have just verified permissions. One of the oddities reported was "ACL found but not expected on 'private/var/root/'". It appears Disk Utility can't repair it.

    EDIT2: The "ACL found..." is supposedly an innocuous one. In any case, it can be safely repaired using ACLr8 version 1.2.2 by nomulous (Google it).

    EDIT3: It has just occurred to me: What is it you want to run, "su" or "sudo"? Sudo seems to work as usual.
     
  5. macrumors newbie

    Joined:
    Jan 6, 2012
    #5
    Doesn't work for me, either

    I'm not the original poster, but I've discovered the exact same problem. SU doesn't always work as intended, or at least that's what it appears to me.

    I'm using SU to pull a password out of a specific user's Keychain. I use the following:

    su - greg -c "security find-generic-password -ga EncFS"

    It returns the following:

    keychain: "/Users/greg/Library/Keychains/login.keychain"
    class: "genp"
    attributes:
    0x00000007 <blob>="EncFS"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="EncFS"
    "cdat"<timedate>=0x32303132303130353134343535395A00 "20120105144559Z\000"
    "crtr"<uint32>=<NULL>
    "cusi"<sint32>=<NULL>
    "desc"<blob>=<NULL>
    "gena"<blob>=<NULL>
    "icmt"<blob>=<NULL>
    "invi"<sint32>=<NULL>
    "mdat"<timedate>=0x32303132303130363139343231335A00 "20120106194213Z\000"
    "nega"<sint32>=<NULL>
    "prot"<blob>=<NULL>
    "scrp"<sint32>=<NULL>
    "svce"<blob>="EncFS"
    "type"<uint32>=<NULL>
    password:

    Which is fine, but what I want is the password. As you can see the password is blank. I get "password: ", and nothing after it.

    If I run that same command as the user, I get

    keychain: "/Users/greg/Library/Keychains/login.keychain"
    class: "genp"
    attributes:
    0x00000007 <blob>="EncFS"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="EncFS"
    "cdat"<timedate>=0x32303132303130353134343535395A00 "20120105144559Z\000"
    "crtr"<uint32>=<NULL>
    "cusi"<sint32>=<NULL>
    "desc"<blob>=<NULL>
    "gena"<blob>=<NULL>
    "icmt"<blob>=<NULL>
    "invi"<sint32>=<NULL>
    "mdat"<timedate>=0x32303132303130363139343231335A00 "20120106194213Z\000"
    "nega"<sint32>=<NULL>
    "prot"<blob>=<NULL>
    "scrp"<sint32>=<NULL>
    "svce"<blob>="EncFS"
    "type"<uint32>=<NULL>
    password: "password123"

    You can see that it properly shows the password, password123, in quotes.

    This worked in Snow Leopard, but now it doesn't work in Lion.

    Any thoughts?
     
  6. macrumors 68030

    Joined:
    Oct 19, 2011
    Location:
    Switzerland
  7. macrumors G4

    Joined:
    Jul 17, 2002
    Location:
    USA
    #7
    The su command has not changed since 2006:

    I believe that the OP is confusing su with sudo.
     
