Subject: bin/29891: su(1) does not seem to honor SU_ROOTAUTH any more
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: None <arto@selonen.org>
List: netbsd-bugs
Date: 04/05/2005 09:35:00
>Number:         29891
>Category:       bin
>Synopsis:       su(1) does not seem to honor SU_ROOTAUTH any more
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Apr 05 09:35:00 +0000 2005
>Originator:     Arto Selonen
>Release:        NetBSD-current 3.99.3 ~20050404
>Organization:
>Environment:
NetBSD blah 3.99.3 NetBSD 3.99.3 (BLAH) #0: Mon Apr  4 14:25:52 EEST 2005  blah@blah:/obj/sys/arch/i386/compile/BLAH i386

>Description:
I've used pkgsrc/sysutils/sux with SU_ROOTAUTH set to 'rootauth'
in /etc/mk.conf. This has worked well, even with PAM (uncommenting
one line in /etc/pam.d/su).

When upgrading -current from ~20050204 using whatever sources
anoncvs us2 mirror gave on 20050404, I am no longer able to use
su unless I belong to 'wheel' group (never needed that before).

% id
uid=520(blah) gid=520(blah) groups=520(blah),50000(rootauth)

% sux
su: You are not listed in the correct secondary group (wheel) to su root.
su: Sorry: authentication error
Exit 1

% su
su: You are not listed in the correct secondary group (wheel) to su root.
su: Sorry: authentication error
Exit 1

% fgrep SU_ /etc/mk.conf 
SU_ROOTAUTH=            rootauth

The man page is not clear whether one would need to *also* set SU_GROUP,
but previously it was not necessary. Since this can lock people out
from remotely administered systems, I'm filing it as serious/medium.

I have not tested setting SU_GROUP (and don't intend to). As a workaround one could go to 'wheel'.

I noted a thread 'su and PAM' in current-users on March, 2005 which
had somewhat similar symptoms. In that thread the problem disappeared
after rebuilding from scratch, so I tried that too. Removing all object
directories + $DESTDIR and rebuilding still produces the 'wheeling' su.

Here is what a similar setup on 2.99.15 gives me:

% uname -mr
2.99.15 i386

% id
uid=520(blah) gid=520(blah) groups=520(blah),50000(rootauth)

% fgrep SU_ /etc/mk.conf 
SU_ROOTAUTH=            rootauth

% sux
Password:
# 

I happened to have one 2.99.16 system from ~20050307, and there
su/sux does not work any longer, but requires 'wheel'. So, the change
was done some time between 20050204 and 20050307.

>How-To-Repeat:
1) Stock -current
2) set SU_ROOTAUTH=somename in /etc/mk.conf
3) create group 'somename' with a member in it
4) upgrade -current
5) install pkgsrc/sysutils/sux
6) note that an account belonging to the 'somename' group cannot use su/sux
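Added example, not part of this PR or of NetBSD's su(1) source: a small POSIX sh
check an administrator can run before rebuilding and installing -current, to
confirm that the admin account is listed as a member of whichever secondary
group su will actually require (the SU_ROOTAUTH group, or 'wheel' if the build
has fallen back to the default). It models only the member-list part of su's
check; the /etc/group lines in GROUP_DATA, the account 'blah' and the group
'rootauth' are constructed to match the id(1) output above.

```sh
#!/bin/sh
# Pre-upgrade lockout check (added example, not from the PR or from su.c).
# Models su's "correct secondary group" test against /etc/group-style data
# so you can see whether an account would still be able to su root.

# Constructed sample of /etc/group; replace with: GROUP_DATA=$(cat /etc/group)
GROUP_DATA='wheel:*:0:root
rootauth:*:50000:blah
blah:*:520:'

# in_group USER GROUP: exit 0 if USER appears in GROUP's member list, else 1.
in_group() {
    _user=$1
    _group=$2
    printf '%s\n' "$GROUP_DATA" | awk -F: -v g="$_group" -v u="$_user" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# su_check USER GROUP: report, in the wording su prints, whether USER would
# pass the secondary-group test for GROUP. Returns 0 on pass, 1 on fail.
su_check() {
    if in_group "$1" "$2"; then
        echo "ok: $1 is in secondary group $2"
        return 0
    fi
    echo "would fail: $1 is not listed in the correct secondary group ($2) to su root"
    return 1
}

# Usage: check the account against both the configured group and the default,
# since the PR reports su reverting to 'wheel' after an upgrade.
su_check blah rootauth
su_check blah wheel
```

If the second line reports "would fail", the account depends entirely on the
SU_ROOTAUTH build setting being honored; add the account to 'wheel' (or keep a
second session open) before installing the new su binary on a remote machine.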

>Fix: