su / shadow & /etc/suauth

Dan Nicholson dbn.lists at gmail.com
Wed Jan 3 17:13:29 PST 2007


On 1/2/07, Julien Lecomte <julien at famille-lecomte.net> wrote:
>
> I can't get 'su' and '/etc/suauth' to work correctly on my 6.2 LFS
> system. My system is up and running correctly apart from this minor problem.
>
> When I 'su', it doesn't seem that '/etc/suauth' is used. For example, my
> /etc/suauth (root:root, 600) only contains
> root:ALL EXCEPT GROUP wheel:DENY

I've never tried using suauth, but I just looked at the source, and it
is only enabled if you're using PAM. BLFS has support for building
shadow against PAM and/or cracklib. Read the warnings, though. You
don't want to get into a situation where you can't log in to your
system.

http://www.linuxfromscratch.org/blfs/view/svn/postlfs/shadow.html

> As a user, I can su to root (or any other account), which actually
> should be denied. BTW, if I su and enter a wrong password, there is no
> delay before being returned to the shell prompt, that is, FAIL_DELAY
> from /etc/login.defs doesn't seem to be used.

Could be wrong, but I also think that FAIL_DELAY is only honored if
shadow is built against PAM. I know I have shadow linked against PAM
and FAIL_DELAY is honored. Shadow is a bit of a mess in some spots to
tell what functionality corresponds to what library.

--
Dan
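
The rule quoted in the message above, evaluated offline; this is an added example, not part of the original post and not shadow's own code. It follows the field grammar documented in suauth(5) (to-id:from-id:ACTION, first matching line wins), the account and group names are constructed, and it only shows what the rule would decide if su consults the file.

```python
ACTIONS = {"DENY", "NOPASS", "OWNPASS"}

def _selects(spec, user, groups, allow_group):
    """True if a to-id/from-id field selects `user` (a member of `groups`)."""
    words = spec.split()
    negate = False
    if words[:1] == ["ALL"]:
        if len(words) == 1:
            return True
        if words[1] != "EXCEPT":
            raise ValueError(f"bad field: {spec!r}")
        negate, words = True, words[2:]
    by_group = words[:1] == ["GROUP"]
    if by_group:
        if not allow_group:
            raise ValueError("GROUP is only valid in from-id")
        words = words[1:]
    names = {n for n in "".join(words).split(",") if n}
    if not names:
        raise ValueError(f"bad field: {spec!r}")
    hit = bool(names & groups) if by_group else user in names
    return hit != negate

def decide(suauth_text, from_user, from_groups, to_user):
    """Return the ACTION of the first matching line, or None (normal su)."""
    for raw in suauth_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3 or parts[2] not in ACTIONS:
            raise ValueError(f"malformed suauth line: {raw!r}")
        to_spec, from_spec, action = parts
        # from_groups must be the caller's memberships listed in /etc/group
        if (_selects(to_spec, to_user, set(), False)
                and _selects(from_spec, from_user, set(from_groups), True)):
            return action
    return None

# The single rule from the post; alice and bob are constructed accounts.
RULE = "root:ALL EXCEPT GROUP wheel:DENY\n"

if __name__ == "__main__":
    for who, grps in (("alice", {"users"}), ("bob", {"users", "wheel"})):
        print(who, "-> root:", decide(RULE, who, grps, "root"))
```

A result of `None` means no suauth line applied and su falls back to its normal password check.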


