
Re: ksu



> I apologize for the short answer but I was in a hurry. There is no error
> message, ksu only prints "root's password:". It doesn't even contact the
> KDC.

It behaves that way if you don't have a ~root/.k5login. In that case
there is no point in contacting the KDC, since no principals are allowed
to ksu, so it prompts for the local root password.

> I've added my principal to /root/.k5login and set the setuid bit on the ksu
> binary. Is that all?

.k5login owner and permissions? Confusion with /.k5login and /root/.k5login?

> wheel?


    /* if su:ing to root, check membership of group wheel or root; if
       that group doesn't exist, or is empty, allow anyone to su
       root */
    if(su->pw_uid == 0) {
#ifndef ROOT_GROUP
#define ROOT_GROUP "wheel"
#endif
        int gs = group_member_p(ROOT_GROUP, login->pw_name);
        if(gs == GROUP_NOT_MEMBER) {
            syslog (LOG_ERR | LOG_AUTH, "%s to %s: not in group %s",
                    login->pw_name, su->pw_name, ROOT_GROUP);
            return 1;
        }
        return 0;
    }

So if your group stuff is different from what is expected, you get something in syslog.

Harald.
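
The group check quoted in the message above, worked through as an added example (not part of the original message and not the su source). It shows which of the four possible group states actually denies su to root. GROUP_NOT_MEMBER comes from the quoted excerpt; every other name here is a hypothetical chosen for illustration.

```c
/* Added example, not the su.c source quoted above. GROUP_NOT_MEMBER is the
   only constant taken from that excerpt; all other names are hypothetical. */
#include <grp.h>
#include <stdio.h>
#include <string.h>

enum { GROUP_MISSING, GROUP_EMPTY, GROUP_NOT_MEMBER, GROUP_MEMBER };

/* Classify `user` against a group's member list (gr_mem from struct group).
   members == NULL stands for "getgrnam() found no such group". */
static int classify_members(char *const *members, const char *user)
{
    if (members == NULL)
        return GROUP_MISSING;
    if (members[0] == NULL)
        return GROUP_EMPTY;
    for (size_t i = 0; members[i] != NULL; i++)
        if (strcmp(members[i], user) == 0)
            return GROUP_MEMBER;
    return GROUP_NOT_MEMBER;
}

/* Same decision as the quoted check: only GROUP_NOT_MEMBER denies, so a
   missing or empty group lets anyone through this gate. */
static int su_root_denied(char *const *members, const char *user)
{
    return classify_members(members, user) == GROUP_NOT_MEMBER;
}

/* Look the group up on the running system and apply the same decision. */
static int su_root_denied_for(const char *group, const char *user)
{
    struct group *g = getgrnam(group);
    return su_root_denied(g ? g->gr_mem : NULL, user);
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "nobody";
    const char *group = argc > 2 ? argv[2] : "wheel";
    int denied = su_root_denied_for(group, user);
    printf("%s -> root via group %s: %s\n", user, group,
           denied ? "denied (look for the syslog line)"
                  : "not blocked by the group check");
    return denied;
}
```

This example reads only gr_mem, which lists the members named in the group entry itself; a user who has the group solely as primary gid in the passwd entry does not appear there and is classified as GROUP_NOT_MEMBER.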