
Re: su and chsh never work



On 30/12/99 matt garman wrote:

I just installed potato via the floppy+ftp method.

For some odd reason, I cannot "su" to root as a normal user, it
always says I have the wrong password.  But I can switch to a
different virtual terminal and login as root with the same password,
no problem.

Also, as a user I tried to change my shell with "chsh" and
it behaves the same as su, i.e. it always says wrong password for
my username.  I can login with this password just fine, though.

I tried both commands several times slowly, so I cannot be typing
two different passwords incorrectly.

I just reinstalled a potato system 3 days ago using the 2.2.3 potato boot floppies, and the base system was installed with massively wrong permissions:

1) There were NO suid/sgid binaries, including chsh, chfn, login, passwd, su et al. This means ONLY root may login to the virtual consoles; any other uids will fail. This also means su, chsh, chfn et al will not work. Nothing PAM related will work since /sbin/unix_chkpwd is not suid.

2) Any file or directory that has a symlink associated with it has permissions of 777. This includes much of the libc, /sbin/init, /usr/sbin/adduser, and many many many more. Also most of /usr/share/doc had mode 777.

3) Most of /dev/* has wrong owners/permissions. I just rm -rf'ed it and grabbed a properly extracted version from base2_2.tgz.

Unfortunately I did not notice this massive mess till after I installed the rest of the system, so I had to do many finds (for all the mode 777 stuff) and general looking around to fix the huge security hole. For the suid/sgid, I extracted a copy of the base system into a temporary directory with tar -zxvpf and did finds for all suid/sgid and set the modes manually (there are not too many in the base system). I also had to take the /dev/ directory from the manually extracted base and replace the screwed up version that I had. I also used the base as a reference for what the right permissions were for the 777 stuff, as well as owners/groups.

Now hopefully this is not what happened to you, and you can check to see if /etc/pam.d/ has the right files for chsh and chfn and su...

You should also scan for users and groups that are not root in all the /lib and /usr hierarchies. There have been a few packages installing all their files under uid 1000 and such; some do not have owners at all (uid 4000ish).


--
Ethan Benson
To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/
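
The reference-tree comparison described in the reply above, as an added example that is not part of the original message: it reports files whose mode or owner differs from a separately extracted base tree, plus world-writable and unowned files. It assumes GNU stat and find; the function names and the sample trees are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: compare modes/owners under ROOT against a reference tree REF
# (e.g. the base tarball unpacked as root with "tar -zxvpf" into a scratch dir).
# Assumes GNU stat and find. Function and path names are hypothetical.
audit_perms() {
    ref=$1 root=$2
    # Regular files and directories only: a symlink's own mode is always 777.
    ( cd "$ref" && find . \( -type f -o -type d \) -print ) |
    while IFS= read -r rel; do
        rel=${rel#./}
        [ -e "$root/$rel" ] || continue
        want=$(stat -c '%a:%u:%g' "$ref/$rel")
        have=$(stat -c '%a:%u:%g' "$root/$rel")
        # A lost suid bit shows up here as e.g. want=4755 have=755.
        [ "$want" = "$have" ] ||
            printf 'MISMATCH %s want=%s have=%s\n' "$rel" "$want" "$have"
    done
    # Independent of the reference: world-writable without the sticky bit.
    find "$root" \( -type f -o -type d \) -perm -0002 ! -perm -1000 -print |
        sed 's/^/WORLD-WRITABLE /'
    # Files whose uid or gid has no passwd/group entry.
    find "$root" \( -nouser -o -nogroup \) -print | sed 's/^/UNOWNED /'
}

# Constructed sample: a reference tree and a copy with the suid bit missing
# on bin/su and a mode-777 library, mirroring the symptoms in the message.
build_demo() {
    d=$1
    mkdir -p "$d/ref/bin" "$d/ref/lib" "$d/root/bin" "$d/root/lib"
    for t in ref root; do : > "$d/$t/bin/su"; : > "$d/$t/lib/libdemo.so"; done
    chmod 4755 "$d/ref/bin/su";  chmod 644 "$d/ref/lib/libdemo.so"
    chmod 755  "$d/root/bin/su"; chmod 777 "$d/root/lib/libdemo.so"
}

# Stand-alone use: sh <this script> REF ROOT
if [ "$#" -eq 2 ]; then audit_perms "$1" "$2"; fi
```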

