See the link http://unix.stackexchange.com/questions/116529/i-cant-login-as-root-with-su-command-but-i-can-with-ssh

::In case users in mainland China cannot reach that link, the page is copied and pasted below::

How is it possible that I cannot log in as root by su root or su (I get an incorrect password error), but I can log in by ssh root@localhost or ssh root@my_local_IP with the same password?

I'm using CentOS 6.4.


Update 1:

cat /etc/pam.d/su

gives:

#%PAM-1.0
auth        sufficient  pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient  pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required    pam_wheel.so use_uid
auth        include     system-auth
account     sufficient  pam_succeed_if.so uid = 0 use_uid quiet
account     include     system-auth
password    include     system-auth
session     include     system-auth
session     optional    pam_xauth.so

Update 2:

$ sudo grep su /var/log/secure | grep -v sudo

gives:

Feb 23 13:12:17 fallah su: pam_unix(su:auth): authentication failure;
logname=fallah uid=501 euid=501 tty=pts/0 ruser=fallah rhost=  user=root

repeated about 20 times.

2 Answers

Accepted answer (+50 bounty)

In your comment, you said that /bin/su has the following mode/owner:

-rwxrwxrwx. 1 root root 30092 Jun 22 2012 /bin/su

There are two problems here.

  • it needs to have the set-uid bit turned on, so that it always runs with root permissions, otherwise when an ordinary (non-root) user runs it, it will not have access to the password info in /etc/shadow nor the ability to set the userid to the desired new user.

  • it ought to have the group and other write bits turned off, so that other users cannot alter it.

To fix this, log in as root (you said you can do this with ssh) and type

chmod 4755 /bin/su

or, alternatively,

chmod u+s,g-w,o-w /bin/su

(The standards document for chmod goes into more detail about what kinds of arguments it takes.) This will restore the mode bits to the way they were when the operating system was first installed. When you list this file, it ought to look like this:

-rwsr-xr-x. 1 root root 30092 Jun 22 2012 /bin/su

answered Feb 26 at 9:06, edited Feb 26 at 10:05

Mark Plotnick
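The two rules in the answer (set-uid bit on, group and other write bits off) can be turned into a small audit. The script below is an added example, not part of the original answer or of any CentOS tooling: it checks an octal mode the way `stat -c %a` prints it, reports each violated rule, and computes the mode `chmod` should restore. The `audit_setuid_file` wrapper assumes GNU coreutils `stat` (the `-c` format flag is a GNU extension); the sample modes passed at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): audit a set-uid helper such
# as /bin/su against the two rules given in the answer:
#   1. the set-uid bit (04000) must be on, or su cannot read /etc/shadow
#      nor switch uid when run by an ordinary user;
#   2. group (0020) and other (0002) write bits must be off, or any user
#      could replace the binary that everyone runs as root.

# check_setuid_mode MODE
#   MODE is an octal mode as printed by `stat -c %a` (e.g. 4755, 777).
#   Prints one line per violated rule; returns 0 only if the mode is fine.
check_setuid_mode() {
    mode=$((0$1))   # leading 0 forces octal interpretation: "777" -> 0777
    status=0
    if [ $((mode & 04000)) -eq 0 ]; then
        echo "missing set-uid bit (needs u+s)"
        status=1
    fi
    if [ $((mode & 0020)) -ne 0 ]; then
        echo "group-writable (needs g-w)"
        status=1
    fi
    if [ $((mode & 0002)) -ne 0 ]; then
        echo "world-writable (needs o-w)"
        status=1
    fi
    return $status
}

# fixed_mode MODE
#   Prints the corrected octal mode: set-uid forced on, g/o write forced off.
#   This is exactly what `chmod u+s,g-w,o-w` does; for 777 or 755 it yields 4755.
fixed_mode() {
    mode=$((0$1))
    printf '%o\n' $(( (mode | 04000) & ~0022 ))
}

# audit_setuid_file PATH
#   Real-file wrapper (assumes GNU stat). Also insists on root ownership,
#   since a set-uid bit only grants the privileges of the file's owner.
audit_setuid_file() {
    path=$1
    owner=$(stat -c %U "$path") || return 2
    mode=$(stat -c %a "$path") || return 2
    rc=0
    if [ "$owner" != root ]; then
        echo "$path: owned by $owner, expected root"
        rc=1
    fi
    check_setuid_mode "$mode" | sed "s|^|$path: |"
    if ! check_setuid_mode "$mode" >/dev/null; then
        echo "$path: run: chmod $(fixed_mode "$mode") $path"
        rc=1
    fi
    return $rc
}

# Demonstration on constructed sample modes (no files touched):
echo "mode 777 (the questioner's broken su):"
check_setuid_mode 777 || echo "  fix with: chmod $(fixed_mode 777) /bin/su"
echo "mode 4755 (stock CentOS su):"
check_setuid_mode 4755 && echo "  ok"
```

On a live system, `audit_setuid_file /bin/su` prints nothing and returns 0 when the mode is `4755` and the owner is root; after the questioner's `chmod -R 777 /bin` it reports all three rule violations and suggests `chmod 4755 /bin/su`, matching the answer's fix. A mode of `755` triggers only the first rule, which is why the questioner's habitual `chmod 755` would still leave su broken.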




I usually use something like chmod 755 /bin/su; what is the extra 4 for? – Alireza Fallah Feb 26 at 9:36



The 4 in the first position represents the set-uid permission. I've edited my answer to add an alternative way to use chmod using symbolic names for the permission bits. Hopefully that will be more clear. – Mark Plotnick Feb 26 at 9:44 



thank you very very much. I now figured out that I executed the chmod -R 777 /bin by mistake, and that's why I have been cursed :D –  Alireza Fallah Feb 26 at 9:47



I also asked another question, would you please see it, maybe you know the answer. –  Alireza Fallah Feb 26 at 10:08 



cyberciti.biz/tips/… describes how to use rpm to restore file permissions, but I have not tried it. – Mark Plotnick Feb 26 at 10:26