用strace解决“su - root"的Authentication failure问题
用strace解决“su - root"的Authentication failure问题
工作中突然发现有一台linux机器不能su 到root, 即便密码是正确的,也还是提示: The password is too strict. 之类的错误;后来经过很多折腾找到了原因,这里re-produce 这个问题,以供大家参考下解决问题的思路: 如果你首先想到的是sudo的配置,建议你再回顾下sudo与su的区别;因为这个问题跟sudo 就不沾边啊,这里是直接用su - root 就报错,所以与sudo的配置没有关系;下面分享下如何解决这类问题: A.首先产生现象(centos7 的环境):
[root@localhost ~]# su - test_user
Last login: Wed Aug 21 03:05:27 CST 2019 on pts/0
[test_user@localhost ~]$ su - root
Password:
su: Authentication failure #这里提示 Authentication failure 的错误;
[test_user@localhost ~]$B. 一般对于"Authentication" 相关的问题,考虑过程大致是:首先是密码是否正确,然后是PAM的配置是否有错误,然后是密码文件的访问问题; 密码不正确不在本次讨论范围之内,剩下就是PAM的配置问题和密码文件的访问问题,因为PAM的配置错误找起来比较费事,所以这里首先考虑密码文件的访问问题,解决问题都是先排除简单的可能,在考虑复杂的可能性, 你不会是反过来做的把?哈哈 如果你做过系统安全加强,一定会知道/etc/shadow 这个文件应该属于root, 所以首先检查/etc/shadow这个文件的权限:
[test_user@localhost ~]$ ls -l /etc/shadow
----------. 1 root root 1079 Aug 21 03:01 /etc/shadow既然/etc/shadow的权限没有问题,所以考虑用strace 来判断下,其中-e open 表示跟踪系统调用open, -f 表示跟踪到fork的子进程,-o 表示输出跟踪结果到文件;
[test_user@localhost ~]$ strace -f -e open -o su_fail_strace.txt su - root
Password:
su: Authentication failure
[test_user@localhost ~]$文件拿到了,打开文件,我们可以看到都是open函数的调用;虽然只有149行,但是放在这里还是太多了,所以这里截取错误信息(open函数的返回值为-1)相关的上下文:
[test_user@localhost ~]$ wc -l su_fail_strace.txt
149 su_fail_strace.txt
[test_user@localhost ~]$ vim su_fail_strace.txt
[test_user@localhost ~]$ ls -l /etc/shadow
----------. 1 root root 1079 Aug 21 03:01 /etc/shadow
[test_user@localhost ~]$ vim su_fail_strace.txt
......
46 2941 open("/lib64/libuuid.so.1", O_RDONLY|O_CLOEXEC) = 6
47 2941 open("/lib64/libattr.so.1", O_RDONLY|O_CLOEXEC) = 6
48 2941 open("/usr/lib64/elfutils/tls/x86_64/libelf.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
49 2941 open("/usr/lib64/elfutils/tls/libelf.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
50 2941 open("/usr/lib64/elfutils/x86_64/libelf.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
51 2941 open("/usr/lib64/elfutils/libelf.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
52 2941 open("/lib64/libelf.so.1", O_RDONLY|O_CLOEXEC) = 6
53 2941 open("/usr/lib64/elfutils/libbz2.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
54 2941 open("/lib64/libbz2.so.1", O_RDONLY|O_CLOEXEC) = 6
55 2941 open("/usr/lib64/security/pam_unix.so", O_RDONLY|O_CLOEXEC) = 6
56 2941 open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 6
57 2941 open("/lib64/libcrypt.so.1", O_RDONLY|O_CLOEXEC) = 6
......
98 2944 open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
99 2944 open("/lib64/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
100 2944 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
101 2944 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
102 2944 open("/etc/shadow", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
103 2944 open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
104 2944 open("/lib64/libnss_sss.so.2", O_RDONLY|O_CLOEXEC) = 3
105 2944 open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 3
106 2944 +++ exited with 7 +++
107 2941 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=2944, si_uid=1001, si_status=7, si_utime=0, si_stime=11} ---
108 2941 open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 5
109 2941 open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/Linux-PAM.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
110 2941 open("/usr/share/locale/en_US.utf8/LC_MESSAGES/Linux-PAM.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
111 2941 open("/usr/share/locale/en_US/LC_MESSAGES/Linux-PAM.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
112 2941 open("/usr/share/locale/en.UTF-8/LC_MESSAGES/Linux-PAM.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
113 2941 open("/usr/share/locale/en.utf8/LC_MESSAGES/Linux-PAM.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
114 2941 open("/usr/share/locale/en/LC_MESSAGES/Linux-PAM.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
......在上面结果中,102行的错误:102 2944 open("/etc/shadow", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied) 比较值得怀疑,因为我们知道su - root的时候,肯定是需要读取/etc/shadow 来进行密码验证的啊,可是这里却发生了read时候的permission denied 问题;所以十之八九就是这里的问题; 相信有不少人会想着把/etc/shadow的权限改成777试试吧,想法不错,但是你查看正常server的权限也不是777吧,所以这个不是根本的原因; THINKING....THINKING....THINKING....THINKING....THINKING....THINKING... 想一想改密码时候,你没有/etc/shadow的权限,但是依然可以修改成功密码. 说到这里,你应该知道了吧:特殊权限位s. 赶紧看下:
[test_user@localhost ~]$ vim su_fail_strace.txt
[test_user@localhost ~]$ ls -l `which passwd` `which su`
-rwsr-xr-x. 1 root root 27832 Jun 10 2014 /bin/passwd
-rwxr-xr-x. 1 root root 32208 Mar 14 18:37 /bin/su
[test_user@localhost ~]$果然不一样,那加上s位实验下:
[root@localhost ~]# chmod +s `which su`
[root@localhost ~]# su - test_user
Last login: Wed Aug 21 03:07:13 CST 2019 on pts/0
[test_user@localhost ~]$ su - root
Password:
Last login: Wed Aug 21 03:05:33 CST 2019 on pts/0
[root@localhost ~]#成功解决问题! 看起来很完美,是不是! 本文原创,转载请注明出处
腾讯云开发者
