
I'm able to SSH to my server (CentOS 5.9) using an admin account with sudo privileges:

$ ssh admin@myserver
Last login: Wed Feb 27 19:23:11 2013 from [IP ADDRESS]
[admin@myserver ~]$

Then I can su to root:

[admin@myserver ~]$ sudo su root
[sudo] password for admin: 
[root@myserver admin]# 

But I can't su to another user, and the su command is not telling me why:

[admin@myserver ~]$ sudo su anotheruser
[admin@myserver ~]$ whoami
admin

Any idea why I can su to root, but not to other users?

How can I get su to tell me why it is not doing what I want it to do?

ChiCgi
  • Don't use `sudo`, just `su`. Try `su root`, then `su user` as root. Then for more details, try `su user` as admin. – Chloe Feb 28 '13 at 01:01
  • @Chloe `sudo su anotheruser` most certainly can work. It just needs to be granted in `/etc/sudoers`. – Aaron Copley Feb 28 '13 at 01:04
  • 1
    (Reason being is that it may not be desirable to know the target user's password. Sudo allows you to authenticate as yourself.) – Aaron Copley Feb 28 '13 at 01:10
  • Why don't you just give those users permission to run commands as the other users in `/etc/sudoers` and forget this unnecessary indirection? – Michael Hampton Feb 28 '13 at 01:51

3 Answers


In case it's useful to someone else: I just ran into the same symptoms but the answer had nothing to do with sudo configuration.

Instead, it mattered which user I was trying to su to. The target user was a service pseudo-user (jenkins) which had /bin/false as its shell. The fix was to change the shell to a valid one (using chsh).
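The answer above points at the login shell of the target account. When `su` switches to a user whose shell is `/bin/false` or `/sbin/nologin`, it starts that program as the new shell; the program exits immediately, so you land back in your original shell with no message, and `/var/log/secure` shows a PAM session opened and closed in the same second. The script below is an added diagnostic, not code from the answer or from CentOS: it parses passwd-format records and reports whether `su <user>` would behave that way. The `/etc/passwd` excerpt embedded in it is constructed for the example; on a real host, pass a username and it reads `getent passwd` instead. The workaround it suggests, `su -s /bin/bash <user>` (or `sudo -u <user> /bin/bash`), bypasses the account's login shell without changing it.

```shell
#!/bin/sh
# Added example: explain why "su <user>" can exit silently.
# Not from the original answer; the passwd excerpt below is constructed.

# Constructed /etc/passwd excerpt (not from any real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
admin:x:500:500:Admin:/home/admin:/bin/bash
jenkins:x:499:499:Jenkins CI:/var/lib/jenkins:/bin/false
apache:x:48:48:Apache:/var/www:/sbin/nologin'

# login_shell_of USER PASSWD_TEXT
#   Prints the 7th passwd field (login shell) for USER; fails if USER is absent.
login_shell_of() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        $1 == u { print $7; found = 1 }
        END { if (!found) exit 1 }'
}

# su_would_silently_fail USER PASSWD_TEXT
#   Returns 0 when the login shell is a non-login program that exits at once,
#   1 when it is a normal shell, 2 when the user does not exist.
su_would_silently_fail() {
    shell=$(login_shell_of "$1" "$2") || { echo "no such user: $1" >&2; return 2; }
    case "$shell" in
        /bin/false|/sbin/nologin|/usr/sbin/nologin|"") return 0 ;;
        *) return 1 ;;
    esac
}

# explain USER PASSWD_TEXT
#   Prints a one-line verdict and, where needed, the su -s workaround.
explain() {
    shell=$(login_shell_of "$1" "$2") || { echo "$1: no such user"; return 0; }
    if su_would_silently_fail "$1" "$2"; then
        echo "$1: login shell is $shell; 'su $1' runs it and it exits at once." \
             "Use: su -s /bin/bash $1   (or: sudo -u $1 /bin/bash)"
    else
        echo "$1: login shell is $shell; su should give an interactive shell"
    fi
}

# Usage on a real host:  sh check_su.sh jenkins
# With no argument, run against the constructed sample.
if [ $# -gt 0 ]; then
    explain "$1" "$(getent passwd "$1")"
else
    explain jenkins "$SAMPLE_PASSWD"
    explain admin "$SAMPLE_PASSWD"
fi
```

The check only looks at the shell field; `su` can also fail for reasons this does not cover (a PAM `pam_wheel`/`pam_listfile` rule, or an expired account), which is why reading `/var/log/secure` remains the first step.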


Check /var/log/security and /var/log/auth.log.

Why are you using sudo to use su? You don't need to do that unless you change your standard ACLs.

If you use sudo, then the issue might be related to your sudoers file. Verify you have it configured properly.

CIA

What permissions are granted in /etc/sudoers to admin?

Also, as root, you could always su - anotheruser. An extra step perhaps, but without knowing anything about your sudoers file this will work.

Aaron Copley
  • My permissions in /etc/sudoers look like this: `root ALL=(ALL) ALL` `%admins ALL=(ALL) ALL` The admin user is in the admins group. – ChiCgi Feb 28 '13 at 01:10
  • 2
    You're going to need to look in `/var/log/secure`, then. Sudo / su log to the authpriv facility which generally goes to `/var/log/secure`. – Aaron Copley Feb 28 '13 at 01:16
  • I would double (triple) check the group membership of admin user. Is it a local group or domain? Try adding the user by name to `/etc/sudoers` to test and eliminate a point of failure. – Aaron Copley Feb 28 '13 at 01:17
  • That's great feedback. I can see the su command working from admin to root in the /var/log/secure, but I find this for the admin user trying to su to anotheruser: `Feb 28 10:03:38 myserver su: pam_unix(su-l:session): session opened for user anotheruser by admin(uid=0)` `Feb 28 10:03:38 myserver su: pam_unix(su-l:session): session closed for user anotheruser` I'm still not exactly sure what's going on except that it's opening a session and then immediately closing the session. – ChiCgi Feb 28 '13 at 15:12
  • I've also added the admin user to the sudoers file just below root like this: `admin ALL=(ALL) ALL`. Still no luck. The root user is also not able to su to another user account--not just the admin. I can, however, su from root to admin and vice-versa. – ChiCgi Feb 28 '13 at 15:22
  • I think something has been changed in PAM to deny this. Default settings permit it. (I've tested it on a workstation here.) Try verifying your `/etc/pam.d/su*` files with `rpm -V sudo` and `rpm -V coreutils`. (Look for `/etc/pam.d/su*` files in particular.) If you have another box load it up with a clean install and test there. – Aaron Copley Feb 28 '13 at 17:00
  • Hmm, it looks like after adding the `admin ALL=(ALL) ALL` to the sudoers file did the trick after all. I'm not sure why it wasn't working at first (maybe the settings were cached). It seems to be working now. – ChiCgi Mar 01 '13 at 17:11
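The comment thread above quotes the telltale `/var/log/secure` lines: `su` opened a PAM session for `anotheruser` and closed it within the same second. That pairing is what you get when the target's login shell exits immediately (a `/bin/false` or `/sbin/nologin` shell), as opposed to a sudoers denial, which is logged by `sudo` as a refusal rather than by `su` as an open/close pair. The script below is an added example, not code from the thread: it runs over syslog-format `su` lines, pairs each "session opened" with the following "session closed" for the same user, and reports sessions that lasted under two seconds. The log lines embedded in it are constructed in the format the comments quote; on a real host, pass the path to `/var/log/secure`.

```shell
#!/bin/sh
# Added example: find su sessions in /var/log/secure that closed almost as
# soon as they opened. Not from the thread; the sample lines are constructed.

# Constructed sample, modelled on the pam_unix lines quoted in the comments.
SAMPLE_SECURE='Feb 28 10:03:38 myserver su: pam_unix(su-l:session): session opened for user anotheruser by admin(uid=0)
Feb 28 10:03:38 myserver su: pam_unix(su-l:session): session closed for user anotheruser
Feb 28 10:05:01 myserver su: pam_unix(su-l:session): session opened for user root by admin(uid=500)
Feb 28 10:07:45 myserver su: pam_unix(su-l:session): session closed for user root'

# short_su_sessions LOGTEXT
#   Prints "user seconds" for every su session that lasted under 2 seconds.
#   Field 3 of a syslog line is the HH:MM:SS timestamp; the username follows
#   "session opened for user" and is the last field of a "session closed" line.
short_su_sessions() {
    printf '%s\n' "$1" | awk '
        function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
        / su: / && /session opened for user/ {
            u = $0
            sub(/.*session opened for user /, "", u)   # drop everything before the name
            sub(/ .*/, "", u)                          # drop "by admin(uid=...)"
            opened[u] = secs($3)
        }
        / su: / && /session closed for user/ {
            u = $NF
            if (u in opened) {
                d = secs($3) - opened[u]
                if (d < 2) print u, d
                delete opened[u]
            }
        }'
}

# Usage on a real host:  sh short_su.sh /var/log/secure
# With no argument, run against the constructed sample.
if [ $# -gt 0 ]; then
    short_su_sessions "$(cat "$1")"
else
    short_su_sessions "$SAMPLE_SECURE"
fi
```

A hit from this script says only that the shell `su` started exited at once; confirm the cause with `getent passwd <user>` and look at the seventh field before changing anything with `chsh`.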