SUMMARY: su hangs

From: Jeffrey Marans (jeff@erie.irc.nrc.ca)
Date: Mon Dec 07 1992 - 17:33:45 CST


A number of people replied to my request for help with
a hanging su. I think Andie Ness must have come
closest with
                "When we had this problem, I managed to
                track it down to a misbehaving
                syslogd - trace /bin/su hung on sendto's.

                I killed the syslogd, restarted it and
                everything worked fine after that."
I say must because I rebooted my machine a couple
of hours after posting to the net and it came up
with everything back to normal.
                    ....................

Grateful thanks to:
        Harumi Anne Kuno <kuno@engin.umich.edu>
        Gene Rackow <rackow@antares.mcs.anl.gov>
        adam%bwnmr4@harvard.harvard.edu (Adam Shostack)
        Daniel Trinkle trinkle@cs.purdue.edu
        mike_titus <mike@sleepy.haystack.edu>
        wallen@cogsci.UCSD.EDU (Mark R. Wallen)
        Hal Stern stern@sunne.East.Sun.COM
        Borje Josefsson <bj@dc.luth.se>
        Andie Ness <andie@cstr.edinburgh.ac.uk>
                    ....................

Harumi Anne Kuno <kuno@engin.umich.edu>
Some things to check:

        1) try running trace as you su, then grep for open out of the trace.
           for example: trace -o /tmp/foo su

        2) Do you run pwdauthd? If so, make sure that it is running.
           How about auditd?

        3) Is your /etc/groups file hosed?
                    ....................

Gene Rackow <rackow@antares.mcs.anl.gov>
The filesystem that you have the logs in is FULL. Since the system
can't write the fact that you are doing the su, you're stuck.
Another possibility is that the console is stopped with a
control-s.
                    ....................

adam%bwnmr4@harvard.harvard.edu (Adam Shostack)
Sounds like the su binary may be corrupted.
Permissions should be:
-rwsr-xr-x 1 root staff 6952 Oct 11 1990 /bin/su

On a 4.1.1 sum /bin/su reports:
34039 7

On a 4.1.2, it gives:
26290 7

If it is corrupted, I'd make a non suid copy, restore a good one from
tape, and put a logging wrapper around the new su. It may be that an
incompetent cracker has replaced your su. If so, your logging
wrapper will tell you about it. Might want to make the wrapper sgid,
and make su only executable by that group.
I've also seen strange things happen, and spent weeks chasing after
ghosts. It's probably not worth your time to do so. For a cracker to
disable all functionality of su, he'd have to be pretty bad.
                    ....................

Daniel Trinkle trinkle@cs.purdue.edu
     Since you have root access, I would suggest running trace(1) on
the su <someuser> command as root. This will likely give you a good
hint.
                    ....................

mike_titus <mike@sleepy.haystack.edu>
I know this might seem too obvious to mention, but have you done
anything to the /etc/ttytab entry for the port that you are logging
in to? Putting a "secure" statement at the end of this line
disallows root access from that port. See the man page on ttytab.
                    ....................

wallen@cogsci.UCSD.EDU (Mark R. Wallen)
The times I have seen su hang is when syslogd is
hosed one way or another (like a full disk where
the syslog files are kept). The symptoms are
exactly as you describe, you su, type the password
and then nothing. ^C gets you back to your regular
prompt. Try looking at /var/adm/messages and other
files in your /etc/syslog.conf (especially where
you log those auth messages) and see if you are
low on disk space there.
                    ....................

Hal Stern stern@sunne.East.Sun.COM
got a blank line in your password file?
                    ....................

Borje Josefsson <bj@dc.luth.se>
Check syslog, and syslog output channels for the su messages. If you,
for instance, have a VT100 console on a server, and a slave printer on
the VT100, and the printer is out of paper or off-line, su will hang
since it cannot write its messages to /dev/console.
                    ....................

Jeff Marans
jeff@erie.irc.nrc.ca
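
An added example, not part of the original message or any reply: one way to automate the checks suggested above by Mark Wallen, Gene Rackow and Borje Josefsson, by listing every syslog.conf destination that can receive su's auth messages and flagging local files on a nearly full filesystem. It goes slightly beyond the thread by honouring `auth.none` and the `-` file prefix used by Linux sysklogd; the sample configuration, its paths and the 5% threshold are assumptions.

```python
import os

# Constructed sample in classic BSD syslog.conf layout; not from the original post.
SAMPLE_CONF = """\
*.err;kern.debug;auth.notice\t/dev/console
auth.info\t\t\t/var/log/authlog
*.alert;auth.none\t\t/var/adm/alerts
auth.warning\t\t\t@loghost
"""

def carries_auth(selector):
    """True if the selector matches the auth facility, which su logs to."""
    matched = False
    for item in selector.split(";"):
        facilities, _, priority = item.partition(".")
        if {"auth", "*"} & set(facilities.split(",")):
            matched = priority != "none"  # a later auth.none cancels the match
    return matched

def auth_destinations(conf_text):
    """Yield (kind, target) for every rule that can receive su's messages."""
    for line in conf_text.splitlines():
        fields = line.split(None, 1)
        if len(fields) != 2 or fields[0].startswith("#"):
            continue  # blank line, comment, or malformed rule
        selector, action = fields[0], fields[1].strip().lstrip("-")
        if not carries_auth(selector):
            continue
        if action.startswith("/"):
            yield ("device" if action.startswith("/dev/") else "file"), action
        elif action.startswith("@"):
            yield "host", action[1:]
        else:
            yield "users", action

def check(conf_text, min_free=0.05, statvfs=os.statvfs):
    """Return (target, status) for local destinations that could stall a writer."""
    results = []
    for kind, target in auth_destinations(conf_text):
        if kind == "device":
            # A flow-stopped terminal or offline slave printer blocks writes.
            results.append((target, "device"))
        elif kind == "file":
            try:
                st = statvfs(os.path.dirname(target))
                free = st.f_bavail / st.f_blocks if st.f_blocks else 0.0
                results.append((target, "low-space" if free < min_free else "ok"))
            except OSError:
                results.append((target, "unreachable"))
    return results
```

On a live system, pass the contents of /etc/syslog.conf to `check()`; a "device" result still needs a manual look at the terminal or printer.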


