su doesn't work anymore but sudo works

Hi all,

I normally use my standard user account but when I'm installing with macports I routinely "su" into root to do things.

Today I went on my machine and noticed that "su" wouldn't work. Before anyone decides to tell me that I don't need to use "su", I realize that but I use it for my own purposes.

From the system log I am seeing this each time "su" fails:
su[1376]: pam_authenticate: Permission denied

What is interesting is that doing a "sudo su" works, and I'm able to do all of my admin duties that way.

I have a feeling something messed up my bash profile but not totally sure. Has anyone else run into this issue?

MacBook Pro, Mac OS X (10.5.6)

Posted on Feb 26, 2009 9:35 PM


Feb 26, 2009 10:00 PM in response to Scott Yoshinaga

..." I normally use my standard user"...

That is one reason you might be unable to 'su' to root.

From the slightly incorrect 'man' page for 'su':
<pre>
Only users in group ``wheel'' (normally gid 0) or
group ``admin'' (normally gid 20) can su to ``root''.</pre>

However, a "standard" user shouldn't be able to use 'sudo' either so 'sudo su' would also be expected to fail.

Note that with 'sudo', the admin user attempting to use the command must enter their own password, whereas for 'su', the "root" account's password is required.

Assuming that you are in fact using an "admin" account, and root user's password is being entered for 'su', perhaps the "root" account has become disabled. Unlike 'sudo su', 'su' (to root) requires the "root" account to be enabled. It might be worth checking its status using e.g. "/Applications" > "Utilities" > "Directory Utility.app".

Feb 26, 2009 11:17 PM in response to Scott Yoshinaga

..." I have my standard user account set to admin and it was working for the last 2 years just fine."...

A "standard" account can't be an "admin", by definition.
http://docs.info.apple.com/article.html?path=Mac/10.5/en/8235.html

They are separate classes of account. Once you promote a "standard" account to "admin", it is no longer considered to be a "standard" account.

..." How will Directory Utility help?"...

Using "Directory Utility.app" is one way to enable the "root" account.
http://docs.info.apple.com/article.html?path=Mac/10.5/en/11778.html

Having "root" enabled is a prerequisite to using 'su'. That is to say, when using 'su' to switch to any user, that user account has to be enabled, including "root".

..." I cannot uncheck "allow user to administer computer" in Accounts."...

Good. That confirms that you are an "admin".

Feb 26, 2009 11:44 PM in response to biovizier

Alright if you want to be technical, yes, it isn't a "normal user" but it's not root so I consider it my "normal user" account.

Yes, root is enabled and it works.
If I log into OS X as root and then open System Preferences > Accounts then select my "normal user" account, I still cannot uncheck "allow user to administer computer".

Either way, this does not solve why I can no longer use "su" to become root from my "normal user" account.

Feb 27, 2009 7:10 AM in response to Scott Yoshinaga

kimonostereo wrote:
Alright if you want to be technical, yes, it isn't a "normal user" but it's not root so I consider it my "normal user" account.


Correct terminology is important. In your original post you said "standard" account, which by definition, is not an admin account. Thanks for clarifying.

If I log into OS X as root and then open System Preferences > Accounts then select my "normal user" account, I still cannot uncheck "allow user to administer computer".


Is it the only admin account on the computer? If so, you can't uncheck the box. OS X always needs to have at least one admin user. Create a new admin account and you should be able to change your current one to standard.

Either way, this does not solve why I can no longer use "su" to become root from my "normal user" account.


I don't know. I only use su to get into my admin account from my non-admin account ("su adminuser").

Once I am in my admin account I use sudo to become root. sudo -s will do it. Is there some reason you can't do that?

Feb 27, 2009 7:29 AM in response to Scott Yoshinaga

A "standard account" is a standard term and it means non-admin, which is why your first post was confusing. I don't know why you can't su root from an admin account if the root account is enabled (are you sure it is enabled?). In any case I'm not a fan of enabling root on a regular basis. If you are using an admin account as you are doing you can simply do

sudo -s

This will get you into a root shell and you can work from there without using sudo again.
You can do this with root disabled.

Lastly, the reason why you can't make your current account standard is because you need at least one admin account (root doesn't count). Make a new admin account and you'll be able to downgrade your main account to standard.

Feb 27, 2009 9:42 AM in response to Scott Yoshinaga

Hi all,
Thanks for the help on this issue.

I'll clarify: I'm using this install as a server and this is why I have 2 admin accounts on it. The original account is my own; the one I created when I first installed OS X. I then enabled System Admin (root) so that is the other admin account. After installing MacPorts I have been running the system as a multi-user webserver. I occasionally log in as root to do maintenance and upgrades. I have found that it's easier to use the SysAdmin account in certain situations because of permissions issues and ease of installing upgrades.

I'll often log in under my username and then su to root. Recently (yesterday) I noticed that "su" didn't work anymore when I used my normal username.

There are times that I will log onto the machine as System Admin and usually via the terminal (console) I can log in as any of the other accounts by doing
su <username>

This also doesn't work anymore. I get the error:
shell-init: error retrieving current directory: getcwd: cannot access parent directories: Permission denied

I have two servers set up this way. One works the way it should, the other one has this problem. The only difference I can see is in root's bash profile but I'm not sure why they are different on each machine.

Also when logged in as System Admin, I should be able to turn off "allow user to administer computer" on my regular account but it's grayed out. On the other similarly configured machine, under the same conditions, I can. I'm not sure why I can do it on one and not the other.

I've tried turning off enable root via Directory Utility but that didn't fix the issue.

Feb 27, 2009 9:53 AM in response to Scott Yoshinaga

Also when logged in as System Admin, I should be able to turn off "allow user to administer computer" on my regular account but it's grayed out.


By System Admin do you mean root or do you mean another admin account? If you are logged in as root and there are no other admin accounts besides your main account then you SHOULD NOT be able to make your main account standard. You need to create another admin account and then you should be able to do it.

Feb 27, 2009 10:53 AM in response to Scott Yoshinaga

I'm not sure messing up root's bash profile would result in an authentication failure - if it was possible to fail to actually switch users using 'su' yet still get access to the "root" user's profile files, that might be considered a security issue. The problem would appear to be at an earlier stage.

In contrast:
..." shell-init: error retrieving current directory: getcwd: cannot access parent directories: Permission denied"...

This error is one I usually see when 'su user' succeeds, except that the command was executed from within a directory to which the second user normally doesn't have access. For example, normally, the modes of $HOME and $HOME/Documents are 755 and 700, respectively. If you had cd'd into "$HOME/Documents" before executing 'su user', then the user switch would succeed but would be unable to e.g. 'pwd', etc. The same would apply if you were using "FileVault", in which case "$HOME" has 700 permissions.

The only other obvious thing I can think of that would cause an authentication failure error while trying to use 'su', but allow a GUI login is if the "root" password was blank - at the command line level, this is blocked for security reasons.

Edit. the posting software is eating my tildes...
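
Added example (not part of the original thread): a small shell check for the working-directory case described in the post above. It walks from a directory up to / and reports the first one the target user cannot search. The function name `blocked_dir` is hypothetical, and only plain mode bits are evaluated (no ACLs).

```shell
#!/bin/sh
# Added example: report the first directory, walking from DIR up to /, that a
# given uid / gid list cannot search (no execute bit in the applicable class).
# Assumption: plain Unix mode bits only; ACLs are not evaluated.
# usage: blocked_dir TARGET_UID "GID1 GID2 ..." DIR
#   prints the blocking directory and returns 1, or returns 0 if none blocks.
blocked_dir() {
    target_uid=$1
    target_gids=$2
    dir=$(cd "$3" && pwd -P) || return 2
    # uid 0 bypasses directory permission checks.
    [ "$target_uid" = 0 ] && return 0
    while :; do
        # ls -ldn fields: mode, link count, numeric owner, numeric group, ...
        read -r mode links owner group rest <<EOF
$(ls -ldn "$dir")
EOF
        # Pick the permission class that applies to the target user.
        if [ "$target_uid" = "$owner" ]; then
            col=4                        # owner execute column
        else
            case " $target_gids " in
                *" $group "*) col=7 ;;   # group execute column
                *)            col=10 ;;  # other execute column
            esac
        fi
        bit=$(printf '%s' "$mode" | cut -c"$col")
        case $bit in
            x|s|t) ;;                    # searchable, keep walking up
            *) printf '%s\n' "$dir"; return 1 ;;
        esac
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}
```

Run it before 'su user' with the target user's values, for example `blocked_dir "$(id -u user)" "$(id -G user)" "$PWD"`; a printed path means the new shell will start in a directory it cannot resolve.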
