su: cannot open session: Permission denied

2023-05-14  偷油考拉

1. Symptom

[root@VM_99_101_centos ~]# su - robin
Last login: Mon May 15 14:37:23 CST 2023 on pts/2
su: cannot open session: Permission denied
[root@VM_99_101_centos ~]# 
[root@VM_99_101_centos ~]# 
[root@VM_99_101_centos ~]# cat /etc/passwd |grep robin
robin:x:1000:1000::/home/robin:/bin/bash

Tailing /var/log/secure at the same time shows:

May 15 14:37:35 localhost su: PAM _pam_load_conf_file: unable to open /etc/pam.d/system
May 15 14:37:35 localhost su: PAM _pam_load_conf_file: unable to open /etc/pam.d/system
May 15 14:37:35 localhost su: PAM _pam_load_conf_file: unable to open /etc/pam.d/system
May 15 14:37:35 localhost su: PAM _pam_load_conf_file: unable to open /etc/pam.d/system

2. Analysis

Test 1
[root@VM_99_101_centos ~]# ssh robin@localhost
robin@localhost's password: 
Last login: Mon May 15 14:37:35 2023
[robin@VM_99_101_centos ~]$ 
May 15 14:38:12 localhost sshd[26466]: Accepted password for robin from 127.0.0.1 port 42306 ssh2
May 15 14:38:12 localhost sshd[26466]: pam_unix(sshd:session): session opened for user robin by (uid=0)

Test 2

[root@VM_99_101_centos ~]# useradd admin
[root@VM_99_101_centos ~]# passwd admin
Changing password for user admin.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@VM_99_101_centos ~]# 
[root@VM_99_101_centos ~]# 
[root@VM_99_101_centos ~]# su - admin
su: cannot open session: Permission denied

Test 3

[root@VM_99_101_centos ~]# ssh robin@localhost
robin@localhost's password: 
Last login: Mon May 15 14:43:54 2023 from 127.0.0.1

[robin@VM_99_101_centos ~]$ su - admin
su: Permission denied

[robin@VM_99_101_centos ~]$ ssh admin@localhost
admin@localhost's password: 
Last login: Mon May 15 14:45:15 2023

[admin@VM_99_101_centos ~]$ 

Debug

Running strace -ff su - robin shows the following:

mprotect(0x7f47b3f17000, 4096, PROT_READ) = 0
open("/etc/pam.d/system", O_RDONLY)     = -1 ENOENT (No such file or directory)
open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 5

Analysis

su really is trying to open /etc/pam.d/system. But a search of the whole web turns up nothing at all about /etc/pam.d/system; nearly every hit is about /etc/pam.d/system-auth. That is the key clue. Debugging with pam_debug.so and the syslog debug level in the meantime likewise pointed to that file not being found.

Filtering all related configuration files and directories with grep -r "system" /etc |grep pam |grep -v "system-auth" turns up:

/etc/pam.d/su:auth              substack        system -auth
/etc/pam.d/su:account           include         system -auth
/etc/pam.d/su:password          include         system -auth
/etc/pam.d/su:session           include         system -auth

Changing system -auth to system-auth fixes the problem.

Why one stray space breaks su: the include and substack controls take exactly one token, the name of another service file under /etc/pam.d/. With "system -auth" the target becomes "system" (which does not exist, hence the ENOENT in strace and the "unable to open /etc/pam.d/system" lines in /var/log/secure, one per stack that references it) and "-auth" is left over as a bogus argument. A stack whose include cannot be loaded fails, and PAM reports that as Permission denied. The two different error messages match the stock CentOS 7 /etc/pam.d/su: for root, auth is satisfied early by pam_rootok.so (sufficient) and account by pam_succeed_if.so uid = 0 (sufficient), so the first broken stack actually reached is session, hence "cannot open session: Permission denied"; for robin, the broken auth substack is reached first, hence a plain "Permission denied". ssh keeps working throughout because sshd uses its own service file, /etc/pam.d/sshd, whose include of system-auth was never touched. Since /etc/pam.d/su is re-read on every invocation, keep a root shell open while editing it and confirm with su - <user> from a second session before logging out.
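As an added example (my own code, not from the original post), here is a small POSIX sh linter that catches this class of mistake before it bites: it walks a PAM service directory and reports every include or substack whose target file does not exist, or that is followed by stray tokens. The default directory, the function names and the fixture it writes to a temporary directory are assumptions of this example; the fixture reproduces the broken /etc/pam.d/su lines shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: lint a PAM service directory
# for include/substack targets that cannot be resolved. PAM resolves
# "include X" / "substack X" as DIR/X, so "system -auth" is parsed as target
# "system" plus a stray argument "-auth", exactly the failure traced above.
#
# pam_check_includes [DIR]   (DIR defaults to /etc/pam.d; assumption)
# Prints one line per broken reference; returns 1 if any were found, else 0.
pam_check_includes() {
    dir=${1:-/etc/pam.d}
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            # Word-split the line with globbing disabled (module args can
            # contain '*' or '[...]' control syntax).
            set -f; set -- $line; set +f
            [ $# -ge 3 ] || continue            # blank or too short to matter
            case $1 in \#*) continue ;; esac    # comment line
            # PAM line layout: TYPE CONTROL MODULE-OR-TARGET [ARGS...]
            # (TYPE may carry a leading '-' meaning "skip silently if missing")
            case $2 in
                include|substack)
                    if [ ! -f "$dir/$3" ]; then
                        printf '%s:%d: %s %s %s -> missing %s/%s\n' \
                            "$f" "$n" "$1" "$2" "$3" "$dir" "$3"
                        bad=1
                    elif [ $# -gt 3 ]; then
                        # include/substack take exactly one token; anything
                        # after it is almost certainly a mangled file name.
                        shift 3
                        printf '%s:%d: extra token(s) after include target: %s\n' \
                            "$f" "$n" "$*"
                        bad=1
                    fi
                    ;;
            esac
        done < "$f"
    done
    return $bad
}

# Demo on a constructed copy of the broken /etc/pam.d/su from this post,
# written to a temporary directory (fixture only, never the live /etc/pam.d).
# Returns the linter's status: 1, because four stacks reference "system".
pam_demo_broken_su() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'auth      sufficient  pam_rootok.so' \
                  'auth      substack    system -auth' \
                  'account   include     system -auth' \
                  'password  include     system -auth' \
                  'session   include     system -auth' > "$d/su"
    printf '%s\n' 'auth      required    pam_unix.so' > "$d/system-auth"
    pam_check_includes "$d"
    rc=$?
    rm -rf "$d"
    return $rc
}

# Running the file directly prints the four broken references from the demo.
pam_demo_broken_su || echo "broken PAM references found (exit status $?)"
```

On a live box, run pam_check_includes /etc/pam.d (or pam_check_includes with no argument) right after editing any service file and before closing your root shell; a clean run returns 0. The same check is cheap enough to drop into a configuration-management validation step so a typo like this never reaches production.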
