'sudo su' asks for password twice

Status
Not open for further replies.

rezatoune

Cadet
Joined
Mar 25, 2017
Messages
3
Hi all,
I'm not sure if this is a general FreeBSD or FreeNAS issue I'm having.
When logged in via SSH, and asking to become root with 'sudo su', I'm being asked for the password twice:
Code:
$ nasimon
rezatoune@nasimon.home's password:
Last login: Sun Jul  9 18:59:25 2017 from 192.168.1.34
FreeBSD 11.1-BETA1 (FreeNAS.amd64) #0 9e57002a9(freenas/11-stable): Sat Jul  8 04:52:22 UTC 2017

  FreeNAS (c) 2009-2017, The FreeNAS Development Team
  All rights reserved.
  FreeNAS is released under the modified BSD license.

  For more information, documentation, help or support, go here:
  http://freenas.org
Welcome to FreeNAS
[rezatoune@freenas ~]$ sudo su
Password:
Password:
[root@freenas /mnt/volumePrincipal/home/rezatoune]#

I have no idea where this could be coming from.

I'm running FreeNAS-11-MASTER-201707080414 (622fd88); here is a signature of my sudo program:
Code:
[root@freenas /mnt/volumePrincipal/home/rezatoune]# which sudo
/usr/local/bin/sudo
[root@freenas /mnt/volumePrincipal/home/rezatoune]# md5 /usr/local/bin/sudo
MD5 (/usr/local/bin/sudo) = 03a6f0108f3ce43b7da09e184da22bb8

Please don't hesitate to ask me for any complementary information,
Thanks for the help,
rezatoune.
 
dlavigne

Guest
This is to be expected as you should use one or the other, not both commands at once.
 

rezatoune

Cadet
Joined
Mar 25, 2017
Messages
3
Mmh, but it shows the same behaviour when using 'sudo -s'?
Code:
[rezatoune@freenas ~]$ sudo -s
Password:
Password:
[root@freenas /mnt/volumePrincipal/home/rezatoune]#

If it can help debugging, the first prompt has a space after the ':', and the second does not. (': ' vs ':' when typing the password)

What seems the weirdest to me is that I can mistype the first password prompt, even leave it empty, and it will work as long as I give the right password for the second prompt.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Just type su if you need to run commands from root.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
dlavigne said:
This is to be expected as you should use one or the other, not both commands at once.

Haters gonna hate.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194

fracai

Guru
Joined
Aug 22, 2012
Messages
1,212
dlavigne said:
This is to be expected as you should use one or the other, not both commands at once.

I don't actually think this is expected.

The first 'sudo' should grant root privileges and root doesn't need to provide a password to su. Can su be configured to always require a password?
'sudo -s' showing the prompt twice sounds like something is misconfigured.

There are multiple threads and solutions offered when searching online for something like "sudo su password twice"
 

rezatoune

Cadet
Joined
Mar 25, 2017
Messages
3
My home folder's permissions are a mess right now, as it's mixed ACLs and Linux ones; I don't know if that can be related. I'm trying to remove those ACLs.
Code:
[root@freenas /mnt/volumePrincipal/]# ll /mnt/volumePrincipal/home/rezatoune/
total 184
drwxrwxr-x  5 rezatoune  rezatoune  uarch  18 Jul  2 00:08 ./
drwxrwxr-x+ 4 root  wheel  uarch  4 Mar 26 07:16 ../
-rwxrwxr-x+ 1 root  wheel  uarch  979 Jul 11 17:03 .bash_history*
-rwxrwxr-x+ 1 root  wheel  uarch  19 Mar  6 18:14 .bashrc*
drwxrwxr-x+ 3 root  wheel  uarch  3 Oct 11  2016 .config/
-rwxrwxr-x+ 1 rezatoune  rezatoune  uarch  983 Mar 26 04:53 .cshrc*
-rwxrwxr-x+ 1 rezatoune  wheel  uarch  33 Jan 18 16:27 .lesshst*
-rwxrwxr-x+ 1 rezatoune  rezatoune  uarch  182 Mar 26 04:53 .login*
-rwxrwxr-x+ 1 rezatoune  rezatoune  uarch  91 Mar 26 04:53 .login_conf*
-rwxrwxr-x+ 1 rezatoune  rezatoune  uarch  301 Mar 26 04:53 .mail_aliases*
-rwxrwxr-x+ 1 rezatoune  rezatoune  uarch  267 Mar 26 04:53 .mailrc*
-rwxrwxr-x+ 1 rezatoune  rezatoune  uarch  728 Mar 26 04:53 .profile*
-rwxrwxr-x+ 1 rezatoune  rezatoune  uarch  212 Mar 26 04:53 .rhosts*
-rwxrwxr-x+ 1 rezatoune  rezatoune  uarch  780 Mar 26 04:53 .shrc*
drwxrwxr-x+ 2 rezatoune  rezatoune  uarch  4 Jun 28 22:11 .ssh/
-rw-r--r--  1 rezatoune  rezatoune  uarch  168 Jul  2 00:07 .wget-hsts
-rwxrwxr-x+ 1 root  wheel  uarch 1571 Aug 31  2016 test.sh*


Here is the content of /etc/pam.d/sudo. I'm still in the process of reading the doc and making sense out of it, but certainly someone knows better than me =)
Code:
[root@freenas /mnt/volumePrincipal/]# cat /etc/pam.d/sudo
#
# $FreeBSD: src/etc/pam.d/sudo,v 1.18 2009/10/05 09:28:54 des Exp $
#
# PAM configuration for the "sudo" service
#

# auth
auth  sufficient  pam_opie.so  no_warn no_fake_prompts
auth  requisite  pam_opieaccess.so  no_warn allow_local
auth  sufficient  /usr/local/lib/pam_sss.so
auth  required  pam_unix.so  no_warn try_first_pass

# account
account  required  pam_nologin.so
account  required  pam_login_access.so
account  sufficient  /usr/local/lib/pam_sss.so
account  required  pam_unix.so

# session
session  required  pam_permit.so

# password
password  sufficient  /usr/local/lib/pam_sss.so use_authtok
password  required  pam_unix.so  no_warn try_first_pass
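
The auth section of the /etc/pam.d/sudo posted above can be walked through with the control-flag rules from FreeBSD's PAM documentation (sufficient, requisite, required, binding, optional). The script below is an added example, not part of any post and not FreeNAS code: it evaluates that auth chain for per-module results supplied by the caller (constructed here), and it assumes the first prompt belongs to pam_sss and the second to pam_unix, which the thread does not confirm.

```shell
#!/bin/sh
# Added example (not from the thread): evaluate an OpenPAM-style auth chain.
# Auth lines copied from the /etc/pam.d/sudo posted above.
SAMPLE_SUDO_AUTH='# auth
auth  sufficient  pam_opie.so  no_warn no_fake_prompts
auth  requisite  pam_opieaccess.so  no_warn allow_local
auth  sufficient  /usr/local/lib/pam_sss.so
auth  required  pam_unix.so  no_warn try_first_pass'

# pam_eval_auth RESULTS < service-file
#   RESULTS: one "ok" or "fail" per auth line, in file order. These are
#   supplied by the caller (constructed); nothing is probed on the system.
# Prints "<granted|denied> ran=<modules executed, comma separated>".
pam_eval_auth() {
    awk -v results="$1" '
        BEGIN { split(results, res, " ") }
        /^[ \t]*#/ || $1 != "auth" || stop { next }
        {
            ok = (res[++i] == "ok")
            n = split($3, path, "/")               # keep only the module file name
            ran = (ran == "" ? "" : ran ",") path[n]
            if ($2 == "sufficient" || $2 == "binding") {
                if (ok && !failed) {
                    stop = 1                       # success ends the chain here
                } else if (!ok && $2 == "binding") {
                    failed = 1                     # failed binding denies at the end
                }                                  # failed "sufficient" is ignored
            } else if ($2 == "required") {
                if (!ok) { failed = 1 }            # chain continues, denied at end
            } else if ($2 == "requisite") {
                if (!ok) { failed = 1; stop = 1 }  # denied immediately
            }                                      # "optional": result ignored
        }
        END { printf "%s ran=%s\n", (failed ? "denied" : "granted"), ran }
    '
}

# Assumed scenario: pam_opie fails (no OTP set up), pam_opieaccess passes,
# wrong password at the pam_sss prompt, right password at the pam_unix prompt.
printf '%s\n' "$SAMPLE_SUDO_AUTH" | pam_eval_auth "fail ok fail ok"
# Same, but pam_sss accepts the password: pam_unix never runs.
printf '%s\n' "$SAMPLE_SUDO_AUTH" | pam_eval_auth "fail ok ok ok"
```

Under the stated assumption, the first scenario corresponds to the report that a mistyped first password does not matter as long as the second one is right: the failed sufficient module is ignored and the required pam_unix line decides the outcome.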
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
You can nuke the ACLs by running the command find /mnt/volumePrincipal/home/rezatoune -exec setfacl -b {} \;
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
The man page for su(1) (link) does not state that UID 0 does not need to authenticate.
The su utility requests appropriate user credentials via PAM and switches to that user ID (the default user is the superuser). A shell is then executed.

As for sudo -s, feel free to track down the problem, but I don't think many people will be eager to sink time into this one.
 

rvassar

Guru
Joined
May 2, 2018
Messages
972
I used "sudo -s" yesterday on 11.1-U6 and it only asked once.

Code:
% shasum -a 256 /usr/local/bin/sudo
665f3fd9cf53f8dbe67e307cabe62ce208245363a610357431d293edea2e90ee  /usr/local/bin/sudo


Just a thought... Some variations of sudo invoked by scripts / GUIs, etc. on Linux drop a file in your home directory, and that may interact with your ACL issue. I don't know that sudo does this directly, however.
 

fracai

Guru
Joined
Aug 22, 2012
Messages
1,212
I think the OP has probably moved past this problem in the last year.
 