pam.d/common-auth isn't called after rootok #3696

alkisg · 2025-08-22T09:32:50Z

alkisg
Aug 22, 2025

Hello! Suppose that I add this line in /etc/pam.d/common-auth:

auth    optional                        pam_group.so

And this line in /etc/security/group.conf

# As a test, add everyone to the sudo group:
*;*;*;Al0000-2400;sudo

With these, there's a problem in su that's not present in sudo, and I was wondering if there's a solution:

# This includes pam_group and applies /etc/security/group.conf
root@server:~# sudo -i -u user groups
user sudo

# This doesn't include pam_group:
root@server:~# su - user -c groups
user

I.e. the problem is that su doesn't apply the correct groups to the user.
This happens because of the following lines at the top of /etc/pam.d/su:

# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so

AFAIK the sufficient flag prohibits all further processing of the entries in /etc/pam.d/su, like the ones in @include common-auth.
Is there any way to avoid this issue which exists in su but not in sudo?

karelzak · 2025-08-25T07:13:36Z

karelzak
Aug 25, 2025
Maintainer

su(1) itself has no clue about this stuff. It's completely hidden on the PAM playground. So, if you don't like PAM configuration, then change it :)

You can also try to use su --supp-group= to define a wanted group explicitly.

0 replies

alkisg · 2025-08-25T07:22:50Z

alkisg
Aug 25, 2025
Author

@karelzak thank you, but if I remove auth sufficient pam_rootok.so from PAM, then su - user from the root account prompts me for a password, which isn't appropriate.

So I think that code changes would be needed in su to allow that. And I think these code changes already exist in sudo, that's why distributions are able to omit pam_rootok.so from the sudo PAM configuration, but not from the su PAM configuration.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

pam.d/common-auth isn't called after rootok #3696

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

pam.d/common-auth isn't called after rootok #3696

Uh oh!

alkisg Aug 22, 2025

Replies: 2 comments

Uh oh!

karelzak Aug 25, 2025 Maintainer

Uh oh!

alkisg Aug 25, 2025 Author

alkisg
Aug 22, 2025

karelzak
Aug 25, 2025
Maintainer

alkisg
Aug 25, 2025
Author