Fresh install lock out

uns3en
Posts: 8
Joined: 2017/09/15 16:19:27

Post by uns3en » 2017/09/15 16:26:27

So, fresh install (backup server) with an admin user.

Can't sudo as "effective uid is not 0"; "su -" fails to authenticate with the correct password, sshd is not starting by default.

So, can't make any changes to the machine as can't log in as root or use sudo.

Surely, that should not be happening.

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Post by avij » 2017/09/15 16:31:55

Did you happen to use Security Profiles during installation?

Which version of CentOS?


Post by uns3en » 2017/09/15 16:34:48

avij wrote: Did you happen to use Security Profiles during installation? Which version of CentOS?

CentOS 7 (1511 ISO)
Default security profile


Post by avij » 2017/09/15 16:37:57

Can you reproduce this problem with the current supported version, 7.4.1708? Please try that first.


Post by uns3en » 2017/09/15 16:45:31

avij wrote: Can you reproduce this problem with the current supported version, 7.4.1708? Please try that first.

Yup, downloaded CentOS-7-x86_64-DVD-1708.iso this morning. Installed as Backup server with default security settings, same thing happened. Then used an older 1511 ISO on a fresh VM - same steps, same result.

user added to wheel at install
/bin/su & /usr/bin/su owned by uid 1000, not root, can't chown to root:root - not permitted

Currently downloading 6.9 to check if that's OK

Edit:
looks like ssh is not off, just fails to load properly

Code:

$ systemctl | grep sshd
 sshd.service  loaded  activating  auto-restart

Last edited by uns3en on 2017/09/15 16:59:58, edited 2 times in total.


Post by avij » 2017/09/15 16:50:03

Do you have any idea why your /usr/bin/su is not owned by root? Are you using some sort of a kickstart script which does odd things after installation in its %post section?


Post by uns3en » 2017/09/15 16:51:53

avij wrote: Do you have any idea why your /usr/bin/su is not owned by root? Are you using some sort of a kickstart script which does odd things after installation in its %post section?

No scripts. Just the default options.

Edit: scratch that. I changed the user's home directory to '/'. I wonder if the setup did

Code:

usermod -d / user && chown user:user /

as a result?

I'll see if leaving it at '/home/user' actually eliminates the issue.


Post by avij » 2017/09/15 17:01:33

I'm sorry, but I can't reproduce this problem myself.

Code:

$ ssh root@192.168.122.235
The authenticity of host '192.168.122.235 (192.168.122.235)' can't be established.
ECDSA key fingerprint is SHA256:VqW+oCVQe+gRGFuoPtncJIVD7vquL5VyuMrhp0YG0DU.
No matching host key fingerprint found in DNS.
ECDSA key fingerprint is MD5:28:7f:2f:16:c7:87:ba:fd:68:03:d4:62:17:a9:e5:d6.
No matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.122.235' (ECDSA) to the list of known hosts.
root@192.168.122.235's password:
[root@c74minimaliso4 ~]# su - anssi
[anssi@c74minimaliso4 ~]$ groups
anssi wheel
[anssi@c74minimaliso4 ~]$ su - root
Password:
Last login: Fri Sep 15 12:58:25 EDT 2017 from 192.168.122.1 on pts/0
[root@c74minimaliso4 ~]# ls -ln /usr/bin/{su,sudo}
-rwsr-xr-x. 1 0 0  32096 Aug  4 07:18 /usr/bin/su
---s--x--x. 1 0 0 143184 Aug  4 10:38 /usr/bin/sudo

I'd need more detailed steps to reproduce this problem.

edit: yes, setting / as the user's home directory can indeed cause problems.
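
Added example, not part of avij's post: a shell check that reads `ls -ln` output like the listing above and flags `su`/`sudo` entries that are not owned by uid 0 or have lost the setuid bit. The function names and the "broken" listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `ls -ln` lines for setuid helpers such as su and sudo.

# Baseline lines copied from the listing in the post above.
good_listing() {
cat <<'EOF'
-rwsr-xr-x. 1 0 0  32096 Aug  4 07:18 /usr/bin/su
---s--x--x. 1 0 0 143184 Aug  4 10:38 /usr/bin/sudo
EOF
}

# Constructed sample: the same files after ownership moved to uid 1000
# (sizes and dates reused from above; modes and ids are made up).
broken_listing() {
cat <<'EOF'
-rwxr-xr-x. 1 1000 1000  32096 Aug  4 07:18 /usr/bin/su
---s--x--x. 1 1000 1000 143184 Aug  4 10:38 /usr/bin/sudo
EOF
}

# Read `ls -ln` lines on stdin, print one "BAD <path>: <reasons>" line per
# problem entry, and return non-zero if any entry is bad.
audit_setuid_listing() {
    awk '
    NF < 9 { next }                     # not a long-listing line
    {
        mode = $1; uid = $3; path = $NF; reason = ""
        # A setuid binary runs with its owner uid, so the owner must be 0.
        if (uid != 0) reason = reason " owner uid " uid " is not 0;"
        # The owner-execute slot (4th character) is "s" when setuid is set.
        if (substr(mode, 4, 1) != "s") reason = reason " setuid bit missing;"
        if (reason != "") { print "BAD " path ":" reason; bad++ }
    }
    END { exit (bad > 0) }'
}

good_listing | audit_setuid_listing && echo "baseline: ok"
broken_listing | audit_setuid_listing || echo "ownership or mode problem found"
```

On a live system the same function can be fed with `ls -ln /usr/bin/su /usr/bin/sudo | audit_setuid_listing`.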


Post by uns3en » 2017/09/15 17:11:44

avij wrote: I'm sorry, but I can't reproduce this problem myself. ... edit: yes, setting / as the user's home directory can indeed cause problems.

Only during the install, it seems. I have other CentOS 6 & 7 VMs running perfectly with the admin's directory set to '/'. The only difference is that those accounts were created manually after the install. Looks like the installer indeed does a chown on the directory during the install, as half the folders in '/' belong to the admin user, not root. Someone might want to set a check for that and not do a chown if the directory is set to '/', or at least not allow that to be selected.

I'll let you know if not setting it to / resolved the issue.


Post by uns3en » 2017/09/18 09:54:23

Issue Update:

Not setting the user's home directory to '/' at install eliminates the issue entirely.
