Locked Myself Out - Cannot "su"

[Schiz0]

On 5/27/07, Schiz0 <schiz0phrenic21 at gmail.com> wrote:
> On 5/27/07, Conrad J. Sabatier <conrads at cox.net> wrote:
> > On Sun, 27 May 2007 19:17:20 -0400
> > Schiz0 <schiz0phrenic21 at gmail.com> wrote:
> >
> > > This is one of those things where after you realize what you've done,
> > > you just want to smack yourself.
> > >
> > > I've been working on hardening my FreeBSD 6.2-Stable box. I disabled
> > > root login from everywhere, including the console (The box isn't
> > > physically secure, so I didn't want anyone screwing around). Now, me
> > > being stupid, didn't reboot after making all these changes to harden
> > > it. So I finally rebooted (With the secure level set to 2) and I found
> > > that I can't run "su." I get the following error:
> > >
> > > $ su -
> > > su: not running setuid
> > >
> > > I can't shutdown since I can't become root, so I pulled the plug and
> > > rebooted into single-user mode. I edited /etc/rc.conf and set
> > > kern_securelevel_enable="NO"
> > >
> > > I rebooted again, but for some reason I still get the same error for
> > > "su."
> > >
> > > So basically, I locked myself out of my box completely. I fail :-(
> > >
> > > su has the following permissions:
> > > -r-sr-xr-x   1 root  wheel   schg   12240 May 13 13:15 su
> > >
> > > And sudo isn't installed, unfortunately. Any ideas of how to get root
> > > back?
> > >
> > > Thanks!
> >
> > First, you need to make sure that ttyv0 is *not* set to "insecure"
> > in /etc/ttys, so no login/password will be needed in single-user mode:
> >
> > ttyv0   "/usr/libexec/getty Pc"         cons25l1        on  secure
> >
> > This *should* allow you to use single-user mode once again as root.
> >
> > Then, make sure that any user you want to have su capability is listed
> > in /etc/group under the "wheel" entry:
> >
> > wheel:*:0:root,foouser
> >
> > After that, any other problems you may encounter will have to be dealt
> > with as they arise.  Post a followup if you still have trouble.
> >
> > HTH
> >
> > --
> > Conrad J. Sabatier <conrads at cox.net>
> >
> >
>
> Well I do know the root password, so I can get into single user mode
> even though the console is marked insecure. So that's not a problem.
>
> I just checked /etc/group and my username is NOT in the wheel group.
> I'm not in front the system right now to reboot it into single user
> mode and change /etc/group, but hopefully when I do, it will solve the
> problem. It's weird though, because I've been using this box fine for
> the past two months. I was able to su to root during that time. It's
> very strange that my username's group was changed automatically out of
> the wheel group.
>
> Thank you for your help!
>

Hm, this is odd. /etc/group contains:
wheel:*:0:root,steve
(My username is "steve")

I rebooted (SecureLevel is still disabled) and logged in as "steve."
Then I tried to run "su - root" and I got the same error:
$ su - root
su: not running setuid

But it's weird, because in the permissions for "su" it does have the suid flag:
$ ls -l /usr/bin/ |grep su
-r-sr-xr-x   1 root  wheel     12240 May 13 13:15 su

Also, when I dropped to single-user mode, I edited my
/etc/login.access and enabled root login on the console. But now I
when I try to login as root, I get the error:
login: pam_acct_mgmt(): authentication error

I definitely remember what root's password is. I even changed root's
password in single-user mode, and it still doesn't let me login. I
don't think the box is compromised; this isn't a production server at
all, only a home HTTP/FTP server for personal use.