Search This Blog

07 August 2008

Roles can only be assumed by authorized users

The other day I went to reboot the system and found out I no longer had root access. I was very confused since I could not even su.  It kept telling me 'Roles can only be assumed by authorized users'.  I eventually figured out where I thought the problem was, but unfortunately didn't have permissions to fix it. In fact, no users on the system were authorized to fix it.  I ended up posting a question on the OpenSolaris Forums asking for help.  When I was at work today, I printed out a response so that I could try it when I got home. Unfortunately, the reply is no longer there for some reason, I can't give credit to whomever it was. Roumen provided this link to fix the problem. For those of you having this problem, here's what I did to cause it and to resolve it.

The Cause
When I was playing around with the Users and Groups, I went ahead and checked every single box. I mean, why not, I want full access, right? Nevermind that looking back I realize that some specifically say not to add them to users.

The Symptoms
I had basic user rights, but no root rights. I could not login as root, su to root, pfexec as root, save files owned by root, reboot the system, anything.

The Clue
Looking at /etc/user_attr, I noticed that while I did have the role=root attached to my name, there was a lot of garbage (read: all those checkmarks listed as profiles) before it.  Maybe 256 characters, maybe 512, I didn't honestly count.

I logged into the 2008.05 livecd and saw that jack only had Primary Administrator. Ok, I'll duplicate that.  Unfortunately, I couldn't find the real /etc directory in order to just rewrite it as jack.

Since I didn't have root access, I couldn't change the file.

The Solution
  1. Reboot
  2. At the GRUB prompt, hit e for edit
  3. Arrow down to the kernel$ line
  4. Hit e to edit
  5. Append -s to the end of the line and hit enter
  6. Hit b to start booting
  7. When prompted, type in the root password
  8. vi /etc/user_attr and remove all profiles except Primary Administrator from my account
  9. save the file, exit to the prompt, hit ctrl-D to exit single-user mode
You now have your root access back.
Posted by at
Labels: ,

16 comments:

  1. Anonymous8/08/2008 8:13 AM

    Glad I could help :)

    ReplyDelete
  2. Anonymous10/21/2008 11:02 PM

    Thanks for your help, I ran into the same problem by checking all the boxes. Fixed it by logging back in as jack and changing my user privileges to primary admin. Thank you!

    ReplyDelete
  3. Malachi de AElfweald10/22/2008 2:52 AM

    Glad it helped!

    ReplyDelete
  4. T10/22/2008 5:44 AM

    It must be helpful ,I believe!

    ReplyDelete
  5. Malachi de AElfweald11/18/2008 10:30 AM

    On my work box I ran into a weird situation that whenever I edited it via the users-admin gui, the user_attr file would be edited but it wouldn't persist to the next time I launched the gui.

    What I finally did was go into single user mode, edit the user_attr file AND add staff to sudoers, reboot and run users-admin via the root account there... I dunno - I'm very uncomfortable with it not being consistent. Right now, it works fine as long as I don't edit it.

    ReplyDelete
  6. Anonymous12/07/2008 9:26 PM

    When using OpenSolaris 2008 11 (and probably newer), make sure to choose the text boot option in GRUB, otherwise the animated progress bar will display forever instead of showing you the command prompt.

    ReplyDelete
  7. Malachi de AElfweald12/07/2008 11:58 PM

    I just did a fresh install into xVM and it did appear that way for awhile before finally going into the login screen.

    If you are finding that to be a problem, you can temporarily delete the colors and splashimage from the boot as well as the graphics on the kernel line and see if it is giving an error during the boot.

    ReplyDelete
  8. Anonymous2/04/2009 11:48 PM

    thanks for the write up on resolving this. I just did the exact same thing you did. Appreciate you sharing the knowledge.

    Regards
    Tim

    ReplyDelete
  9. Anonymous4/25/2009 11:26 AM

    I have the same problem that edits via the users-admin GUI don't persist the next time I launch the GUI. I will try editing the /etc/user/attr file manually. Thanks for the hint.

    ReplyDelete
  10. Anonymous9/11/2009 9:00 AM

    There is an easier way: http://blogs.sun.com/observatory/entry/understading_rbac

    usermod -R root myusername

    ReplyDelete
  11. Anonymous12/06/2009 11:29 AM

    Thanks for the information. I was having this problem on MilaX 0.4

    ReplyDelete
  12. Malachi de AElfweald12/06/2009 11:59 AM

    glad it could help =)

    ReplyDelete
  13. gnrl7/17/2010 7:43 PM

    quickly solved my problem. thank you sir!

    ReplyDelete
  14. Malachi de AElfweald7/17/2010 8:05 PM

    no problem! glad it helped!

    ReplyDelete
  15. googlePower4/26/2015 9:56 PM

    Excuse me... How can i get in GRUB prompt in sparc machine?

    ReplyDelete
    Replies
    1. Malachi de AElfweald4/26/2015 11:22 PM

      It would probably depend on how you installed the bootloader. I don't have a sparc machine to test again. Maybe something on one of these pages will help:
      http://docs.oracle.com/cd/E19253-01/819-5461/6n7ht6r22/index.html
      http://docs.oracle.com/cd/E19253-01/821-0441/grub-1/index.html

      Delete

Subscribe to: Post Comments (Atom)