Webmin and Fedora Core 5: "su: incorrect password"


In this post, I praised Webmin. Unbeknownst to me, I was having a problem using Webmin's "Command Shell" module.

Webmin's "Command Shell" module is handy if you need to issue a few command-line instructions when you're unable to gain access by way of SSH. It's simply a web-browser-based form that accepts input, executes the instruction, and echoes the output back to the browser. Before reading any further, you should be aware that if you don't understand the security issues regarding this module, you shouldn't install Webmin. If you don't properly protect your machine, you can be granting an intruder root access to it. But if you've set up proper firewalls and strong passwords, you should be a bit better off. Note, however, that remote administration is often a risky task unless other precautions are taken.

My problem was that whenever I'd input an instruction, I'd receive "su: incorrect password". I actually seem to have had three problems that I had to resolve over time.

The first manifested in /var/webmin/miniserv.error:
[02/May/2006:05:48:40 -0700] Perl module Authen::PAM needed for PAM is not installed : Can't locate Authen/PAM.pm in @INC (@INC contains: /usr/local/webmin /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8 .) at (eval 2) line 1.

No problem, this was a fresh install. I simply downloaded and installed the correct module from CPAN.

If I recall correctly, the problem seemed to be resolved. After a reboot, or a restart of the webmin service, the "su: incorrect password" returned. I rechecked the logs:
[02/May/2006:06:02:23 -0700] PAM test failed - maybe /etc/pam.d/webmin does not exist
[02/May/2006:06:05:06 -0700] miniserv.pl started
[02/May/2006:06:05:06 -0700] PAM test failed - maybe /etc/pam.d/webmin does not exist
[21/May/2006:05:12:35 -0700] miniserv.pl started

This sucked. I know very little about specifics of PAM. Fortunately, Webmin itself is able to create the proper module. Simply click the "System" tab, select "PAM Authentication", select "Add a new PAM service", and type in "Webmin" for Service Name, and click "Create." The default setup seems to work well enough for me. Again, the problem seemed resolved. However, a short time later - the dreaded "su: incorrect password" returned.

I was finally able to temporarily cause and solve the problem by running Webmin's setup shell script, and then starting and stopping the service. The shell script properly sets the permissions on the files and allows for normal usage, but as soon as the service is stopped and restarted, the "Command Shell" module becomes useless.

I then had to look into another subject I had no knowledge of, SELinux. I've allowed Fedora to install SELinux off and on since version 3. I've always assumed it's caused me problems, but in reality - it hasn't. The default install of SELinux is pretty problem free; you just have to be aware it needs to know how permissive you want it to be with standard services (like HTTP, FTP). For non-standard services, like Webmin, it probably doesn't care - until it notices changes to files may be occurring.

I don't really know what the problem really ever was, but it seems to have been resolved with:
fixfiles check

It produced the following observations regarding webmin in my system log:
Jun 19 09:38:01 sonnik setfiles: relabeling /etc/webmin/miniserv.conf from root:object_r:tmp_t to system_u:object_r:etc_t
Jun 19 09:38:01 sonnik setfiles: relabeling /etc/webmin/file/trust.dir from system_u:object_r:etc_runtime_t to system_u:object_r:etc_t
Jun 19 09:38:01 sonnik setfiles: relabeling /etc/webmin/file/trust.pag from system_u:object_r:etc_runtime_t to system_u:object_r:etc_t
Jun 19 09:38:01 sonnik setfiles: relabeling /etc/webmin/updown/config from system_u:object_r:etc_runtime_t to system_u:object_r:etc_t
Jun 19 09:38:02 sonnik setfiles: relabeling /etc/pam.d/webmin from root:object_r:etc_runtime_t to system_u:object_r:etc_t

After that, I've been able to restart the service and the machine and have Webmin's "Command Shell" work as I need it to.
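
The setfiles messages quoted above record the SELinux context each file had before and after relabeling. As an added example (not part of the original post), this shell snippet extracts the path and the old and new type from lines in that format and counts the previous types; the function names and output layout are assumptions of the example, and the sample input is the five log lines quoted in the post.

```shell
#!/bin/sh
# Added example: summarise "setfiles: relabeling" syslog messages.
# Function names and output layout are assumptions of this example.

# The five relabel messages quoted in the post, embedded so this runs offline.
sample_log() {
cat <<'EOF'
Jun 19 09:38:01 sonnik setfiles: relabeling /etc/webmin/miniserv.conf from root:object_r:tmp_t to system_u:object_r:etc_t
Jun 19 09:38:01 sonnik setfiles: relabeling /etc/webmin/file/trust.dir from system_u:object_r:etc_runtime_t to system_u:object_r:etc_t
Jun 19 09:38:01 sonnik setfiles: relabeling /etc/webmin/file/trust.pag from system_u:object_r:etc_runtime_t to system_u:object_r:etc_t
Jun 19 09:38:01 sonnik setfiles: relabeling /etc/webmin/updown/config from system_u:object_r:etc_runtime_t to system_u:object_r:etc_t
Jun 19 09:38:02 sonnik setfiles: relabeling /etc/pam.d/webmin from root:object_r:etc_runtime_t to system_u:object_r:etc_t
EOF
}

# Reads syslog lines on stdin; prints "path old_type new_type" per relabel.
# Paths containing spaces are not handled.
relabel_summary() {
    awk '
    / setfiles: relabeling / {
        # Locate the keyword, then: <path> from <old context> to <new context>
        for (i = 1; i <= NF; i++) if ($i == "relabeling") break
        path = $(i + 1); old = $(i + 3); cur = $(i + 5)
        # A context here is user:role:type; keep the type (third part).
        split(old, o, ":"); split(cur, n, ":")
        print path, o[3], n[3]
    }'
}

# Reads syslog lines on stdin; prints "count old_type", most frequent first.
old_type_counts() {
    relabel_summary |
        awk '{ c[$2]++ } END { for (t in c) print c[t], t }' |
        sort -k1,1nr -k2,2
}

sample_log | relabel_summary
sample_log | old_type_counts
```

On a live system the same functions can be fed the system log, for example `relabel_summary < /var/log/messages`.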