"su -" zegt: Incorrect password... zonder te vragen

-rwsr-xr-x  1 root root 30472 May 19 20:27 /bin/su

#%PAM-1.0

auth       sufficient   /lib/security/pam_rootok.so

# If you want to restrict users begin allowed to su even more,
# create /etc/security/suauth.allow (or to that matter) that is only
# writable by root, and add users that are allowed to su to that
# file, one per line.
#auth       required     /lib/security/pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.allow

# Uncomment this to allow users in the wheel group to su without
# entering a passwd.
#auth       sufficient   /lib/security/pam_wheel.so use_uid trust

# Alternatively to above, you can implement a list of users that do
# not need to supply a passwd with a list.
#auth       sufficient   /lib/security/pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.nopass

# Comment this to allow any user, even those not in the 'wheel'
# group to su
auth       required     /lib/security/pam_wheel.so use_uid

auth       required     /lib/security/pam_stack.so service=system-auth

account    required     /lib/security/pam_stack.so service=system-auth

password   required     /lib/security/pam_stack.so service=system-auth

session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_env.so
session    optional     /lib/security/pam_xauth.so

#
# /etc/login.defs - Configuration control definitions for the login package.
#
# All items are optional - if not specified then the described action or
# option will be inhibited.
#
# Comment lines (lines beginning with "#") and blank lines are ignored.
#

#
# Delay in seconds before being allowed another attempt after a login failure
#
FAIL_DELAY              3

#
# Enable logging and display of /var/log/faillog login failure info.
#
FAILLOG_ENAB            yes

#
# Enable display of unknown usernames when login failures are recorded.
#
LOG_UNKFAIL_ENAB        no

#
# Enable logging and display of /var/log/lastlog login time info.
#
LASTLOG_ENAB            yes

#
# If defined, ":" delimited list of "message of the day" files to
# be displayed upon login.
#
MOTD_FILE       /etc/motd
#MOTD_FILE      /etc/motd:/usr/lib/news/news-motd

#
# If defined, file which maps tty line to TERM environment parameter.
# Each line of the file is in a format something like "vt100  tty01".
#
TTYTYPE_FILE    /etc/ttytype

#
# If defined, login failures will be logged here in a utmp format.
# last, when invoked as lastb, will read /var/log/btmp, so...
#
FTMP_FILE       /var/log/btmp

#
# If defined, file which inhibits all the usual chatter during the login
# sequence.  If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file.  If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
HUSHLOGIN_FILE  .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins

#
# The default PATH settings.
#
ENV_PATH                /usr/local/bin:/usr/bin:/bin

#
# The default PATH settings for root:
#
ENV_ROOTPATH            /sbin:/bin:/usr/sbin:/usr/bin

#
# The default PATH settings when su'ing to root:
#
ENV_SUPATH              /sbin:/bin:/usr/sbin:/usr/bin

#
# Terminal permissions
#
#       TTYGROUP        Login tty will be assigned this group ownership.
#       TTYPERM         Login tty will be set to this permission.
#
# If you have a "write" program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP to the group number and
# TTYPERM to 0620.  Otherwise leave TTYGROUP commented out and assign
# TTYPERM to either 622 or 600.
#
TTYGROUP        tty
TTYPERM         0600

#
# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                  1000
UID_MAX                 60000

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                   100
GID_MAX                 60000

#
# Max number of login retries if password is bad
#
LOGIN_RETRIES        3

#
# Max time in seconds for login
#
LOGIN_TIMEOUT           60

#
# Require password before chfn/chsh can make any changes.
#
CHFN_AUTH               yes

#
# Which fields may be changed by regular users using chfn - use
# any combination of letters "frwh" (full name, room number, work
# phone, home phone).  If not defined, no changes are allowed.
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
#
CHFN_RESTRICT           rwh

May 19 21:49:28 [su] PAM unable to dlopen(/lib/security/pam_rootok.so)
May 19 21:49:28 [su] PAM [dlerror: /lib/security/pam_rootok.so: cannot open shared object file: No such file or directory]
May 19 21:49:28 [su] PAM adding faulty module: /lib/security/pam_rootok.so
May 19 21:49:28 [su] PAM unable to dlopen(/lib/security/pam_wheel.so)
May 19 21:49:28 [su] PAM [dlerror: /lib/security/pam_wheel.so: cannot open shared object file: No such file or directory]
May 19 21:49:28 [su] PAM adding faulty module: /lib/security/pam_wheel.so
May 19 21:49:28 [su] PAM unable to dlopen(/lib/security/pam_stack.so)
May 19 21:49:28 [su] PAM [dlerror: /lib/security/pam_stack.so: cannot open shared object file: No such file or directory]
May 19 21:49:28 [su] PAM adding faulty module: /lib/security/pam_stack.so
May 19 21:49:28 [su] PAM unable to dlopen(/lib/security/pam_env.so)
May 19 21:49:28 [su] PAM [dlerror: /lib/security/pam_env.so: cannot open shared object file: No such file or directory]
May 19 21:49:28 [su] PAM adding faulty module: /lib/security/pam_env.so
May 19 21:49:28 [su] PAM unable to dlopen(/lib/security/pam_xauth.so)
May 19 21:49:28 [su] PAM [dlerror: /lib/security/pam_xauth.so: cannot open shared object file: No such file or directory]
May 19 21:49:28 [su] PAM adding faulty module: /lib/security/pam_xauth.so
May 19 21:49:28 [su] PAM unable to dlopen(/lib/security/pam_deny.so)
May 19 21:49:28 [su] PAM [dlerror: /lib/security/pam_deny.so: cannot open shared object file: No such file or directory]
May 19 21:49:28 [su] PAM adding faulty module: /lib/security/pam_deny.so

$ cat /proc/sys/fs/file-nr
5400    0       203584
$ cat /proc/sys/fs/file-max
203584

find /proc -name fd | xargs ls | wc -l
4587

$ echo 1000000 > file-max
$ cat file-nr
5400    0       1000000

perl -e 'for(my $FH=11; $FH<111; $FH++) { open("FILE_HANDLE${FH}", ">/dev/null") || die "$!"; sleep(1); }'

$ ls -l /lib/security/
total 2293
-rwxr-xr-x  1 root root  19880 May 19 20:33 pam_access.so
-rwxr-xr-x  1 root root   8144 May 19 20:33 pam_chroot.so
-rwxr-xr-x  1 root root 116600 May 19 20:33 pam_console.so
-rwxr-xr-x  1 root root  99952 May 19 20:33 pam_console_apply_devfsd.so
-rwxr-xr-x  1 root root  47504 May 19 20:33 pam_cracklib.so
-rwxr-xr-x  1 root root   8320 May 19 20:33 pam_debug.so
-rwxr-xr-x  1 root root   4976 May 19 20:33 pam_deny.so
-rwxr-xr-x  1 root root  13104 May 19 20:33 pam_env.so
drwxr-xr-x  2 root root     80 May 19 20:33 pam_filter
-rwxr-xr-x  1 root root  12632 May 19 20:33 pam_filter.so
-rwxr-xr-x  1 root root   7864 May 19 20:33 pam_ftp.so
-rwxr-xr-x  1 root root  15640 May 19 20:33 pam_group.so
-rwxr-xr-x  1 root root   9408 May 19 20:33 pam_issue.so
-rwxr-xr-x  1 root root  11568 May 19 20:33 pam_lastlog.so
-rwxr-xr-x  1 root root  20840 May 19 20:33 pam_limits.so
-rwxr-xr-x  1 root root  18432 May 19 20:33 pam_listfile.so
-rwxr-xr-x  1 root root  10984 May 19 20:33 pam_localuser.so
-rwxr-xr-x  1 root root  12472 May 19 20:33 pam_mail.so
-rwxr-xr-x  1 root root  20216 May 19 20:33 pam_mkhomedir.so
-rwxr-xr-x  1 root root   5856 May 19 20:33 pam_motd.so
-rwxr-xr-x  1 root root   8712 May 19 20:33 pam_nologin.so
-rwxr-xr-x  1 root root   5368 May 19 20:33 pam_permit.so
-rwxr-xr-x  1 root root   8152 May 19 20:33 pam_postgresok.so
-rwxr-xr-x  1 root root  15512 May 19 20:33 pam_rhosts_auth.so
-rwxr-xr-x  1 root root   5560 May 19 20:33 pam_rootok.so
-rwxr-xr-x  1 root root   6840 May 19 20:33 pam_rps.so
-rwxr-xr-x  1 root root  10328 May 19 20:33 pam_securetty.so
-rwxr-xr-x  1 root root   9080 May 19 20:33 pam_shells.so
-rwxr-xr-x  1 root root 810416 Jan 15 15:35 pam_smbpass.so
-rwxr-xr-x  1 root root  12456 May 19 20:33 pam_stack.so
-rwxr-xr-x  1 root root  12624 May 19 20:33 pam_stress.so
-rwxr-xr-x  1 root root  19768 May 19 20:33 pam_succeed_if.so
-rwxr-xr-x  1 root root  17152 May 19 20:33 pam_tally.so
-rwxr-xr-x  1 root root  11488 May 19 20:33 pam_time.so
-rwxr-xr-x  1 root root  19816 May 19 20:33 pam_timestamp.so
-rwxr-xr-x  1 root root  51096 May 19 20:33 pam_unix.so
lrwxrwxrwx  1 root root     11 May 19 20:33 pam_unix_acct.so -> pam_unix.so
lrwxrwxrwx  1 root root     11 May 19 20:33 pam_unix_auth.so -> pam_unix.so
lrwxrwxrwx  1 root root     11 May 19 20:33 pam_unix_passwd.so -> pam_unix.so
lrwxrwxrwx  1 root root     11 May 19 20:33 pam_unix_session.so -> pam_unix.so
-rwxr-xr-x  1 root root 737664 May 19 20:33 pam_userdb.so
-rwxr-xr-x  1 root root   6800 May 19 20:33 pam_warn.so
-rwxr-xr-x  1 root root  15576 May 19 20:33 pam_wheel.so
-rwxr-xr-x  1 root root  18400 May 19 20:33 pam_xauth.so