I Can't login as root with su command, but I can with SSH
In your comment, you said that /bin/su has the following mode/owner:
-rwxrwxrwx. 1 root root 30092 Jun 22 2012 /bin/su
There are two problems here.
it needs to have the set-uid bit turned on, so that it always runs with root permissions, otherwise when an ordinary (non-root) user runs it, it will not have access to the password info in
/etc/shadownor the ability to set the userid to the desired new user.it ought to have the
groupandotherwrite bits turned off, so that other users cannot alter it.
To fix this, login as root - you said you can do this with ssh- and type
chmod 4755 /bin/su
or, alternatively,
chmod u+s,g-w,o-w /bin/su
(The standards document for chmod goes into more detail about what kinds of arguments it takes.) This will restore the mode bits to the way they were when the operating system was first installed. When you list this file, it ought to look like this:
-rwsr-xr-x. 1 root root 30092 Jun 22 2012 /bin/su
As @G-Man noted, files that are mode 777 could be overwritten by untrusted users, and if that's the case, you may want to reinstall them from the distribution medium or backups.
1. wheel group?
This is likely because your useid is not in the wheel group. On Red Hat distros you can explicitly disallow users who are not in this group from running the su command.
Here's what the su PAM configuration looks like by default:
$ more /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
This line can limit access to the su command to users in the wheel group:
auth required pam_wheel.so use_uid
From the sound of it this is enabled and your userid isn't allowed to operate the su command.
SSH works since it goes through a different PAM mechanism. SSH also has it's own facilities for limiting access to root logins too. Root logins is typically permitted by default, at least on most of the Red Hat distros:
$ sudo grep PermitRoot /etc/ssh/sshd_config
#PermitRootLogin yes
# the setting of "PermitRootLogin without-password".
Even though the above is commented out, it's the default, and is how OpenSSH shows it's the default setting in the configs.
Working with this?If your system is configured like this, you can add your username to the wheel group.
$ useradd -G wheel saml
After logging out and back in:
$ groups
saml wheel
NOTE: My userid is "saml" above.
2. Permissions right on su?
Check that the executable is owned by root.
$ type -a su
su is /usr/bin/su
su is /bin/su
$ ls -l /usr/bin/su /bin/su
-rwsr-xr-x. 1 root root 32064 Jan 13 06:31 /bin/su
-rwsr-xr-x. 1 root root 32064 Jan 13 06:31 /usr/bin/su
Also confirm that the executables have their s bits enabled. This makes them setuid, so that when they're executed they run as their own, root.
3. What do the logs say?
When you attempt to do the su - command you should see entries in /var/log/secure about the attempt.
$ sudo grep su /var/log/secure | grep -v sudo
Feb 23 23:31:26 greeneggs su: pam_unix(su-l:session): session opened for user root by saml(uid=0)
Feb 24 00:27:32 greeneggs su: pam_unix(su-l:session): session closed for user root
Feb 24 01:34:12 greeneggs su: pam_unix(su-l:session): session opened for user root by saml(uid=1000)
Feb 24 01:34:26 greeneggs su: pam_unix(su-l:session): session closed for user root
Consult this log to see if you get any additional info.
4. Are you sure the password isn't the problem?
When I attempt to login using su - I get the following when I give it an incorrect password:
$ su -
Password:
su: Authentication failure
$
I'd try creating another account and seeing if this secondary account can run su - successfully.