[Bug 223719] New: After editing the sudoers file with yast, kdesu ceased to work
https://bugzilla.novell.com/show_bug.cgi?id=223719

           Summary: After editing the sudoers file with yast, kdesu ceased to work
           Product: openSUSE 10.2
           Version: RC 1
          Platform: x86-64
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: YaST2
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: amantia@kde.org
         QAContact: jsrain@novell.com

I added some commands for my users so I can save some time to execute them as root in the new YaST sudo module, and since then kdesu has ceased to work, giving either "Invalid password" or "Conversation with su failed" errors.
I have an old sudoers file from 10.1 and tried to compare them, and couldn't find what can cause the error.
Attached are the two files (one created by YaST which doesn't work and the one which works), but with modified user name and commands. If needed I can send the original files in private or in a secure form.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=223719

------- Comment #1 from amantia@kde.org 2006-11-25 02:16 MST -------
Created an attachment (id=106916)
 --> (https://bugzilla.novell.com/attachment.cgi?id=106916&action=view)
The good file
https://bugzilla.novell.com/show_bug.cgi?id=223719

------- Comment #2 from amantia@kde.org 2006-11-25 02:17 MST -------
Created an attachment (id=106917)
 --> (https://bugzilla.novell.com/attachment.cgi?id=106917&action=view)
The problematic file generated by YaST2

I simply added a new user and the commands to be executed in the YaST2 sudo interface.
https://bugzilla.novell.com/show_bug.cgi?id=223719

mhorvath@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
      Info Provider|                            |amantia@kde.org

------- Comment #3 from mhorvath@novell.com 2006-11-27 15:49 MST -------
Please attach your yast log files.
http://en.opensuse.org/Bugs/YaST
Thank you.
https://bugzilla.novell.com/show_bug.cgi?id=223719

amantia@kde.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
      Info Provider|amantia@kde.org             |

------- Comment #4 from amantia@kde.org 2006-11-28 01:15 MST -------
See https://bugzilla.novell.com/show_bug.cgi?id=223576.
https://bugzilla.novell.com/show_bug.cgi?id=223719

chrubis@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-                   |kmachalkova@novell.com
                   |screening@forge.provo.novell|
                   |.com                        |
             Status|ASSIGNED                    |NEW
https://bugzilla.novell.com/show_bug.cgi?id=223719

kmachalkova@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
https://bugzilla.novell.com/show_bug.cgi?id=223719

------- Comment #5 from kmachalkova@novell.com 2006-12-05 08:46 MST -------
Uff, this is somehow difficult to reproduce without having access to the real system with real data. I can't see anything suspicious either in the file or in the logs; even visudo in checking mode parses the file created by YaST correctly.

The first thing I would suggest is to remove any /opt/kde*/bin command from your configuration and see if the problem persists.
https://bugzilla.novell.com/show_bug.cgi?id=223719

kmachalkova@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
      Info Provider|                            |amantia@kde.org

------- Comment #6 from kmachalkova@novell.com 2006-12-06 03:13 MST -------
.. or try to add this line 'Defaults targetpw' to your configuration (yast2-sudo deletes it by default) and let me know if kdesu still doesn't work
https://bugzilla.novell.com/show_bug.cgi?id=223719

amantia@kde.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
      Info Provider|amantia@kde.org             |

------- Comment #7 from amantia@kde.org 2006-12-06 03:20 MST -------
Adding 'Defaults targetpw' seems to help. :-)
https://bugzilla.novell.com/show_bug.cgi?id=223719

kmachalkova@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
      Info Provider|                            |kde-maintainers@suse.de

------- Comment #8 from kmachalkova@novell.com 2006-12-06 06:13 MST -------
What the 'targetpw' option does is that it prompts for the password of the user specified by the -u flag, i.e. if you do 'sudo -u tux rm -rf /', it will ask for the password of user tux. If there's no -u flag, it asks for the root password. In the default configuration shipped with the SUSE sudo package, the 'targetpw' option is on.

When the 'targetpw' option is off (and the YaST module turns it off by default), you are prompted for your own password when trying to execute a command as another user, unless the NOPASSWD: flag is set (then no password is needed).

Regarding your configuration (without the 'targetpw' option), it seems to be the one kdesu is not able to cope with. Kde-maintainers, can you help here?
https://bugzilla.novell.com/show_bug.cgi?id=223719

dmueller@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Info Provider|kde-maintainers@suse.de     |amantia@kde.org

------- Comment #9 from dmueller@novell.com 2006-12-06 06:51 MST -------
Does it work if you type your own password in the kdesu dialog instead of the target pw (the root pw)?
https://bugzilla.novell.com/show_bug.cgi?id=223719

amantia@kde.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
      Info Provider|amantia@kde.org             |

------- Comment #11 from amantia@kde.org 2006-12-06 07:09 MST -------
I was too quick with #7. "targetpw" doesn't make any difference with SUSE's KDE (and I tried with the stock KDE, where it works with or without targetpw and both with mine or the YaST version of sudoers). The SUSE version of kdesu fails with targetpw as well.

For Dirk: no, it doesn't matter if I enter my password instead of root's one.
https://bugzilla.novell.com/show_bug.cgi?id=223719

------- Comment #13 from amantia@kde.org 2006-12-06 07:29 MST -------
I just realized that root gets these mails after each try:

stein : Dec 6 16:05:55 : user : user NOT in sudoers ; TTY=pts/13 ; PWD=/home/user ; USER=root ; COMMAND=/opt/kde3/bin/kdesu_stub -

Indeed "user" is not in sudoers, but it shouldn't matter as I try to start a different application (like yast2) than the ones listed in the sudoers file.
BTW, there are mails from the day I reported, and there the "user" IS the one from the sudoers file.
https://bugzilla.novell.com/show_bug.cgi?id=223719

kmachalkova@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|kmachalkova@novell.com      |kde-maintainers@suse.de
             Status|ASSIGNED                    |NEW

------- Comment #15 from kmachalkova@novell.com 2006-12-06 09:49 MST -------
OK, I can have yast2-sudo not remove targetpw, or have the user decide if he/she really wants to remove the targetpw line, but that still doesn't explain the non-functional kdesu. According to comment #11, upstream kdesu works with both config files mentioned here -> reassigning to kde-maintainers.

If there's anything that can be done on the YaST side in this issue, please assign back to me.
https://bugzilla.novell.com/show_bug.cgi?id=223719

dmueller@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kmachalkova@novell.com

------- Comment #16 from dmueller@novell.com 2006-12-07 01:49 MST -------
First of all: YaST should not remove the targetpw lines, and it should not remove environment variables to keep.

I can not reproduce the non-functional kdesu, but I'm afraid that Andras confused me with his mangled sudoers and sed'ed logfiles.
https://bugzilla.novell.com/show_bug.cgi?id=223719

scx.dps@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |scx.dps@gmail.com
         OS/Version|Other                       |SuSE Other
           Platform|x86-64                      |i686
            Version|RC 1                        |Final

------- Comment #17 from scx.dps@gmail.com 2006-12-29 00:58 MST -------
I tried several combinations and the only reliable workaround I found was:

ALL     ALL=(ALL) ALL
--- or ---
%users  ALL=(ALL) ALL

Of course it should be used together with:

Defaults targetpw

---
Notes:
- The targetpw option alone didn't make any difference here.
- No difference using user's passwd or using root's passwd.
https://bugzilla.novell.com/show_bug.cgi?id=223719

kmachalkova@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|kde-maintainers@suse.de     |kmachalkova@novell.com
             Status|NEW                         |ASSIGNED

------- Comment #18 from kmachalkova@novell.com 2007-01-02 02:28 MST -------
Uh, then this is probably purely yast2-sudo problem :-)
https://bugzilla.novell.com/show_bug.cgi?id=223719

kmachalkova@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
      Info Provider|                            |security-team@suse.de

------- Comment #19 from kmachalkova@novell.com 2007-01-02 02:38 MST -------
Security team, what is then the correct configuration here? Should these lines:

Defaults targetpw
ALL     ALL=(ALL) ALL

stay in the sudoers configuration file?
https://bugzilla.novell.com/show_bug.cgi?id=223719

------- Comment #20 from scx.dps@gmail.com 2007-01-02 13:40 MST -------
I guess, although it looks creepy even to me, the user would be prompted for root's passwd; in such a case it should be fine. We should just take care in making YaST-sudo default to creating rules for users using their own passwd instead of root's.

Defaults targetpw
%users  ALL=(ALL) ALL

Any better idea?
https://bugzilla.novell.com/show_bug.cgi?id=223719

------- Comment #21 from benji.weber@gmail.com 2007-01-03 14:04 MST -------
This is becoming one of the most frequently asked questions about 10.2 on IRC. Any chance of having it fixed with an online update? It is affecting many users who see the new module and have a look but don't change anything, thinking they are safe, while YaST removes the lines that kdesu requires.

On a clean system /etc/sudoers contains the following (uncommented) lines:

Defaults always_set_home
Defaults env_reset
Defaults targetpw
ALL ALL=(ALL) ALL
root ALL=(ALL) ALL

Now yast -> Security and Users -> Sudo -> Edit -> Ok -> Finish
(User thinks they have changed nothing)

The /etc/sudoers line now only contains:

Defaults always_set_home
Defaults env_reset
root ALL = (ALL) ALL

kdesu will now no longer work. Resetting to the original content will fix kdesu.

For those reading this with this problem:

To remove the problem with the sudo YaST module simply comment out lines 88,89,90,266 in /usr/share/YaST2/modules/Sudo.ycp and issue "ycp -c ./Sudo.ycp" as root in /usr/share/YaST2/modules

To get back a default (working) sudoers file paste the following into a terminal as root:

cat > /etc/sudoers <<\EOF
Defaults always_set_home
Defaults env_reset
Defaults targetpw
ALL ALL=(ALL) ALL
root ALL=(ALL) ALL
EOF

Whether it is best to "fix" the YaST sudo module or kdesu I don't know, but I think this issue is worthy of an online update, as it is affecting many users.
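
An added example, not part of the thread and not YaST or kdesu code: a shell check that classifies a sudoers file by the two lines discussed above. Without targetpw sudo asks for the caller's own password (comment #8), so the blanket rule on its own lets every user reach root with their own password. The function names and state labels are hypothetical, and the sample files are constructed from the listings in comment #21.

```shell
#!/bin/sh
# Added example: classify a sudoers file by the two lines this thread is about.
# Only top-level lines are inspected; includes and per-user Defaults are ignored.

has_targetpw() {
    # Matches "Defaults targetpw", alone or in a comma-separated list; "!targetpw" is not a match.
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+([^#]*,[[:space:]]*)?targetpw[[:space:]]*(,.*)?$' "$1"
}

has_blanket_rule() {
    # Matches "ALL ALL=(ALL) ALL" or "%users ALL=(ALL) ALL", with optional spaces.
    grep -Eq '^[[:space:]]*(ALL|%users)[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL\)[[:space:]]*ALL[[:space:]]*$' "$1"
}

classify_sudoers() {
    if has_blanket_rule "$1"; then
        if has_targetpw "$1"; then
            echo "shipped-default"       # root's password gates the blanket rule
        else
            echo "blanket-own-password"  # every user reaches root with their own password
        fi
    elif has_targetpw "$1"; then
        echo "targetpw-only"             # comment #17: not enough for kdesu
    else
        echo "stripped"                  # what YaST left behind in comment #21
    fi
}

# Constructed samples, copied from the two listings in comment #21.
demo_dir=$(mktemp -d)
cat > "$demo_dir/clean" <<'EOF'
Defaults always_set_home
Defaults env_reset
Defaults targetpw
ALL ALL=(ALL) ALL
root ALL=(ALL) ALL
EOF
cat > "$demo_dir/after_yast" <<'EOF'
Defaults always_set_home
Defaults env_reset
root ALL = (ALL) ALL
EOF
# Constructed: the clean file with the targetpw line commented out.
sed 's/^Defaults targetpw$/#&/' "$demo_dir/clean" > "$demo_dir/no_targetpw"

for f in clean after_yast no_targetpw; do
    printf '%s: %s\n' "$f" "$(classify_sudoers "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```
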
https://bugzilla.novell.com/show_bug.cgi?id=223719

kmachalkova@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
      Info Provider|security-team@suse.de       |

------- Comment #22 from kmachalkova@novell.com 2007-01-04 05:57 MST -------
OK, yast2-sudo no longer removes

Defaults targetpw
ALL     ALL=(ALL) ALL

(I'm just undecided yet whether to make ALL=ALL rule visible in UI, thus let users edit it and break their kdesu again ...)
https://bugzilla.novell.com/show_bug.cgi?id=223719

kmachalkova@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
      Info Provider|                            |hmuelle@novell.com

------- Comment #23 from kmachalkova@novell.com 2007-01-04 06:01 MST -------
Harald, shall we make this fix an online update? I guess it's needed (see e.g. comment #21), but ...
https://bugzilla.novell.com/show_bug.cgi?id=223719

------- Comment #24 from meissner@novell.com 2007-01-04 06:47 MST -------
I would suggest an online update.
https://bugzilla.novell.com/show_bug.cgi?id=223719

hmuelle@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Info Provider|hmuelle@novell.com          |ast@novell.com

------- Comment #25 from hmuelle@novell.com 2007-01-04 07:48 MST -------
Anja, please provide a SWAMPid. We will update for 10.2.
https://bugzilla.novell.com/show_bug.cgi?id=223719

------- Comment #26 from ast@novell.com 2007-01-05 04:38 MST -------
For sure: SWAMPID is 7659
https://bugzilla.novell.com/show_bug.cgi?id=223719

ast@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
      Info Provider|ast@novell.com              |

------- Comment #27 from ast@novell.com 2007-01-05 04:42 MST -------
removing needinfo
https://bugzilla.novell.com/show_bug.cgi?id=223719

------- Comment #28 from kmachalkova@novell.com 2007-01-05 06:05 MST -------
Packages submitted - yast2-sudo 2.15.0 for factory, 2.14.3 for 10.2 online update (which will be hopefully released soon). I'll close this bug as fixed as soon as the patch is available.
https://bugzilla.novell.com/show_bug.cgi?id=223719

ast@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

------- Comment #29 from ast@novell.com 2007-01-09 10:14 MST -------
released
https://bugzilla.novell.com/show_bug.cgi?id=223719

------- Comment #30 from jkalcic@nisis.it 2007-01-22 16:12 MST -------
Just a note. Maybe obvious but I'm not positive.
The problem is also there if you've never touched the yast-sudo module. Commenting out the line "Defaults targetpw" with an editor is enough to reproduce it.