[Bug 948773] New: pam_wheel broken
http://bugzilla.suse.com/show_bug.cgi?id=948773

Bug ID: 948773
Summary: pam_wheel broken
Classification: openSUSE
Product: openSUSE Distribution
Version: 13.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: aj@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

With openSUSE Leap 42.1 Beta wheel support does not work. I have:

# id aj
uid=659(aj) gid=50(suse) groups=10(wheel),402(kvm),403(qemu),492(libvirt),10056(approve),10043(prodmgmt),10044(patches),1018(lxbuch),10035(vmware),22222(vpn),10062(gccmaint),1004(english),50(suse)

# cat /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
auth sufficient pam_wheel.so trust
auth include common-auth
account sufficient pam_rootok.so
account include common-account
password include common-password
session include common-session
session optional pam_xauth.so

But su asks for a password. This works on 13.2.

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=948773
Andreas Jaeger
http://bugzilla.suse.com/show_bug.cgi?id=948773
http://bugzilla.suse.com/show_bug.cgi?id=948773#c4
--- Comment #4 from Thorsten Kukuk
http://bugzilla.suse.com/show_bug.cgi?id=948773
http://bugzilla.suse.com/show_bug.cgi?id=948773#c5
--- Comment #5 from Andreas Jaeger
From gnome-terminal:
2015-10-07T15:17:41.426294+02:00 byrd su: The gnome keyring socket is not owned with the same credentials as the user login: /run/user/659/keyring/control
2015-10-07T15:17:41.426749+02:00 byrd su: gkr-pam: couldn't unlock the login keyring.
2015-10-07T15:17:41.427334+02:00 byrd su: (to root) aj on pts/3
2015-10-07T15:17:41.427695+02:00 byrd su: pam_limits(su-l:session): reading settings from '/etc/security/limits.conf'
2015-10-07T15:17:41.428004+02:00 byrd su: pam_unix(su-l:session): session opened for user root by (uid=659)
2015-10-07T15:17:41.428335+02:00 byrd su: pam_systemd(su-l:session): pam-systemd initializing
2015-10-07T15:17:41.428641+02:00 byrd su: pam_systemd(su-l:session): Asking logind to create session: uid=0 pid=4892 service=su-l type=x11 class=user desktop=gnome seat=seat0 vtnr=2 tty=pts/3 display= remote=no remote_user=aj remote_host=
2015-10-07T15:17:41.429952+02:00 byrd su: pam_systemd(su-l:session): Reply from logind: id=1740 object_path=/org/freedesktop/login1/session/_31740 runtime_path=/run/user/659 session_fd=5 seat=seat0 vtnr=2 original_uid=659
From xterm:
2015-10-07T15:18:30.230782+02:00 byrd su: (to root) aj on pts/9
2015-10-07T15:18:30.231282+02:00 byrd su: pam_limits(su-l:session): reading settings from '/etc/security/limits.conf'
2015-10-07T15:18:30.231607+02:00 byrd su: pam_unix(su-l:session): session opened for user root by aj(uid=659)
2015-10-07T15:18:30.231962+02:00 byrd su: pam_systemd(su-l:session): pam-systemd initializing
2015-10-07T15:18:30.232301+02:00 byrd su: pam_systemd(su-l:session): Asking logind to create session: uid=0 pid=4972 service=su-l type=x11 class=user desktop=gnome seat=seat0 vtnr=2 tty=pts/9 display= remote=no remote_user=aj remote_host=
2015-10-07T15:18:30.232728+02:00 byrd su: pam_systemd(su-l:session): Reply from logind: id=1740 object_path=/org/freedesktop/login1/session/_31740 runtime_path=/run/user/659 session_fd=5 seat=seat0 vtnr=2 original_uid=659
http://bugzilla.suse.com/show_bug.cgi?id=948773
http://bugzilla.suse.com/show_bug.cgi?id=948773#c6
--- Comment #6 from Andreas Jaeger
http://bugzilla.suse.com/show_bug.cgi?id=948773
http://bugzilla.suse.com/show_bug.cgi?id=948773#c7
--- Comment #7 from Thorsten Kukuk
http://bugzilla.suse.com/show_bug.cgi?id=948773
http://bugzilla.suse.com/show_bug.cgi?id=948773#c8
--- Comment #8 from Andreas Jaeger
http://bugzilla.suse.com/show_bug.cgi?id=948773
http://bugzilla.suse.com/show_bug.cgi?id=948773#c10
Thorsten Kukuk
Seems pam_wheel does not really give debug output:
It does. If there is no debug output, then it is not called.
gnome-terminal:
2015-10-07T16:29:55.485308+02:00 byrd su: The gnome keyring socket is not owned with the same credentials as the user login: /run/user/659/keyring/control
2015-10-07T16:29:55.485942+02:00 byrd su: gkr-pam: couldn't unlock the login keyring.
2015-10-07T16:29:55.486666+02:00 byrd su: (to root) aj on pts/3
2015-10-07T16:29:55.487172+02:00 byrd su: pam_unix(su-l:session): session opened for user root by (uid=659)
The pam_wheel debug output is coming before the gnome keyring stuff.
http://bugzilla.suse.com/show_bug.cgi?id=948773
http://bugzilla.suse.com/show_bug.cgi?id=948773#c11
--- Comment #11 from Thorsten Kukuk
http://bugzilla.suse.com/show_bug.cgi?id=948773
http://bugzilla.suse.com/show_bug.cgi?id=948773#c13
Andreas Jaeger
http://bugzilla.suse.com/show_bug.cgi?id=948773
Andreas Jaeger
http://bugzilla.suse.com/show_bug.cgi?id=948773
http://bugzilla.suse.com/show_bug.cgi?id=948773#c14
--- Comment #14 from Dominique Leuenberger
Thorsten just debugged:
utmp entries are not written.
ok - now I think I know what we're seeing - that was originally done by gnome-pty-helper, which is no longer available in GNOME 3.18 (but on Leap we ship GNOME 3.16). So, for LEAP, I consider this bug invalid unless it can be reproduced on a clean Leap install. For Tumbleweed, the bug is valid though - there we have GNOME Terminal 3.18 and vte 0.42, which misses the functionality.
http://bugzilla.suse.com/show_bug.cgi?id=948773
http://bugzilla.suse.com/show_bug.cgi?id=948773#c18
Thorsten Kukuk
And that entire code has not been touched since 2005 (last commit on pam_module_getlogin 2005-11-23 by Thorsten)
Why should somebody touch simple, working, bug-free code?
http://bugzilla.suse.com/show_bug.cgi?id=948773
http://bugzilla.suse.com/show_bug.cgi?id=948773#c19
--- Comment #19 from Thorsten Kukuk
So xterm is the odd one out :)
xterm is the correct one :) As you could see from aj's comment, there are more tools depending on correct utmp entries than only pam_wheel. Maybe today Desktop users don't care, but for SLES this could become a problem.
http://bugzilla.suse.com/show_bug.cgi?id=948773
http://bugzilla.suse.com/show_bug.cgi?id=948773#c20
Dominique Leuenberger
http://bugzilla.suse.com/show_bug.cgi?id=948773
http://bugzilla.suse.com/show_bug.cgi?id=948773#c21
Thorsten Kukuk
Which other tool?
All the ones reading utmp.
'who' is supposed to tell me who is logged in - not how many terminals a user has open
the behavior of who in the last 20 years was different.
you did not answer the question why gnomesu should not be allowed to make use of pam_wheel - it is not started as a terminal and would thus not be required to register in utmp.
Since I never wrote that gnomesu should not be allowed to make use of pam_wheel, I cannot answer that. Between, pam_wheel's 'use_uid' option has a completely different behavior than the default use of utmp and is no replacement.
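
The difference between the two terminals, as an added example that is not part of the thread: a utmp lookup keyed on the terminal finds a name for the xterm on pts/9 and nothing for the terminal on pts/3, matching "by aj(uid=659)" versus "by (uid=659)" in the quoted pam_unix lines. It assumes the 384-byte Linux/glibc x86-64 utmp record layout and runs on constructed sample records; all function names are hypothetical.

```python
import struct

# Assumed record layout: Linux/glibc struct utmp on x86-64, 384 bytes per entry.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
BOOT_TIME, LOGIN_PROCESS, USER_PROCESS = 2, 6, 7  # ut_type values from <utmp.h>


def make_record(ut_type, pid, line, user):
    """Pack one utmp entry (used here only to build constructed sample data)."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(), b"",
                     0, 0, 0, 0, 0, 0, 0, 0, 0, b"")


def login_for_tty(utmp_bytes, tty):
    """Return the login name utmp records for this terminal, or None."""
    line = tty[len("/dev/"):] if tty.startswith("/dev/") else tty
    for off in range(0, len(utmp_bytes) - UTMP.size + 1, UTMP.size):
        rec = UTMP.unpack_from(utmp_bytes, off)
        ut_type, ut_line, ut_user = rec[0], rec[2], rec[4]
        if ut_type not in (LOGIN_PROCESS, USER_PROCESS):
            continue  # boot markers, dead sessions etc. never name a user
        if ut_line.split(b"\0", 1)[0].decode() == line:
            return ut_user.split(b"\0", 1)[0].decode() or None
    return None


def opened_by(utmp_bytes, tty, uid):
    """Format the caller the way the quoted pam_unix lines do: name(uid=N)."""
    return f"{login_for_tty(utmp_bytes, tty) or ''}(uid={uid})"


# Constructed sample: the xterm on pts/9 registered itself, the terminal on
# pts/3 wrote no entry at all.
SAMPLE_UTMP = (make_record(BOOT_TIME, 0, "~", "reboot")
               + make_record(USER_PROCESS, 4972, "pts/9", "aj"))

if __name__ == "__main__":
    for tty in ("/dev/pts/9", "/dev/pts/3"):
        print(tty, "->", login_for_tty(SAMPLE_UTMP, tty), "|",
              "by", opened_by(SAMPLE_UTMP, tty, 659))
```

An empty name before "(uid=...)" in su's session log is therefore a quick sign that the terminal never registered in utmp.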