Bug 158179 - sudo does not respect MIT-MAGIC-COOKIE
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: pam
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Tomas Mraz
Blocks: FC4Update
Reported: 2005-05-19 12:40 UTC by Didier
Modified: 2007-11-30 22:11 UTC

Fixed In Version: pam-0.79-9.1
Doc Type: Bug Fix
Last Closed: 2005-07-01 08:30:02 UTC



Description Didier 2005-05-19 12:40:28 UTC
Description of problem:

After upgrading from FC4t2 to FC4t3, I am unable to open sudo-invoked root
terminals in an X session.


Version-Release number of selected component (if applicable):

xorg-x11-6.8.2-30
gdm-2.6.0.8-12
sudo-1.6.8p8-1


How reproducible:

Always


Steps to Reproduce:
1. Log in to X as a normal (non-root) user
2. $ sudo /bin/su - root -c gnome-terminal

  
Actual results:

No root terminal opens.

* shell output :

Xlib: connection to ":0.0" refused by server
Xlib: Invalid MIT-MAGIC-COOKIE-1 key

(gnome-terminal:22862): Gtk-WARNING **: cannot open display:

* /var/log/gdm/:0.log output :

AUDIT: Thu May 19 14:34:23 2005: 3820 X: client 36 rejected from local host
  Auth name: MIT-MAGIC-COOKIE-1 ID: -1


Expected results:

A root gnome-terminal should open, as when invoking :
$ /bin/su - root -c gnome-terminal

Additional info:

- This worked perfectly in FC3 and up to and including FC4t2 ;
- SELinux is not enabled ;
- please note that due to bug #158176, I am unable to strace the process.

Comment 1 Karel Zak 2005-05-19 22:03:28 UTC
Can you try these commands:

  $ xauth info
  $ xauth list "$DISPLAY"
  $ sudo su - root -c "xauth info"
  $ sudo su - root -c set | grep XAUTHORITY

BTW, I can reproduce it on FC3 with the command:

   $ sudo su - root -c "unset XAUTHORITY; gnome-terminal"
   Xlib: connection to ":0.0" refused by server
   Xlib: No protocol specified

   (gnome-terminal:12431): Gtk-WARNING **: cannot open display:

-- I have sudo-1.6.8p8-1 in FC3 and it works fine.

I think there's probably a problem with sudo env reset or with PAM.

Comment 2 Didier 2005-05-20 07:35:51 UTC
didier@dmbr042 ~$ xauth info
Authority file:       /home/didier/.Xauthority
File new:             no
File locked:          no
Number of entries:    3
Changes honored:      yes
Changes made:         no
Current input:        (argv):1

didier@dmbr042 ~$ xauth list "$DISPLAY"
dmbr042.fvms.UGent.be/unix:0  MIT-MAGIC-COOKIE-1  a31e69866f1ee0da11db667fa59074de

didier@dmbr042 ~$ sudo su - root -c "xauth info"
Authority file:       /root/.Xauthority
File new:             no
File locked:          no
Number of entries:    1
Changes honored:      yes
Changes made:         no
Current input:        (argv):1

didier@dmbr042 ~$ sudo su - root -c set | grep XAUTHORITY

(last command returns nothing)



pam versions :

pam_ccreds-1-6
pam_smb-1.1.7-6
pam-0.79-8
pam_mount-0.9.24-1
pam_passwdqc-0.7.6-1
pam_krb5-2.1.5-1
pam-devel-0.79-8


Comment 3 Karel Zak 2005-05-20 08:02:34 UTC
That's bad: sudo su - root -c "xauth info" should return the path to ~/didier.
I have one last question: can you try it without sudo? That means:
 su - root -c gnome-terminal (or su - -c "xauth info"). Thanks.


Comment 4 Didier 2005-05-20 08:19:26 UTC
1.

$ su - root -c gnome-terminal

Works perfectly ; in the newly opened terminal :

# xauth info
Authority file:       /root/.xauthqnPJHY
File new:             no
File locked:          no
Number of entries:    1
Changes honored:      yes
Changes made:         no
Current input:        (argv):1

# ls -al /root/.xauthqnPJHY
-rw-------  1 root root 66 mei 19 14:12 /root/.xauthqnPJHY

# xauth list "$DISPLAY"
dmbr042.fvms.UGent.be/unix:0  MIT-MAGIC-COOKIE-1 a31e69866f1ee0da11db667fa59074de



2.

$ su - -c "xauth info"
Password:
Authority file:       /root/.xauthVqEQ7F
File new:             no
File locked:          no
Number of entries:    1
Changes honored:      yes
Changes made:         no
Current input:        (argv):1

# ls -al /root/.xauthVqEQ7F
ls: /root/.xauthVqEQ7F: No such file or directory
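
The by-hand comparison done in Comments 1 to 4, as an added example that is not part of the original bug report or of sudo/pam: it parses `xauth info` and `xauth list` output and classifies whether the target context holds the session's cookie, without printing the cookie. The function names, the host `host.example`, and both cookie values are constructed for illustration.

```shell
#!/bin/sh
# Added example. All sample data below is constructed, not taken from the bug.

# Print the "Authority file" path from `xauth info` output read on stdin.
authority_file() {
    sed -n 's/^Authority file:[[:space:]]*//p'
}

# Print the MIT-MAGIC-COOKIE-1 key for display number $1 from `xauth list`
# output read on stdin (entries look like "host/unix:0  PROTO  HEXKEY").
cookie_for_display() {
    awk -v d="$1" '$2 == "MIT-MAGIC-COOKIE-1" && $1 ~ (":" d "$") { print $3; exit }'
}

# compare_cookies SESSION_LIST TARGET_LIST DISPLAY_NUMBER
# Classifies the target context without ever printing a cookie value:
#   match   - target presents the same key as the session
#   stale   - target has an entry for the display, but a different key
#   missing - target has no entry for the display at all
compare_cookies() {
    want=$(printf '%s\n' "$1" | cookie_for_display "$3")
    have=$(printf '%s\n' "$2" | cookie_for_display "$3")
    if   [ -z "$want" ];        then echo "no-session-cookie"
    elif [ -z "$have" ];        then echo "missing"
    elif [ "$want" = "$have" ]; then echo "match"
    else                             echo "stale"
    fi
}

# Constructed sample outputs in the format shown in the comments above.
SESSION_INFO='Authority file:       /home/user/.Xauthority
File new:             no
Number of entries:    1'
SESSION_LIST='host.example/unix:0  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff'
TARGET_LIST='host.example/unix:0  MIT-MAGIC-COOKIE-1  ffeeddccbbaa99887766554433221100'

echo "session authority file: $(printf '%s\n' "$SESSION_INFO" | authority_file)"
echo "target context: $(compare_cookies "$SESSION_LIST" "$TARGET_LIST" 0)"
```

On a live system, the two list arguments would come from `xauth list` in the user's shell and from `sudo su - root -c "xauth list"`.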




Comment 5 Karel Zak 2005-05-20 08:21:02 UTC
I forgot, please send your '/etc/sudoers'. 

Comment 6 Didier 2005-05-20 08:46:41 UTC
Created attachment 114618 [details]
/etc/sudoers

Comment 7 Didier 2005-05-24 09:11:01 UTC
Created attachment 114765 [details]
sudo strace

As bug #158176 has been fixed in the latest kernel, I'm including an strace log
of :

$ sudo su - root -c "strace -o/root/gnome-terminal.strace -f gnome-terminal"
Xlib: connection to ":0.0" refused by server
Xlib: Invalid MIT-MAGIC-COOKIE-1 key

(gnome-terminal:26591): Gtk-WARNING **: cannot open display:

Comment 8 Tomas Mraz 2005-05-24 10:26:14 UTC
This is a known bug, but it will be fixed after the FC4 release as a pam update.


Comment 10 Michael Wyraz 2005-07-01 08:25:16 UTC
The bug is still present in the FC4 release and should be updated.

Comment 11 Tomas Mraz 2005-07-01 08:30:02 UTC
Update to pam package in updates-testing (audit-libs update needed as well)
which should resolve this issue.


Comment 12 Didier 2005-07-05 21:11:04 UTC
Confirmed fixed in pam-0.79-9.1 ; thanks.

