Bug 454361 - tlock -s doesn't work for root
Summary: tlock -s doesn't work for root
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: tlock
Version: 9
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: pjp
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-07-07 23:00 UTC by Milos Jakubicek
Modified: 2008-07-26 06:01 UTC

Fixed In Version: 1.4-1.fc8
Doc Type: Bug Fix
Last Closed: 2008-07-15 12:18:59 UTC


Attachments
Patch setting correct tty for pam_securetty module (deleted)
2008-07-10 23:14 UTC, Milos Jakubicek

Description Milos Jakubicek 2008-07-07 23:00:14 UTC
Description of problem:

Unlocking a root terminal which has been previously locked using the system
password (tlock -s) doesn't work.

Version-Release number of selected component (if applicable):

tlock-1.3-1.fc9.x86_64

How reproducible:

Always.

Steps to Reproduce:
1. Login as root.
2. Type "tlock -s".
3. Type root's password again to try unlocking (which fails).
  
Actual results:

"access denied, invalid password"

Expected results:

Terminal is unlocked again.

Additional info:

It DOES work for regular users, does NOT work only for root when using the "-s"
option. I've done some quick debugging, the reason seems to be in
pam_authenticate () which returns a value of 3 = PAM_SERVICE_ERR. Maybe this is
a PAM bug because for each try I get the following line written to syslog:

Jul  7 15:59:06 localhost tlock: pam_securetty(login:auth): cannot determine user's tty

(Again: this message doesn't appear when using tlock as regular user or as root
but without the "-s" option).

Comment 1 pjp 2008-07-10 09:38:51 UTC
  Hey Milos, thanks for the information.

I'm aware of this tlock behaviour, and am not really sure if it's a tlock bug.
I guess, it's something to do with the way Linux-PAM works. I tried to configure
pam_rootok.so(8) in the `/etc/pam.d/login' but it didn't help much.

I'm trying to find the appropriate solution for this.

Thank you!

Comment 2 pjp 2008-07-10 09:52:37 UTC
Also, though removing - "auth ... pam_securetty.so" - from /etc/pam.d/login 
solves the problem, I doubt if that's the way to go.

Comment 4 Milos Jakubicek 2008-07-10 23:14:19 UTC
OK, I spent half an hour in the PAM source code ending up in the second
paragraph in the article you pointed out:)

>"This module has no effect on non-root users and requires that the application
>fills in the PAM_TTY  item correctly."

All that needs to be done is to set the tty using pam_set_item() -- see the
proposed patch I'm attaching.

Note: 

- Because pts/X is not included in /etc/securetty, if found, tty is set to
"console".
- I also removed one obviously unused variable that gcc displayed a warning about.
- Hope it will work fine:)

Comment 5 Milos Jakubicek 2008-07-10 23:14:27 UTC
Created attachment 311523
Patch setting correct tty for pam_securetty module

Comment 6 pjp 2008-07-11 05:29:53 UTC
  Hi Milos, thank you so much for the patch.

The patch looks okay to me, except that instead of "/dev/pts/", I think it'll do
with just "/dev/". Because "/dev/pts/" you see on X terminals, whereas on text
terminals you get "/dev/tty[1-6]". I'll apply it over the week-end, hope that's
okay.

Thank you! :)

Comment 7 Milos Jakubicek 2008-07-11 07:48:06 UTC
Hi,

(In reply to comment #6)
>   Hi Milos, thank you so much for the patch.
> 
> The patch looks okay to me, except that instead of "/dev/pts/", I think it'll do
> with just "/dev/".

Hm, I don't think this is a good idea: if you change /dev/pts to /dev only then
you will *always* use "console" -- I can hardly imagine that ttyname() returns
anything not prefixed by /dev.

> Because "/dev/pts/" you see on X terminals, whereas on text
> terminals you get "/dev/tty[1-6]".

Yes, but that's not a problem because all of those /dev/ttyX are included in
/etc/securetty by default (as opposed to /dev/pts/X). Hence the proposed
solution works both on /dev/ttyX and /dev/pts/X (which will be translated into
"console").

> I'll apply it over the week-end, hope that's
> okay.
> 
> Thank you! :)

You're welcome;)
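
The PAM_TTY handling discussed in comments 4 to 7, as an added example that is not the attached patch or tlock's own code: the helper names, the "/dev/" stripping step and the sample securetty list are assumptions made for illustration. It maps a ttyname() result to the value an application would pass to pam_set_item(pamh, PAM_TTY, ...) and compares the "/dev/pts/" prefix check with the "/dev/" one.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of /etc/securetty entries (not read from the system). */
static const char *const SAMPLE_SECURETTY[] = { "console", "tty1", "tty2", "tty3", NULL };

/* Map a ttyname() result to a PAM_TTY value. Devices under pts_prefix become
 * "console", as comment 4 describes; other devices keep their name with the
 * leading "/dev/" removed (an assumption, so names match securetty entries).
 * pts_prefix is a parameter so the "/dev/" variant from comment 6 can be tried. */
const char *pam_tty_value(const char *dev_path, const char *pts_prefix)
{
    if (dev_path == NULL)
        return NULL;                 /* no tty: nothing to hand to PAM */
    if (strncmp(dev_path, pts_prefix, strlen(pts_prefix)) == 0)
        return "console";
    if (strncmp(dev_path, "/dev/", 5) == 0)
        return dev_path + 5;         /* "/dev/tty1" -> "tty1" */
    return dev_path;
}

/* Simplified stand-in for the securetty lookup: 1 if the tty is listed. */
int tty_is_secure(const char *tty)
{
    if (tty == NULL)
        return 0;                    /* the "cannot determine user's tty" case */
    for (size_t i = 0; SAMPLE_SECURETTY[i] != NULL; i++)
        if (strcmp(tty, SAMPLE_SECURETTY[i]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed device paths; /dev/ttyS9 is deliberately not in the sample list. */
    const char *paths[] = { "/dev/tty1", "/dev/pts/3", "/dev/ttyS9" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        const char *a = pam_tty_value(paths[i], "/dev/pts/");
        const char *b = pam_tty_value(paths[i], "/dev/");
        printf("%-11s \"/dev/pts/\" check: %-8s listed=%d | \"/dev/\" check: %-8s listed=%d\n",
               paths[i], a, tty_is_secure(a), b, tty_is_secure(b));
    }
    return 0;
}
```

With the "/dev/" prefix every device, including the unlisted /dev/ttyS9, is reported as "console", so the securetty list no longer distinguishes between terminals.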

Comment 8 pjp 2008-07-11 19:46:29 UTC
  Hello Milos :)

I did apply that patch. Please have a look at the latest files at

SPEC: http://pjp.dgplug.org/tools/tlock.spec
SORC: http://pjp.dgplug.org/tools/tlock-1.4.tar.gz
SRPM: http://pjp.dgplug.org/tools/tlock-1.4-1.fc8.src.rpm

Hey, now how do I push these changes to the main repositories (i.e. FC-[89],
EL-[45], and devel) again?

Thank you so much!

Comment 9 Milos Jakubicek 2008-07-11 21:46:13 UTC
Fine, please follow:

http://fedoraproject.org/wiki/PackageMaintainers/UpdatingPackageHowTo

Some short hints: 
- in rawhide (devel) you do not release updates; any new build is by default
automatically included in the repository.
- you can create an update either using the web interface
(https://admin.fedoraproject.org/updates) or using "make update" in the branch
directory (F-8, F-9...).
- you can (and should) associate bugs which should be resolved by the newly
created update with it (and if using the web interface, you can also set the bug
reports to be autoclosed when the update is pushed into the repository; make update
currently doesn't support this).

Comment 10 pjp 2008-07-12 13:04:48 UTC
  Hi Milos, thanks for those links.

I was following the first link, I already have the checked out sources of
tlock-1.3 from the *first* build, but none of the make files there have target
`new-sources', so when I say 

   (~/src/fedora/tlock)$ make new-sources FILES="tlock-1.4.tar.gz"

make stops saying: "no rule to make target new-sources". Could you please help?

Thank you!

Comment 11 Milos Jakubicek 2008-07-12 13:20:03 UTC
Just cd to the branch directory first, e.g. ~/src/fedora/tlock/devel in your
case. This must be repeated for every branch you want to update with the new
sources (because you can have different sources for different branches of course).

(I confirm this is not very clear from the wiki, I'll probably add a short
comment there.)

Comment 12 Fedora Update System 2008-07-12 18:12:01 UTC
tlock-1.4-1.fc8 has been submitted as an update for Fedora 8

Comment 13 Fedora Update System 2008-07-12 18:13:51 UTC
tlock-1.4-1.fc9 has been submitted as an update for Fedora 9

Comment 14 Fedora Update System 2008-07-15 12:18:57 UTC
tlock-1.4-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2008-07-15 12:20:10 UTC
tlock-1.4-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2008-07-26 06:01:11 UTC
tlock-1.4-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

