Bug 110369

Summary: gtk_init_check () doesn't handle xauth failures
Product: Red Hat Enterprise Linux 3 Reporter: Matthew Galgoci <mgalgoci>
Component: gtk2Assignee: Matthias Clasen <mclasen>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 3.0CC: aleksey, mitr, nalin, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-10-19 19:32:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matthew Galgoci 2003-11-18 21:48:52 UTC 
Description of problem:

sudo does not use pam_xauth in its pam config file so that when
ssh'd in remotely to a server and you type sudo su -  and try
and run an x client (such as up2date) you get something like this:

[root@pedro root]# up2date -l
X11 connection rejected because of wrong authentication.
[root@pedro root]# echo $DISPLAY
localhost:15.0

or

[mgalgoci@razor mgalgoci]$ ssh pedro.ges.redhat.com
mgalgoci@pedro's password:
[mgalgoci@pedro mgalgoci]$ sudo su -
[root@pedro root]# xeyes
X11 connection rejected because of wrong authentication.
X connection to localhost:11.0 broken (explicit kill or server shutdown).
[root@pedro root]# echo $DISPLAY
localhost:11.0

Not that I really wanted to use the gui up2date client in the first
place, it is nevertheless a bug in sudo's configuration.

Steps to Reproduce:
1. ssh to a machine as a user
2. sudo su -  to root
3. try to run an X application.
  
Actual results:

X authentication is rejected.

Expected results:

My xauth credential should be forwarded by pam_xauth to my root
session and my X client should authenticate run.
Comment 1 Thomas Woerner 2004-03-18 15:15:12 UTC 
It is not a good idea to give access to the X11 session per se.
If the user has restricted access to not-X11 programs, he can get
access to the full X11 session with this.

Closing as won't fix.
Comment 2 Matthew Galgoci 2004-05-17 19:45:54 UTC 
Usermod is apparently at fault here because /usr/bin/up2date is a
symlink to consolehelper.

Alternatively, consolehelper should not fail critically if it barfs on
xauth, and instead should fall back to console mode.
Comment 3 Matthew Galgoci 2004-05-17 19:46:48 UTC 
This should probably be re-assigned to nalin :)
Comment 4 Miloslav Trmač 2007-03-07 17:09:40 UTC 
When an X11 session is rejected as described in comment 0, gtk_init_check ()
or something it uses calls exit (1) instead of returning FALSE.
Comment 5 RHEL Program Management 2007-10-19 19:32:58 UTC 
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet that criteria, it is now being closed.
 
For more information of the RHEL errata support policy, please visit:
http://www.redhat.com/security/updates/errata/
 
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.