Bug 1409874

Summary: Opening Users page immediately removes me from group wheel (sudo access)!
Product: [Fedora] Fedora Reporter: Alan Jenkins <alan.christopher.jenkins>
Component: control-centerAssignee: Control Center Maintainer <control-center-maint>
Status: CLOSED WORKSFORME QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 25CC: control-center-maint, fmuellner, mattdm, mkasik, ofourdan, rstrode, tiagomatos
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-01-03 20:03:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Alan Jenkins 2017-01-03 16:54:18 UTC 
Description of problem:

Opening the Users page of Gnome Settings immediately removes me from group wheel.

This is Undesirable, it basically changes my user from an Administrator account type to a Standard account.

I can no longer use `sudo`, in fact there is not a single account left on my system that I can use to run `sudo` or otherwise make system changes.

Version-Release number of selected component (if applicable): control-center-3.22.1-2.fc25.x86_64


How reproducible:

At least on my system, this is 100% reproducible.


Steps to Reproduce:
1. Open app search by pressing windows key
2. Type "Users", select the Users settings result and run it
3. Respond to admin elevation prompt by entering my password

Actual results:

My user is then removed from the `wheel` group:

$ id alan-sysop
uid=1000(alan-sysop) gid=1000(alan-sysop) groups=1000(alan-sysop),1002(sysnote),1003(sshlogin)


Expected results:

Opening Gnome Users does not break my system :).  My user should remain with all the groups it was created with

$ id alan-sysop
uid=1000(alan-sysop) gid=1000(alan-sysop) groups=1000(alan-sysop),10(wheel),1002(sysnote),1003(sshlogin)


Additional info:

The user is called `alan-sysop`.  My notes say it was created as an initial administrator user by the installer (standard GUI installer for Fedora Workstation 25, booted from Live USB).
Comment 1 Matthew Miller 2017-01-03 17:52:22 UTC 
I can't reproduce this. Are you sure you didn't click on the "Standard" button (there are two choices: "Standard|Administrator") in the Users control panel applet? It will have that effect.

A few other things strike me as odd:

1. Are you prompted for elevated privileges _immediately_?  That should only happen when you press "unlock".
2. Do you have other admin accounts (members of the wheel group) on this system? AFAIK the app won't let you remove _all_ users.
3. If you remove the current user from the wheel group in this way, there is a popup telling you that you need to restart for it to take effect. Presumably, you didn't see anything like this.
Comment 2 Alan Jenkins 2017-01-03 17:54:33 UTC 
I do get the popup telling me I need to restart, it is there as soon as Users is opened.
Comment 3 Matthew Miller 2017-01-03 17:59:32 UTC 
That is... curious. That shouldn't happen (and it doesn't, on the two systems I tested it on).
Comment 4 Alan Jenkins 2017-01-03 18:07:38 UTC 
Yes, I am prompted for elevated privileges immediately, even though the button is shown as "unlock" and I have to unlock it before I could make any changes myself.

I am the only wheel user - 

before:

$ grep wheel /etc/group
wheel:x:10:alan-sysop

after:

$ grep wheel /etc/group
wheel:x:10:

Subsequent elevation prompts ask for the password of user "Administrator".  Possibly this is a reference to the root user.

$ grep -i dmin /etc/passwd
alan-sysop:x:1000:1000:Alan Jenkins (System admin):/home/alan-sysop:/bin/bash

The root user is not enabled - there is no password hash for the root user in /etc/shadow, only a "!".
Comment 5 Alan Jenkins 2017-01-03 18:22:23 UTC 
Ok, I started running `rpm -v --all`, and _then_ I noticed hardware errors.

So most likely it's due to bad data from this one drive.

Thanks for looking at my report.


[14022.692008] ata1.00: exception Emask 0x0 SAct 0x20 SErr 0x40000 action 0x0
[14022.692015] ata1.00: irq_stat 0x40000008
[14022.692020] ata1: SError: { CommWake }
[14022.692025] ata1.00: failed command: READ FPDMA QUEUED
[14022.692033] ata1.00: cmd 60/50:28:48:0b:db/00:00:08:00:00/40 tag 5 ncq dma 40960 in
                        res 41/40:00:88:0b:db/00:00:08:00:00/40 Emask 0x409 (media error) <F>
[14022.692037] ata1.00: status: { DRDY ERR }
[14022.692040] ata1.00: error: { UNC }
[14022.692996] ata1.00: configured for UDMA/100
[14022.693015] sd 0:0:0:0: [sda] tag#5 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
[14022.693019] sd 0:0:0:0: [sda] tag#5 Sense Key : Medium Error [current] 
[14022.693023] sd 0:0:0:0: [sda] tag#5 Add. Sense: Unrecovered read error - auto reallocate failed
[14022.693029] sd 0:0:0:0: [sda] tag#5 CDB: Read(10) 28 00 08 db 0b 48 00 00 50 00
[14022.693031] blk_update_request: I/O error, dev sda, sector 148573064
[14022.693057] ata1: EH complete
[14022.720999] ata1.00: exception Emask 0x0 SAct 0x40 SErr 0x0 action 0x0
[14022.721004] ata1.00: irq_stat 0x40000008
[14022.721009] ata1.00: failed command: READ FPDMA QUEUED
[14022.721017] ata1.00: cmd 60/08:30:88:0b:db/00:00:08:00:00/40 tag 6 ncq dma 4096 in
                        res 41/40:00:88:0b:db/00:00:08:00:00/40 Emask 0x409 (media error) <F>
[14022.721022] ata1.00: status: { DRDY ERR }
[14022.721025] ata1.00: error: { UNC }
[14022.721964] ata1.00: configured for UDMA/100
[14022.721977] sd 0:0:0:0: [sda] tag#6 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
[14022.721981] sd 0:0:0:0: [sda] tag#6 Sense Key : Medium Error [current] 
[14022.721985] sd 0:0:0:0: [sda] tag#6 Add. Sense: Unrecovered read error - auto reallocate failed
[14022.721989] sd 0:0:0:0: [sda] tag#6 CDB: Read(10) 28 00 08 db 0b 88 00 00 08 00
[14022.721991] blk_update_request: I/O error, dev sda, sector 148573064
[14022.722016] ata1: EH complete
[14022.744964] ata1.00: exception Emask 0x0 SAct 0x4000000 SErr 0x0 action 0x0
[14022.744969] ata1.00: irq_stat 0x40000008
[14022.744974] ata1.00: failed command: READ FPDMA QUEUED
[14022.744982] ata1.00: cmd 60/08:d0:88:0b:db/00:00:08:00:00/40 tag 26 ncq dma 4096 in
                        res 41/40:00:88:0b:db/00:00:08:00:00/40 Emask 0x409 (media error) <F>
[14022.744987] ata1.00: status: { DRDY ERR }
[14022.744990] ata1.00: error: { UNC }
[14022.746011] ata1.00: configured for UDMA/100
[14022.746025] sd 0:0:0:0: [sda] tag#26 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
[14022.746028] sd 0:0:0:0: [sda] tag#26 Sense Key : Medium Error [current] 
[14022.746032] sd 0:0:0:0: [sda] tag#26 Add. Sense: Unrecovered read error - auto reallocate failed
[14022.746036] sd 0:0:0:0: [sda] tag#26 CDB: Read(10) 28 00 08 db 0b 88 00 00 08 00
[14022.746038] blk_update_request: I/O error, dev sda, sector 148573064
[14022.746064] ata1: EH complete
Comment 6 Matthew Miller 2017-01-03 20:03:36 UTC 
No problem. That's a very weird symptom for hardware errors, but I've seen weirder. :)