Bug 158179

Summary: sudo does not respect MIT-MAGIC-COOKIE
Product: [Fedora] Fedora Reporter: Didier <d.bz-redhat>
Component: pamAssignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 4CC: kzak, michael
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pam-0.79-9.1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-07-01 08:30:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 158504    
Attachments:
Description Flags
/etc/sudoers
none
sudo strace none

Description Didier 2005-05-19 12:40:28 UTC 
Description of problem:

After upgrading from FC4t2 to FC4t3, I am unable to open sudo-invoked root
terminals in an X session.


Version-Release number of selected component (if applicable):

xorg-x11-6.8.2-30
gdm-2.6.0.8-12
sudo-1.6.8p8-1


How reproducible:

Always


Steps to Reproduce:
1. Login in X as normal (non-root) user
2. $ sudo /bin/su - root -c gnome-terminal

  
Actual results:

No root terminal opens.

* shell output :

Xlib: connection to ":0.0" refused by server
Xlib: Invalid MIT-MAGIC-COOKIE-1 key

(gnome-terminal:22862): Gtk-WARNING **: cannot open display:

* /var/log/gdm/:0.log output :

AUDIT: Thu May 19 14:34:23 2005: 3820 X: client 36 rejected from local host
  Auth name: MIT-MAGIC-COOKIE-1 ID: -1


Expected results:

A root gnome-terminal should open, as when invoking :
$ /bin/su - root -c gnome-terminal

Additional info:

- This worked perfectly in FC3 and up to and including FC4t2 ;
- SELinux is not enabled ;
- please note that due to bug #158176, I am unable to strace the process.
Comment 1 Karel Zak 2005-05-19 22:03:28 UTC 
Can you try commands:

  $ xauth info
  $ xauth list "$DISPLAY"
  $ sudo su - root -c "xauth info"
  $ sudo su - root -c set | grep XAUTHORITY

BTW, I can reproduce it on FC3 by command:

   $ sudo su - root -c "unset XAUTHORITY; gnome-terminal"
   Xlib: connection to ":0.0" refused by server
   Xlib: No protocol specified

   (gnome-terminal:12431): Gtk-WARNING **: cannot open display:

-- I have sudo-1.6.8p8-1 in FC3 and it works fine.

I think there's probably a problem with sudo env reset or with PAM.
Comment 2 Didier 2005-05-20 07:35:51 UTC 
didier@dmbr042 ~$ xauth info
Authority file:       /home/didier/.Xauthority
File new:             no
File locked:          no
Number of entries:    3
Changes honored:      yes
Changes made:         no
Current input:        (argv):1

didier@dmbr042 ~$ xauth list "$DISPLAY"
dmbr042.fvms.UGent.be/unix:0  MIT-MAGIC-COOKIE-1  a31e69866f1ee0da11db667fa59074de

didier@dmbr042 ~$ sudo su - root -c "xauth info"
Authority file:       /root/.Xauthority
File new:             no
File locked:          no
Number of entries:    1
Changes honored:      yes
Changes made:         no
Current input:        (argv):1

didier@dmbr042 ~$ sudo su - root -c set | grep XAUTHORITY

(last command returns nothing)



pam versions :

pam_ccreds-1-6
pam_smb-1.1.7-6
pam-0.79-8
pam_mount-0.9.24-1
pam_passwdqc-0.7.6-1
pam_krb5-2.1.5-1
pam-devel-0.79-8
Comment 3 Karel Zak 2005-05-20 08:02:34 UTC 
It's bad, sudo su - root -c "xauth info" should be returns path to ~/didier.
I have last question: can you try it without sudo? -- it means:
 su - root -c gnome-terminal (or su - -c "xauth info"). Thanks.
Comment 4 Didier 2005-05-20 08:19:26 UTC 
1.

$ su - root -c gnome-terminal

Works perfectly ; in the newly opened terminal :

# xauth info
Authority file:       /root/.xauthqnPJHY
File new:             no
File locked:          no
Number of entries:    1
Changes honored:      yes
Changes made:         no
Current input:        (argv):1

# ls -al /root/.xauthqnPJHY
-rw-------  1 root root 66 mei 19 14:12 /root/.xauthqnPJHY

# xauth list "$DISPLAY"
dmbr042.fvms.UGent.be/unix:0  MIT-MAGIC-COOKIE-1 a31e69866f1ee0da11db667fa59074de



2.

$ su - -c "xauth info"
Password:
Authority file:       /root/.xauthVqEQ7F
File new:             no
File locked:          no
Number of entries:    1
Changes honored:      yes
Changes made:         no
Current input:        (argv):1

# ls -al /root/.xauthVqEQ7F
ls: /root/.xauthVqEQ7F: No such file or directory
Comment 5 Karel Zak 2005-05-20 08:21:02 UTC 
I forgot, please send your '/etc/sudoers'.
Comment 6 Didier 2005-05-20 08:46:41 UTC 
Created attachment 114618 [details]
/etc/sudoers
Comment 7 Didier 2005-05-24 09:11:01 UTC 
Created attachment 114765 [details]
sudo strace

As bug #158176 has been fixed in the latest kernel, I'm including an strace log
of :

$ sudo su - root -c "strace -o/root/gnome-terminal.strace -f gnome-terminal"
Xlib: connection to ":0.0" refused by server
Xlib: Invalid MIT-MAGIC-COOKIE-1 key

(gnome-terminal:26591): Gtk-WARNING **: cannot open display:
Comment 8 Tomas Mraz 2005-05-24 10:26:14 UTC 
This is known bug but it will be fixed after the FC4 release as a pam update.
Comment 10 Michael Wyraz 2005-07-01 08:25:16 UTC 
The Bug is still pressent in FC4 release and should be updated.
Comment 11 Tomas Mraz 2005-07-01 08:30:02 UTC 
Update to pam package in updates-testing (audit-libs update needed as well)
which should resolve this issue.
Comment 12 Didier 2005-07-05 21:11:04 UTC 
Confirmed fixed in pam-0.79-9.1 ; thanks.