Bug 176033

Summary: su fails
Product: [Fedora] Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Reporter: David Woodhouse <dwmw2>
Assignee: Daniel Walsh <dwalsh>
CC: tmraz, twaugh
Fixed In Version: current
Doc Type: Bug Fix
Last Closed: 2007-03-16 03:35:20 UTC
Attachments: strace

Description David Woodhouse 2005-12-17 22:50:40 UTC
On a fresh rawhide install with selinux disabled, su fails, reporting (falsely)
'incorrect password'.

Dec 17 17:32:15 pmac su: pam_unix(su:auth): authentication failure;
logname=dwmw2 uid=500 euid=0 tty=tty1 ruser=dwmw2 rhost=  user=root

'ssh root@localhost' works fine.

Comment 1 Tim Waugh 2005-12-18 10:29:18 UTC
What version of coreutils, and of pam?

Comment 2 David Woodhouse 2005-12-18 13:28:42 UTC
20051217 rawhide:
coreutils-5.93-4.1.ppc
pam-0.99.2.1-2.ppc
pam-0.99.2.1-2.ppc64


Comment 3 Tim Waugh 2005-12-19 09:27:48 UTC
Seems to be a pam issue, according to one of the fedora mailing lists.

Comment 4 Tomas Mraz 2005-12-19 09:47:07 UTC
Can you please attach a strace of it? It should be good enough to attach to the
su process when it is asking for a password. (Of course change the password
before that so it isn't valuable.)


Comment 5 Tomas Mraz 2005-12-19 10:07:19 UTC
I cannot reproduce this issue on rawhide i386 with coreutils-5.93-4.1 and
pam-0.99.2.1-2 with SELinux disabled. So it might even be a ppc only problem.


Comment 6 David Woodhouse 2005-12-20 00:38:11 UTC
I can't reproduce it any more either. There exists a possibility that I just
mistyped the password _repeatedly_ and then happened to get it right the first
time I tried to 'ssh root@localhost' instead. Or maybe there was something wrong
with the system date, which has been known to make PAM unhappy. Either way, I
think we can close this. Apologies for the noise.

Comment 7 David Woodhouse 2005-12-20 01:16:42 UTC
I lie. It happens again on a clean install, although this time I'm inclined to
blame selinux and I'm fairly sure I'd booted with 'selinux=0' last time, because
I didn't think the system would boot at all without it.

Comment 8 David Woodhouse 2005-12-20 01:17:33 UTC
Created attachment 122431
strace

Comment 9 Tomas Mraz 2005-12-20 07:58:26 UTC
Yep, this is selinux preventing pam_unix from reading /etc/shadow (which is right),
but then it prevents it from running /sbin/unix_chkpwd (which should be allowed).
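
Added example, not part of the bug thread: a log triage sketch for the failure mode diagnosed in comment 9, flagging pam_unix authentication failures that coincide with an SELinux AVC denial on unix_chkpwd, so a false 'incorrect password' can be told apart from a real one. The AVC record and its type names, the 5-second window, the assumption that kernel AVC messages land in the same syslog file, and the function name triage are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample input. The first pam_unix line is the one quoted in the description;
# the AVC record and the second failure are constructed, and the SELinux type
# names (example_src_t, example_tgt_t) are placeholders, not real policy types.
SAMPLE_LOG = """\
Dec 17 17:32:14 pmac kernel: audit(1134858734.120:7): avc:  denied  { execute } for  pid=2101 comm="su" name="unix_chkpwd" dev=hda3 ino=4711 scontext=user_u:system_r:example_src_t tcontext=system_u:object_r:example_tgt_t tclass=file
Dec 17 17:32:15 pmac su: pam_unix(su:auth): authentication failure; logname=dwmw2 uid=500 euid=0 tty=tty1 ruser=dwmw2 rhost=  user=root
Dec 17 18:05:40 pmac su: pam_unix(su:auth): authentication failure; logname=alice uid=501 euid=0 tty=tty2 ruser=alice rhost=  user=root
"""

# "Mon DD HH:MM:SS host rest-of-message"
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (.*)$")
PAM_FAIL = re.compile(r"pam_unix\(([\w-]+):auth\): authentication failure;.*\bruser=(\S*)")
AVC_CHKPWD = re.compile(r'avc:\s+denied\s+\{[^}]*\}.*\bname="?unix_chkpwd"?')

def triage(log_text, window=timedelta(seconds=5), year=2005):
    """Return (service, ruser, verdict) for every pam_unix auth failure.

    Syslog timestamps carry no year, so one is supplied by the caller.
    """
    denials, failures = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in syslog format
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        if AVC_CHKPWD.search(msg):
            denials.append(when)
        elif (f := PAM_FAIL.search(msg)):
            failures.append((when, f.group(1), f.group(2)))
    results = []
    for when, service, ruser in failures:
        # A denial on the helper close to the failure means the password
        # may never have been checked at all.
        blocked = any(abs(when - d) <= window for d in denials)
        verdict = "selinux-denied-helper" if blocked else "no-denial-seen"
        results.append((service, ruser, verdict))
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(*row)
```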


Comment 10 Daniel Walsh 2005-12-20 14:18:35 UTC
This is a known problem in labeling the homedirs in the install.

restorecon -R -v /root /home

Should clean it up.  Hopefully tonight's rawhide will fix the problem.

Comment 11 Daniel Walsh 2006-01-02 17:12:46 UTC
Fixed in selinux-policy-2.1.6-19

Also coreutils is changed to not use selinux for su any longer.

Comment 12 Daniel Walsh 2007-03-16 03:35:20 UTC
Closing several old modified bugs