Bug 1866866

Summary:	PAM can't identify the user when running via gnome-terminal in an X session
Product:	Red Hat Enterprise Linux 8	Reporter:	Akshay Sakure <asakure>
Component:	pam	Assignee:	Iker Pedrosa <ipedrosa>
Status:	CLOSED ERRATA	QA Contact:	shridhar <sgadekar>
Severity:	medium	Docs Contact:
Priority:	unspecified
Version:	8.2	CC:	dapospis, dlavu, pbrezina, sgadekar
Target Milestone:	rc	Flags:	pm-rhel: mirror+
Target Release:	8.0
Hardware:	x86_64
OS:	Linux
Whiteboard:	sync-to-jira
Fixed In Version:	pam-1.3.1-13.el8	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2021-05-18 14:59:51 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Akshay Sakure 2020-08-06 16:12:15 UTC

Description of problem:
PAM can't identify the user when running via gnome-terminal in an X session

Version-Release number of selected component (if applicable):
pam-1.3.1-8.el8.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Install rhel8.2 with X/gnome
2. Create "testuser" user and set password
3. Configure "testuser" user in sudoers to be able to sudo without password: 
---
testuser        ALL=(ALL)	NOPASSWD: ALL
---

4. Congiure pam.d/sudo to verify the account based on group membership, for example
   Comment out : "#account    include      system-auth" and replace with:
---
account    sufficient   pam_wheel.so trust group=users debug
---

5. Add user to users group: usermod -G users testuser

6. Ssh into the machine as "testuser" and issue "sudo su" or any "sudo <command>" and verify you can elevate successfully

7. Issue "service start gdm" or "systemctl isolate graphical.target" and login as "testuser" 

8. Launch a terminal and try "sudo su" or any "sudo <command>" and you will get:
---
sudo: PAM account management error: Permission denied" instead.
---

9. Check the output of /var/log/secure, this is the output when run via a gnome-terminal X session and running "sudo su":
---
Jul 13 16:32:05 rhel8 sudo[22790]: pam_wheel(sudo:account): who is running me ?! 
Jul 13 16:32:05 rhel8 sudo[22790]: testuser : PAM account management error: Permission denied ; TTY=pts/2 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/su
---
   Similar issue is observed when user logins with 'su'.

Actual results:
PAM doesn't identify the user and sudo fails in X session.

Expected results:
PAM should correctly identify the user and sudo should work well in X session.

Additional info:
However, sudo works well in SSH session:
---
Jul 13 16:31:29 rhel8 sudo[22765]: pam_wheel(sudo:account): Access granted to 'testuser' for 'testuser'
Jul 13 16:31:29 rhel8 sudo[22765]: testuser : TTY=pts/3 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/su
Jul 13 16:31:29 rhel8 sudo[22765]: pam_systemd(sudo:session): Cannot create session: Already running in a session or user slice
Jul 13 16:31:29 rhel8 sudo[22765]: pam_unix(sudo:session): session opened for user root by testuser(uid=0)
Jul 13 16:31:29 rhel8 su[22766]: pam_systemd(su:session): Cannot create session: Already running in a session or user slice
Jul 13 16:31:29 rhel8 su[22766]: pam_unix(su:session): session opened for user root by testuser(uid=0)
---

Comment 3 Tomas Mraz 2020-08-06 16:53:19 UTC

It is a side effect of the terminal windows not having a login session in /var/run/utmp anymore.

Perhaps a fallback to PAM_RUSER could be done.

And if that does not work the thing that is done for use_uid could be done as well with the exception if getuid() returns 0 as that would be suspicious.

Comment 4 Iker Pedrosa 2020-09-10 07:34:12 UTC

master:
    6bf9b454eb971083f0cce49faa2aa1cde329ff5d - pam_wheel: improve coding style
    9091ea1d81e85f49a221b0325d27b22ce69e444a - pam_wheel: if getlogin fails fallback to PAM_RUSER
    a3a5cbf86083c43026b558e2023f597530626267 - pam_wheel: clarify use_uid option in man page

Comment 11 shridhar 2020-12-03 10:45:32 UTC

tested against:
[testuser@localhost ~]$ rpm -q pam
pam-1.3.1-14.el8.x86_64

Logged in as testuser via Gnome.

[testuser@localhost ~]$ sudo -l
Matching Defaults entries for testuser on localhost:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User testuser may run the following commands on localhost:
    (ALL) NOPASSWD: ALL
[testuser@localhost ~]$ 

from /var/log/messages
Dec  3 05:42:57 localhost gdm-password][4687]: pam_unix(gdm-password:session): session closed for user testuser
Dec  3 05:42:57 localhost polkitd[885]: Unregistered Authentication Agent for unix-session:5 (system bus name :1.648, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Dec  3 05:43:01 localhost systemd[35180]: pam_unix(systemd-user:session): session opened for user testuser by (uid=0)
Dec  3 05:43:01 localhost gdm-password][35171]: pam_unix(gdm-password:session): session opened for user testuser by (uid=0)
Dec  3 05:43:03 localhost polkitd[885]: Registered Authentication Agent for unix-session:7 (system bus name :1.979 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec  3 05:43:22 localhost sudo[35832]: pam_wheel(sudo:account): Access granted to 'testuser' for 'testuser'
Dec  3 05:43:22 localhost sudo[35832]: testuser : TTY=pts/0 ; PWD=/home/testuser ; USER=root ; COMMAND=list
Dec  3 05:44:19 localhost su[35873]: pam_systemd(su-l:session): Cannot create session: Already running in a session or user slice
Dec  3 05:44:19 localhost su[35873]: pam_unix(su-l:session): session opened for user root by (uid=1001)


user is able to run the sudo command after logging in via GUI.

Comment 14 errata-xmlrpc 2021-05-18 14:59:51 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pam bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1649