Bug 469791

Summary: su broken fc9
Product: [Fedora] Fedora Reporter: Jonathan Andrews <jon>
Component: coreutilsAssignee: Ondrej Vasik <ovasik>
Status: CLOSED CANTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: medium    
Version: 9CC: kdudka, ovasik, pvrabec, twaugh
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-11-21 09:41:59 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Attachments:
Description Flags
strace for su
none
pam.d/su with debug options none

Description Jonathan Andrews 2008-11-03 20:53:34 EST
Description of problem:
su utiltity reports "incorrect password" when correct password is used.

Version-Release number of selected component (if applicable):

6.10
md5sum a6f7dc60054c8e2665b0b19359f8e08b

How reproducible:


Steps to Reproduce:
1.
login as user via X or ssh
2.
su
3.
enter correct password
  

Actual results:

[waiman@localhost ~]$ su
Password: 
su: incorrect password

Expected results:
#


Additional info:

#[jon@jonspcb ~]$ ssh -X waiman@10.10.10.8
waiman@10.10.10.8's password: 
Last login: Tue Nov  4 01:49:04 2008 from 10.10.10.7
[waiman@localhost ~]$ 
[waiman@localhost ~]$ echo Im a user
Im a user
[waiman@localhost ~]$ su
Password: 
su: incorrect password
[waiman@localhost ~]$ 
[waiman@localhost ~]$ logout
Connection to 10.10.10.8 closed.
[jon@jonspcb ~]$ ssh -X root@10.10.10.8
root@10.10.10.8's password: 
Last login: Tue Nov  4 01:43:14 2008 from 10.10.10.7
[root@localhost ~]# 
[root@localhost ~]# echo Hello root 
Hello root
[root@localhost ~]# 


New install of core9 - run yum update 3 Nov08,
Comment 1 Ondrej Vasik 2008-11-04 02:43:55 EST
Thanks for report, I doubt the problem is in coreutils and su. Could you please provide strace of the of the failing command (I guess it could be PAM authentication restriction but I want to be sure before reassigning or closing).
Comment 2 Jonathan Andrews 2008-11-04 03:37:39 EST
Created attachment 322398 [details]
strace for su

strace for su
Comment 3 Jonathan Andrews 2008-11-05 04:41:52 EST
I've tried building generic su from source, seems its nothing to do with the su code itself its getspnam thats broken ?


/etc/shadow first 3 lines.

root:$6$7VrkEcKw$EiuWyOjq3uPNAr/lmFm5Ki6T7uL61vINJMVwPIA8OIT/Vgq.jL1mzf0TsjbZS42RoNBBKqClJc.OlIaGgFlDh0:14187:0:99999:7:::
bin:*:14185:0:99999:7:::
daemon:*:14185:0:99999:7:::



Su built from source.

[waiman@jonspcc src]$ ./su
pw->pw_name=root
sp=(null)
Correct=x
Password:



static bool
correct_password (const struct passwd *pw)
{
  char *unencrypted, *encrypted, *correct;
#if HAVE_GETSPNAM && HAVE_STRUCT_SPWD_SP_PWDP
  /* Shadow passwd stuff for SVR3 and maybe other systems.  */
  struct spwd *sp = getspnam (pw->pw_name);

  endspent ();
  if (sp)
    correct = sp->sp_pwdp;
  else
#endif
    correct = pw->pw_passwd;

printf("pw->pw_name=%s\nsp=%s\nCorrect=%s\n",pw->pw_name,sp,correct); fflush(stdout);
  if (getuid () == 0 || !correct || correct[0] == '\0')
    return true;

  unencrypted = getpass (_("Password:"));
  if (!unencrypted)
    {
      error (0, 0, _("getpass: cannot open /dev/tty"));
      return false;
    }
  encrypted = crypt (unencrypted, correct);
  memset (unencrypted, 0, strlen (unencrypted));
  return STREQ (encrypted, correct);
}
Comment 4 Kamil Dudka 2008-11-05 05:51:59 EST
Could you please attach the content of /etc/pam.d/su and the output of id command?
Comment 5 Ondrej Vasik 2008-11-05 06:39:03 EST
getspnam = shadow-utils ... shadow-utils = pvrabec ... adding to cc - Peter, what do you think about that issue?
Comment 6 Jonathan Andrews 2008-11-05 08:32:34 EST
[root@jonspcc src]# cat /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so

From root
[root@jonspcc ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)


From user
[waiman@jonspcc ~]$ id
uid=502(waiman) gid=502(waiman) groups=502(waiman)

/etc/passwd last 4 lines
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
avahi-autoipd:x:495:491:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
jon:x:501:501::/home/jon:/bin/bash
waiman:x:502:502::/home/waiman:/bin/bash

[root@jonspcc ~]# uname -a
Linux jonspcc 2.6.26.6-79.fc9.i686 #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 athlon i386 GNU/Linux



The machine is a virgin install of fc9 with yum update ran a few times, default settings for yum.
Comment 7 Kamil Dudka 2008-11-05 09:13:43 EST
Did you try to add yourself to group wheel?
# gpasswd -a waiman wheel
Comment 8 Jonathan Andrews 2008-11-05 11:48:25 EST
No difference !   From a simple users perspective (mine!) I should be able to useradd from root, then login and use su without additional steps - its always worked out that way for me before :-)


[waiman@jonspcc ~]$ id
uid=502(waiman) gid=502(waiman) groups=10(wheel),502(waiman)
[waiman@jonspcc ~]$ su
Password:
su: incorrect password
[waiman@jonspcc ~]$
Comment 9 Kamil Dudka 2008-11-06 08:27:57 EST
Created attachment 322711 [details]
pam.d/su with debug options

Please try the attached /etc/pam.d/su with debug options and attach the appropriate part of /var/log/secure of successful and unsuccessful login.
Comment 10 Jonathan Andrews 2008-11-21 09:41:59 EST
Thanks for the attached files, i've tried them but get nothing related to su in /var/log/secure, just the login report from sshd.

Its time for me to flush this machine and start again, thanks everyone for your help and time, its time to close this bug and move on. I assume its just me thats suffering this and only on one machine so its probably something i've broken !

Thanks again, looking forward to fc10.

Jon