Bug 476363

Summary: neither su nor sudo works in Fedora 10
Product: [Fedora] Fedora Reporter: zachary charlop-powers <ohreallyfool>
Component: pamAssignee: Tomas Mraz <tmraz>
Status: CLOSED CANTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: low    
Version: 10CC: tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-03-09 15:59:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
/etc/pam.d/system-auth
none
/etc/pam.d/su
none
/etc/pam.d/sudo
none
/var/log/messages
none
/var/log/secure
none
/var/log/secure-20081214 none

Description zachary charlop-powers 2008-12-13 16:54:07 UTC
Description of problem:
I cannot use root privileges from the terminal. If i type su or sudo, I am immedietely rejected without being prompted to enter my root password.

Version-Release number of selected component (if applicable): 
nss:3.12.2.0-3fc10
pam: 1.0.2-2.fc10


How reproducible: always


Steps to Reproduce:
1. open terminal
2. type su or type sudo 

  
Actual results: 

for su:
/home/zachcp/Desktop > su
su: incorrect password

for sudo:
/home/zachcp/Desktop > sudo yum
sudo: pam_acct_mgmt: 7
Sorry, try again.
sudo: pam_acct_mgmt: 7
Sorry, try again.
sudo: pam_acct_mgmt: 7
Sorry, try again.
sudo: 3 incorrect password attempts
/home/zachcp/Desktop > 



Expected results: Prompt for password. There is no prompt for password, only immediate rejection. If I use GUI-based programs that prompt me for su password there is no problem (system-config-display, yumex, etc..)


Additional info:

Comment 1 Tomas Mraz 2008-12-13 21:11:17 UTC
What do you see related in /var/log/secure and /var/log/messages?
What is in your /etc/pam.d/system-auth, /etc/pam.d/su and /etc/pam.d/sudo?

Comment 2 zachary charlop-powers 2008-12-15 14:50:56 UTC
Created attachment 326952 [details]
/etc/pam.d/system-auth

Comment 3 zachary charlop-powers 2008-12-15 14:51:20 UTC
Created attachment 326953 [details]
/etc/pam.d/su

Comment 4 zachary charlop-powers 2008-12-15 14:51:48 UTC
Created attachment 326954 [details]
/etc/pam.d/sudo

Comment 5 zachary charlop-powers 2008-12-15 14:52:18 UTC
Created attachment 326955 [details]
/var/log/messages

Comment 6 zachary charlop-powers 2008-12-15 14:52:46 UTC
Created attachment 326956 [details]
/var/log/secure

Comment 7 zachary charlop-powers 2008-12-15 14:55:15 UTC
Created attachment 326957 [details]
/var/log/secure-20081214

Comment 8 zachary charlop-powers 2008-12-15 15:05:17 UTC
i am not familiar with the /pam.d files but a cursory look at them makes me think they are okay. 

in the /var/log/secure-20081214 file I see a number of error messages to sudo and the error is a timestamp error. You can also see that when I have used a GUI to use a program with root priveleges (yumex, livna-config-display) the output will say something like this:

-- pam_timestamp(yumex:auth): timestamp file `/var/run/sudo/zachcp/unknown:root' is only 19 seconds old, allowing access to yumex for user zachcp

Additionally there is a recurrent error message around unix_chpwd:

--Dec 12 12:10:40 localhost sudo:   zachcp : pam_acct_mgmt: 7 ; TTY=pts/2 ; PWD=/home/zachcp ; USER=root ; COMMAND=/usr/bin/yum nmr4us
--Dec 12 12:10:41 localhost sudo: pam_unix(sudo:account): read unix_chkpwd output error 0: Success

Perhaps you have a suggestion but do you think ther would be a way to upate the timestamp on my '/var/run/sudo/zachcp/unknown' file? Perhaps "touch /var/run/sudo/zachcp/unknown" ?

thanks

Comment 9 zachary charlop-powers 2008-12-15 15:07:30 UTC
also, FYI, this machine was not a clean install of Fedora 10. I was running rawhide and continually updated. Su was working until one of the updates, however.  To the best that I noticed, PAM and NSS updates were in the packeages updated right before my permissions issue started.

Comment 10 Tomas Mraz 2008-12-15 16:15:19 UTC
The message about timestamp is just an informational message. But the unix_chkpwd message indicates a problem.

What 'rpm -V pam' prints? Run it as root of course.

Also is the problem still there if you temporarily switch SELinux to permissive mode by 'setenforce 0' ?

Comment 11 zachary charlop-powers 2008-12-15 16:36:41 UTC
[root@localhost ~]# rpm -V pam
....L...  c /etc/pam.d/system-auth
S.5....T  c /etc/security/limits.conf


I will try the SELinux trick next

Comment 12 Tomas Mraz 2009-03-09 15:41:14 UTC
Did changing SELinux mode to permissive help?

Could you try to install the pam package from:
http://people.redhat.com/tmraz/testing/
and report what you see in /var/log/secure when you try su and sudo?

Comment 13 zachary charlop-powers 2009-03-09 15:49:54 UTC
Thanks Tom,

Changing SELinux did not help. I was unable to do much with the computer without root capability. I was also having a few other (related?) glitches in system performance. As I mentioned, this had been an incremental update of Rawhide, so I decided for a clean install at which point everything worked fine.

Comment 14 Tomas Mraz 2009-03-09 15:59:41 UTC
OK closing.