Bug 503873
Summary: | clarify message if GUI root access denied | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Nick Levinson <Nick_Levinson> |
Component: | gdm | Assignee: | jmccann |
Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | low | | |
Version: | 10 | CC: | cschalle, jmccann, rmaximo, rstrode, vanmeeuwen+fedora |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | i686 | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2009-12-18 09:31:55 UTC | Type: | --- |
Description
Nick Levinson
2009-06-03 06:16:08 UTC
Having something like this in anaconda isn't really possible as it ties anaconda more closely to the specific quirks of a single distribution release and that's the opposite of the direction we're trying to move in. The decision to not allow root logins through the desktop wasn't an anaconda one. It was made as a desktop-wide and distribution-wide policy. anaconda is not in the business of offering workarounds to defined Fedora policy.

You can configure gdm to allow root logins, though since I do not work on it, I do not know how.

The fact that su - does not allow you to do things definitely sounds like a bug, though. It could be a problem with selinux or with su itself.

In that case, at least please reword the message that results from refusing root access. To say that the user cannot be authenticated is to say either that the user has forgotten their root password or that the software just installed is broken. In either case, reinstalling or getting another OS is necessary. To make that unnecessary, use phrasing that's more relevant.

A technical problem -- I'm guessing how root access is being denied -- is that Fedora may be denying the GUI login process access to /etc/shadow if the user is root and thus is not trying to check the password itself. That, too, can be solved.

If the user being attempted for login is root, post a message such as, "root may not log in here but should use the terminal or console. The root password has not been authenticated." If that is not generic enough because it should apply to any user similarly situated, phrase thus: "This user may not log in here but should use the terminal or console. The user's password has not been authenticated."

This does not create a security risk in telling an attacker too much.
Assuming an attacker does not know about the Fedora policy, an attacker aware of Linux almost certainly knows the key account is named "root" and so won't assume the account was misnamed and therefore will "know" that only the password is wrong. If the concern is that they shouldn't know about the console/terminal being an alternative if the GUI fails, allow the superuser to configure a setting to choose the vaguer message, i.e., the one that displays nowadays about not authenticating the user. That's good for a superuser who already knows about this policy but may not want another user to know.

I don't understand why the proposal would be too narrowly applicable to one release, unless there's a plan to restore GUI root access in a future release. But if the more basic decision remains denial of GUI root access, there may be no justification in changing anaconda.

The su problem I experienced wasn't in F10, since, not knowing that I wasn't supposed to succeed via the GUI, I had already wiped F10 off the disk and couldn't test F10 terminal access anymore. The su experimentation was in FC4, where I didn't try changing permissions to edit /etc files, and FC4 terminal experience might not be entirely germane to F10.

Although I disagree with the denial as policy without a workaround, so that if a workaround is too problematic I'll probably switch to another distro, the policy may make sense for the kinds of institutions for which RHEL is marketed. That leaves the phrasing as the main issue.

Thanks.

-- Nick

I edited the summary (title) of this bug.

-- Nick

This message is a reminder that Fedora 10 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 10. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 10 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Fedora 10 changed to end-of-life (EOL) status on 2009-12-17. Fedora 10 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.