Bug 688521

Summary: Cannot login into root with "su -"
Product: [Fedora] Fedora Reporter: Joachim Backes <joachim.backes>
Component: coreutilsAssignee: Ondrej Vasik <ovasik>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 15CC: aquini, kdudka, maxamillion, ovasik, tmraz, twaugh
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-03-17 09:54:01 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Attachments:
Description Flags
/etc/nsswitch.conf
none
Output of ausearch -m AVC none

Description Joachim Backes 2011-03-17 05:54:29 EDT
Description of problem:
I'm logged in as user backes, then I try: "su -". I enter the correct pwd, but the login is rejected because of incorrect password.

Logging in in some console is possible, and "sudo su -" too.

Version-Release number of selected component (if applicable):
coreutils-8.10-2.fc15.x86_64

How reproducible:
always

Steps to Reproduce:
1.su -
2.Enter root pwd
3.
  
Actual results:
su: incorrect password

Expected results:
Login performed


Additional info:
/var/log/secure in that case:

Mar 17 10:46:26 eule unix_chkpwd[15372]: check pass; user unknown
Mar 17 10:46:33 eule unix_chkpwd[15374]: check pass; user unknown
Mar 17 10:46:33 eule unix_chkpwd[15374]: password check failed for user (root)
Mar 17 10:46:33 eule su: pam_unix(su-l:auth): authentication failure; logname=backes uid=500 euid=500 tty=pts/0 ruser=backes rhost=  user=root
Comment 1 Ondrej Vasik 2011-03-17 07:52:26 EDT
Adding PAM maintainer to CC as he may have some insight to it/what to check. PAM support was consolidated with SUSE (it means rewritten) in 8.7-1.fc15 - and noone complained so far, so I wonder what went wrong on your machine. Is the issue new (caused by some update) or you have just installed the brand new F-15 and updated packages?
Comment 2 Tomas Mraz 2011-03-17 08:19:21 EDT
Are there any SELinux AVCs? 'ausearch -m AVC'

What is in your /etc/nsswitch.conf?
Comment 3 Joachim Backes 2011-03-17 08:55:18 EDT
(In reply to comment #2)
> Are there any SELinux AVCs? 'ausearch -m AVC'
> 
> What is in your /etc/nsswitch.conf?

1. Selinux is disabled
2. /etc/nsswitch.conf: See attachment
3. ausearch -m AVC: see attachment
Comment 4 Joachim Backes 2011-03-17 08:56:10 EDT
Created attachment 485997 [details]
/etc/nsswitch.conf
Comment 5 Joachim Backes 2011-03-17 08:57:21 EDT
Created attachment 485999 [details]
Output of ausearch -m AVC
Comment 6 Joachim Backes 2011-03-17 09:02:27 EDT
(In reply to comment #1)
> Adding PAM maintainer to CC as he may have some insight to it/what to check.
> PAM support was consolidated with SUSE (it means rewritten) in 8.7-1.fc15 - and
> noone complained so far, so I wonder what went wrong on your machine. Is the
> issue new (caused by some update) or you have just installed the brand new F-15
> and updated packages?

This is a fresh installed F15. I have a similar problem: after locking screen, I cannot unlock screen (passwd is not accepted: BZ 684653)
Comment 7 Joachim Backes 2011-03-17 09:10:51 EDT
(In reply to comment #6)
> (In reply to comment #1)
> > Adding PAM maintainer to CC as he may have some insight to it/what to check.
> > PAM support was consolidated with SUSE (it means rewritten) in 8.7-1.fc15 - and
> > noone complained so far, so I wonder what went wrong on your machine. Is the
> > issue new (caused by some update) or you have just installed the brand new F-15
> > and updated packages?
> 
> This is a fresh installed F15. I have a similar problem: after locking screen,
> I cannot unlock screen (passwd is not accepted: BZ 684653)

Sorry: I meant: this is a fresh installed F15 *+ all actual updates*
Comment 8 Tomas Mraz 2011-03-17 09:15:47 EDT
What 'ls -l /bin/su' prints?

Ondrej, were there any setuid related changes in su recently? The 'uid=500 euid=500' in the log message above actually looks very suspicious.
Comment 9 Tomas Mraz 2011-03-17 09:16:53 EDT
And also  output of 'ls -l /sbin/unix_chkpwd' please.
Comment 10 Joachim Backes 2011-03-17 09:30:45 EDT
(In reply to comment #9)
> And also  output of 'ls -l /sbin/unix_chkpwd' please.

-rwsr-xr-x. 1 root root 32000 Feb  8 15:19 /sbin/unix_chkpwd
Comment 11 Ondrej Vasik 2011-03-17 09:32:02 EDT
No, I'm not aware of any such change, su should still be suid root:root (4755) ...
Comment 12 Joachim Backes 2011-03-17 09:40:03 EDT
By setting the s-bit in /bin/su, getting rid from my su problems :-(

I don't know why it was lost.

Thanks for your support :-)

JB
Comment 13 Ondrej Vasik 2011-03-17 09:54:01 EDT
I checked the koji build and suid is present there, so closing NOTABUG. Feel free (to reopen and reassign) if you find out what cleared the suid...