110369 – gtk_init_check () doesn't handle xauth failures

Bug 110369 - gtk_init_check () doesn't handle xauth failures

Summary: gtk_init_check () doesn't handle xauth failures

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 3
Classification:	Red Hat
Component:	gtk2
Sub Component:
Version:	3.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Matthias Clasen
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2003-11-18 21:48 UTC by Matthew Galgoci
Modified:	2007-11-30 22:06 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2007-10-19 19:32:58 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Matthew Galgoci 2003-11-18 21:48:52 UTC

Description of problem:

sudo does not use pam_xauth in its pam config file so that when
ssh'd in remotely to a server and you type sudo su -  and try
and run an x client (such as up2date) you get something like this:

[root@pedro root]# up2date -l
X11 connection rejected because of wrong authentication.
[root@pedro root]# echo $DISPLAY
localhost:15.0

or

[mgalgoci@razor mgalgoci]$ ssh pedro.ges.redhat.com
mgalgoci@pedro's password:
[mgalgoci@pedro mgalgoci]$ sudo su -
[root@pedro root]# xeyes
X11 connection rejected because of wrong authentication.
X connection to localhost:11.0 broken (explicit kill or server shutdown).
[root@pedro root]# echo $DISPLAY
localhost:11.0

Not that I really wanted to use the gui up2date client in the first
place, it is nevertheless a bug in sudo's configuration.

Steps to Reproduce:
1. ssh to a machine as a user
2. sudo su -  to root
3. try to run an X application.
  
Actual results:

X authentication is rejected.

Expected results:

My xauth credential should be forwarded by pam_xauth to my root
session and my X client should authenticate run.

Comment 1 Thomas Woerner 2004-03-18 15:15:12 UTC

It is not a good idea to give access to the X11 session per se.
If the user has restricted access to not-X11 programs, he can get
access to the full X11 session with this.

Closing as won't fix.

Comment 2 Matthew Galgoci 2004-05-17 19:45:54 UTC

Usermod is apparently at fault here because /usr/bin/up2date is a
symlink to consolehelper.

Alternatively, consolehelper should not fail critically if it barfs on
xauth, and instead should fall back to console mode.

Comment 3 Matthew Galgoci 2004-05-17 19:46:48 UTC

This should probably be re-assigned to nalin :)

Comment 4 Miloslav Trmač 2007-03-07 17:09:40 UTC

When an X11 session is rejected as described in comment 0, gtk_init_check ()
or something it uses calls exit (1) instead of returning FALSE.

Comment 5 RHEL Program Management 2007-10-19 19:32:58 UTC

This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet that criteria, it is now being closed.
 
For more information of the RHEL errata support policy, please visit:
http://www.redhat.com/security/updates/errata/
 
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.

Note You need to log in before you can comment on or make changes to this bug.