Bug 158179 - sudo does not respect MIT-MAGIC-COOKIE
Summary: sudo does not respect MIT-MAGIC-COOKIE
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pam
Version: 4
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: FC4Update
TreeView+ depends on / blocked
 
Reported: 2005-05-19 12:40 UTC by Didier
Modified: 2007-11-30 22:11 UTC (History)
2 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2005-07-01 08:30:02 UTC


Attachments (Terms of Use)
/etc/sudoers (1007 bytes, text/plain)
2005-05-20 08:46 UTC, Didier
no flags Details
sudo strace (43.65 KB, text/plain)
2005-05-24 09:11 UTC, Didier
no flags Details

Description Didier 2005-05-19 12:40:28 UTC
Description of problem:

After upgrading from FC4t2 to FC4t3, I am unable to open sudo-invoked root
terminals in an X session.


Version-Release number of selected component (if applicable):

xorg-x11-6.8.2-30
gdm-2.6.0.8-12
sudo-1.6.8p8-1


How reproducible:

Always


Steps to Reproduce:
1. Login in X as normal (non-root) user
2. $ sudo /bin/su - root -c gnome-terminal

  
Actual results:

No root terminal opens.

* shell output :

Xlib: connection to ":0.0" refused by server
Xlib: Invalid MIT-MAGIC-COOKIE-1 key

(gnome-terminal:22862): Gtk-WARNING **: cannot open display:

* /var/log/gdm/:0.log output :

AUDIT: Thu May 19 14:34:23 2005: 3820 X: client 36 rejected from local host
  Auth name: MIT-MAGIC-COOKIE-1 ID: -1


Expected results:

A root gnome-terminal should open, as when invoking :
$ /bin/su - root -c gnome-terminal

Additional info:

- This worked perfectly in FC3 and up to and including FC4t2 ;
- SELinux is not enabled ;
- please note that due to bug #158176, I am unable to strace the process.

Comment 1 Karel Zak 2005-05-19 22:03:28 UTC
Can you try commands:

  $ xauth info
  $ xauth list "$DISPLAY"
  $ sudo su - root -c "xauth info"
  $ sudo su - root -c set | grep XAUTHORITY

BTW, I can reproduce it on FC3 by command:

   $ sudo su - root -c "unset XAUTHORITY; gnome-terminal"
   Xlib: connection to ":0.0" refused by server
   Xlib: No protocol specified

   (gnome-terminal:12431): Gtk-WARNING **: cannot open display:

-- I have sudo-1.6.8p8-1 in FC3 and it works fine.

I think there's probably a problem with sudo env reset or with PAM.

Comment 2 Didier 2005-05-20 07:35:51 UTC
didier@dmbr042 ~$ xauth info
Authority file:       /home/didier/.Xauthority
File new:             no
File locked:          no
Number of entries:    3
Changes honored:      yes
Changes made:         no
Current input:        (argv):1

didier@dmbr042 ~$ xauth list "$DISPLAY"
dmbr042.fvms.UGent.be/unix:0  MIT-MAGIC-COOKIE-1  a31e69866f1ee0da11db667fa59074de

didier@dmbr042 ~$ sudo su - root -c "xauth info"
Authority file:       /root/.Xauthority
File new:             no
File locked:          no
Number of entries:    1
Changes honored:      yes
Changes made:         no
Current input:        (argv):1

didier@dmbr042 ~$ sudo su - root -c set | grep XAUTHORITY

(last command returns nothing)



pam versions :

pam_ccreds-1-6
pam_smb-1.1.7-6
pam-0.79-8
pam_mount-0.9.24-1
pam_passwdqc-0.7.6-1
pam_krb5-2.1.5-1
pam-devel-0.79-8


Comment 3 Karel Zak 2005-05-20 08:02:34 UTC
It's bad, sudo su - root -c "xauth info" should be returns path to ~/didier.
I have last question: can you try it without sudo? -- it means:
 su - root -c gnome-terminal (or su - -c "xauth info"). Thanks.


Comment 4 Didier 2005-05-20 08:19:26 UTC
1.

$ su - root -c gnome-terminal

Works perfectly ; in the newly opened terminal :

# xauth info
Authority file:       /root/.xauthqnPJHY
File new:             no
File locked:          no
Number of entries:    1
Changes honored:      yes
Changes made:         no
Current input:        (argv):1

# ls -al /root/.xauthqnPJHY
-rw-------  1 root root 66 mei 19 14:12 /root/.xauthqnPJHY

# xauth list "$DISPLAY"
dmbr042.fvms.UGent.be/unix:0  MIT-MAGIC-COOKIE-1 a31e69866f1ee0da11db667fa59074de



2.

$ su - -c "xauth info"
Password:
Authority file:       /root/.xauthVqEQ7F
File new:             no
File locked:          no
Number of entries:    1
Changes honored:      yes
Changes made:         no
Current input:        (argv):1

# ls -al /root/.xauthVqEQ7F
ls: /root/.xauthVqEQ7F: No such file or directory




Comment 5 Karel Zak 2005-05-20 08:21:02 UTC
I forgot, please send your '/etc/sudoers'. 

Comment 6 Didier 2005-05-20 08:46:41 UTC
Created attachment 114618 [details]
/etc/sudoers

Comment 7 Didier 2005-05-24 09:11:01 UTC
Created attachment 114765 [details]
sudo strace

As bug #158176 has been fixed in the latest kernel, I'm including an strace log
of :

$ sudo su - root -c "strace -o/root/gnome-terminal.strace -f gnome-terminal"
Xlib: connection to ":0.0" refused by server
Xlib: Invalid MIT-MAGIC-COOKIE-1 key

(gnome-terminal:26591): Gtk-WARNING **: cannot open display:

Comment 8 Tomas Mraz 2005-05-24 10:26:14 UTC
This is known bug but it will be fixed after the FC4 release as a pam update.


Comment 10 Michael Wyraz 2005-07-01 08:25:16 UTC
The Bug is still pressent in FC4 release and should be updated.

Comment 11 Tomas Mraz 2005-07-01 08:30:02 UTC
Update to pam package in updates-testing (audit-libs update needed as well)
which should resolve this issue.


Comment 12 Didier 2005-07-05 21:11:04 UTC
Confirmed fixed in pam-0.79-9.1 ; thanks.


Note You need to log in before you can comment on or make changes to this bug.