Bug 158179 - sudo does not respect MIT-MAGIC-COOKIE
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: pam
Version: 4
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Tomas Mraz
Blocks: FC4Update
Reported: 2005-05-19 08:40 EDT by Didier
Modified: 2007-11-30 17:11 EST
Fixed In Version: pam-0.79-9.1
Doc Type: Bug Fix
Last Closed: 2005-07-01 04:30:02 EDT
Attachments:
/etc/sudoers (1007 bytes, text/plain), 2005-05-20 04:46 EDT, Didier
sudo strace (43.65 KB, text/plain), 2005-05-24 05:11 EDT, Didier

Description Didier 2005-05-19 08:40:28 EDT
Description of problem:

After upgrading from FC4t2 to FC4t3, I am unable to open sudo-invoked root
terminals in an X session.


Version-Release number of selected component (if applicable):

xorg-x11-6.8.2-30
gdm-2.6.0.8-12
sudo-1.6.8p8-1


How reproducible:

Always


Steps to Reproduce:
1. Log in to X as a normal (non-root) user
2. $ sudo /bin/su - root -c gnome-terminal

  
Actual results:

No root terminal opens.

* shell output :

Xlib: connection to ":0.0" refused by server
Xlib: Invalid MIT-MAGIC-COOKIE-1 key

(gnome-terminal:22862): Gtk-WARNING **: cannot open display:

* /var/log/gdm/:0.log output :

AUDIT: Thu May 19 14:34:23 2005: 3820 X: client 36 rejected from local host
  Auth name: MIT-MAGIC-COOKIE-1 ID: -1


Expected results:

A root gnome-terminal should open, as when invoking :
$ /bin/su - root -c gnome-terminal

Additional info:

- This worked perfectly in FC3 and up to and including FC4t2 ;
- SELinux is not enabled ;
- please note that due to bug #158176, I am unable to strace the process.
Comment 1 Karel Zak 2005-05-19 18:03:28 EDT
Can you try these commands:

  $ xauth info
  $ xauth list "$DISPLAY"
  $ sudo su - root -c "xauth info"
  $ sudo su - root -c set | grep XAUTHORITY

BTW, I can reproduce it on FC3 with the command:

   $ sudo su - root -c "unset XAUTHORITY; gnome-terminal"
   Xlib: connection to ":0.0" refused by server
   Xlib: No protocol specified

   (gnome-terminal:12431): Gtk-WARNING **: cannot open display:

-- I have sudo-1.6.8p8-1 in FC3 and it works fine.

I think there's probably a problem with sudo env reset or with PAM.
Comment 2 Didier 2005-05-20 03:35:51 EDT
didier@dmbr042 ~$ xauth info
Authority file:       /home/didier/.Xauthority
File new:             no
File locked:          no
Number of entries:    3
Changes honored:      yes
Changes made:         no
Current input:        (argv):1

didier@dmbr042 ~$ xauth list "$DISPLAY"
dmbr042.fvms.UGent.be/unix:0  MIT-MAGIC-COOKIE-1  a31e69866f1ee0da11db667fa59074de

didier@dmbr042 ~$ sudo su - root -c "xauth info"
Authority file:       /root/.Xauthority
File new:             no
File locked:          no
Number of entries:    1
Changes honored:      yes
Changes made:         no
Current input:        (argv):1

didier@dmbr042 ~$ sudo su - root -c set | grep XAUTHORITY

(last command returns nothing)



pam versions :

pam_ccreds-1-6
pam_smb-1.1.7-6
pam-0.79-8
pam_mount-0.9.24-1
pam_passwdqc-0.7.6-1
pam_krb5-2.1.5-1
pam-devel-0.79-8
Comment 3 Karel Zak 2005-05-20 04:02:34 EDT
It's bad, sudo su - root -c "xauth info" should return the path to ~/didier.
I have one last question: can you try it without sudo? -- it means:
 su - root -c gnome-terminal (or su - -c "xauth info"). Thanks.
Comment 4 Didier 2005-05-20 04:19:26 EDT
1.

$ su - root -c gnome-terminal

Works perfectly ; in the newly opened terminal :

# xauth info
Authority file:       /root/.xauthqnPJHY
File new:             no
File locked:          no
Number of entries:    1
Changes honored:      yes
Changes made:         no
Current input:        (argv):1

# ls -al /root/.xauthqnPJHY
-rw-------  1 root root 66 mei 19 14:12 /root/.xauthqnPJHY

# xauth list "$DISPLAY"
dmbr042.fvms.UGent.be/unix:0  MIT-MAGIC-COOKIE-1 a31e69866f1ee0da11db667fa59074de



2.

$ su - -c "xauth info"
Password:
Authority file:       /root/.xauthVqEQ7F
File new:             no
File locked:          no
Number of entries:    1
Changes honored:      yes
Changes made:         no
Current input:        (argv):1

# ls -al /root/.xauthVqEQ7F
ls: /root/.xauthVqEQ7F: No such file or directory


Comment 5 Karel Zak 2005-05-20 04:21:02 EDT
I forgot, please send your '/etc/sudoers'. 
Comment 6 Didier 2005-05-20 04:46:41 EDT
Created attachment 114618 [details]
/etc/sudoers
Comment 7 Didier 2005-05-24 05:11:01 EDT
Created attachment 114765 [details]
sudo strace

As bug #158176 has been fixed in the latest kernel, I'm including an strace log
of :

$ sudo su - root -c "strace -o/root/gnome-terminal.strace -f gnome-terminal"
Xlib: connection to ":0.0" refused by server
Xlib: Invalid MIT-MAGIC-COOKIE-1 key

(gnome-terminal:26591): Gtk-WARNING **: cannot open display:
Comment 8 Tomas Mraz 2005-05-24 06:26:14 EDT
This is a known bug, but it will be fixed after the FC4 release as a pam update.
Comment 10 Michael Wyraz 2005-07-01 04:25:16 EDT
The bug is still present in the FC4 release and should be updated.
Comment 11 Tomas Mraz 2005-07-01 04:30:02 EDT
Update to pam package in updates-testing (audit-libs update needed as well)
which should resolve this issue.
Comment 12 Didier 2005-07-05 17:11:04 EDT
Confirmed fixed in pam-0.79-9.1 ; thanks.
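
The by-hand comparison of `xauth list` output from comments 2 and 4, scripted as an added example that is not part of the original bug thread. The function names, the sample host name and the sample cookie values are constructed for illustration; the input is assumed to be the text printed by `xauth list "$DISPLAY"` in each context.

```shell
#!/bin/sh
# Added example (not from the bug thread): compare the MIT-MAGIC-COOKIE-1
# entry for one display as seen by the invoking user and by the root session.
# Real use, with the commands from the thread:
#   user=$(xauth list "$DISPLAY")
#   root=$(sudo su - root -c "xauth list $DISPLAY")
#   compare_cookies "$user" "$root" "$DISPLAY"

# Constructed sample data (host name and keys are made up).
SAMPLE_USER='host.example/unix:0  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff'
SAMPLE_ROOT_STALE='host.example/unix:0  MIT-MAGIC-COOKIE-1  ffeeddccbbaa99887766554433221100'

display_number() {
    # ":0.0" or "host:10.0" -> "0" / "10" (drop host part and screen suffix)
    d=${1##*:}
    printf '%s\n' "${d%%.*}"
}

cookie_for_display() {
    # $1 = text of `xauth list`, $2 = display number.
    # Prints the hex key of the first MIT-MAGIC-COOKIE-1 entry for that display.
    printf '%s\n' "$1" | awk -v n="$2" '
        $2 == "MIT-MAGIC-COOKIE-1" {
            name = $1; sub(/.*:/, "", name)   # keep what follows the last colon
            if (name == n) { print $3; exit }
        }'
}

compare_cookies() {
    # $1 = user xauth list, $2 = root-session xauth list, $3 = DISPLAY value.
    n=$(display_number "$3")
    u=$(cookie_for_display "$1" "$n")
    r=$(cookie_for_display "$2" "$n")
    if [ -z "$u" ]; then echo "user-missing"
    elif [ -z "$r" ]; then echo "root-missing"     # no cookie reached root
    elif [ "$u" = "$r" ]; then echo "match"        # as in comment 4 (plain su)
    else echo "mismatch"                           # root holds a different key
    fi
}

# Demo on the constructed samples: the root session holds a different key.
compare_cookies "$SAMPLE_USER" "$SAMPLE_ROOT_STALE" ":0.0"
```

A result other than `match` for the sudo-invoked session, with `match` for plain `su -`, is the pattern reported in this bug.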
