Bug 176033 - su fails
Summary: su fails
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2005-12-17 22:50 UTC by David Woodhouse
Modified: 2007-11-30 22:11 UTC (History)
2 users (show)

Clone Of:
Last Closed: 2007-03-16 03:35:20 UTC

Attachments (Terms of Use)
strace (79.78 KB, text/plain)
2005-12-20 01:17 UTC, David Woodhouse
no flags Details

Description David Woodhouse 2005-12-17 22:50:40 UTC
On a fresh rawhide install with selinux disabled, su fails, reporting (falsely)
'incorrect password'.

Dec 17 17:32:15 pmac su: pam_unix(su:auth): authentication failure;
logname=dwmw2 uid=500 euid=0 tty=tty1 ruser=dwmw2 rhost=  user=root

'ssh root@localhost' works fine.

Comment 1 Tim Waugh 2005-12-18 10:29:18 UTC
What version of coreutils, and of pam?

Comment 2 David Woodhouse 2005-12-18 13:28:42 UTC
20051217 rawhide:

Comment 3 Tim Waugh 2005-12-19 09:27:48 UTC
Seems to be a pam issue, according to one of the fedora mailing lists.

Comment 4 Tomas Mraz 2005-12-19 09:47:07 UTC
Can you please attach a strace of it? It should be good enough to attach to the
su process when it is asking for a password. (Of course change the password
before that so it isn't valuable.)

Comment 5 Tomas Mraz 2005-12-19 10:07:19 UTC
I cannot reproduce this issue on rawhide i386 with coreutils-5.93-4.1 and
pam- with SELinux disabled. So it might even be a ppc only problem.

Comment 6 David Woodhouse 2005-12-20 00:38:11 UTC
I can't reproduce it any more either. There exists a possibility that I just
mistyped the password _repeatedly_ and then happened to get it right the first
time I tried to 'ssh root@localhost' instead. Or maybe there was something wrong
with the system date, which has been known to make PAM unhappy. Either way, I
think we can close this. Apologies for the noise.

Comment 7 David Woodhouse 2005-12-20 01:16:42 UTC
I lie. It happens again on a clean install, although this time I'm inclined to
blame selinux and I'm fairly sure I'd booted with 'selinux=0' last time, because
I didn't think the system would boot at all without it.

Comment 8 David Woodhouse 2005-12-20 01:17:33 UTC
Created attachment 122431 [details]

Comment 9 Tomas Mraz 2005-12-20 07:58:26 UTC
Yep, this is selinux preventing pam_unix to read /etc/shadow (which is right), 
but then it prevents it to run /sbin/unix_chkpwd (which should be allowed).

Comment 10 Daniel Walsh 2005-12-20 14:18:35 UTC
This is a known problem in labeling the homedirs in the install

restorecon -R -v /root /home

Should clean it up.  Hopefully tonights rawhide will fix the problem.

Comment 11 Daniel Walsh 2006-01-02 17:12:46 UTC
Fixed in selinux-policy-2.1.6-19

Also coreutils is changed to not use selinux for su any longer.

Comment 12 Daniel Walsh 2007-03-16 03:35:20 UTC
Closing several old modified bugs

Note You need to log in before you can comment on or make changes to this bug.