Red Hat Bugzilla – Bug 176033
Last modified: 2007-11-30 17:11:19 EST
On a fresh rawhide install with selinux disabled, su fails, reporting (falsely)
Dec 17 17:32:15 pmac su: pam_unix(su:auth): authentication failure;
logname=dwmw2 uid=500 euid=0 tty=tty1 ruser=dwmw2 rhost= user=root
'ssh root@localhost' works fine.
What version of coreutils, and of pam?
Seems to be a pam issue, according to one of the Fedora mailing lists.
Can you please attach a strace of it? It should be good enough to attach to the
su process when it is asking for a password. (Of course change the password
before that so it isn't valuable.)
I cannot reproduce this issue on rawhide i386 with coreutils-5.93-4.1 and
pam-0.99.2.1-2 with SELinux disabled. So it might even be a ppc only problem.
I can't reproduce it any more either. There exists a possibility that I just
mistyped the password _repeatedly_ and then happened to get it right the first
time I tried to 'ssh root@localhost' instead. Or maybe there was something wrong
with the system date, which has been known to make PAM unhappy. Either way, I
think we can close this. Apologies for the noise.
I lie. It happens again on a clean install, although this time I'm inclined to
blame selinux and I'm fairly sure I'd booted with 'selinux=0' last time, because
I didn't think the system would boot at all without it.
Created attachment 122431
Yep, this is selinux preventing pam_unix from reading /etc/shadow (which is right),
but then it prevents it from running /sbin/unix_chkpwd (which should be allowed).
This is a known problem in labeling the homedirs in the install
restorecon -R -v /root /home
Should clean it up. Hopefully tonight's rawhide will fix the problem.
Fixed in selinux-policy-2.1.6-19
Also coreutils is changed to not use selinux for su any longer.
Closing several old modified bugs
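Added example, not part of the original bug report: a log triage sketch that separates a genuine credential failure from the case diagnosed above, where SELinux denies execution of unix_chkpwd and pam_unix reports an authentication failure. The first pam_unix line is taken from the report; the AVC lines, the second su failure, and the names `classify` and `parse_ts` are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

PAM_FAIL = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ [\w.-]+(?:\[\d+\])?: '
    r'pam_unix\((?P<svc>[^)]*)\): authentication failure;.*\buser=(?P<user>\S*)')
AVC = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ [\d:]{8}) .*avc:\s+denied\s+\{ (?P<perm>[^}]*) \}'
    r'.*?\bname="(?P<name>[^"]*)"')

# Constructed sample: pids, inodes and security contexts below are made up.
SAMPLE_LOG = """\
Dec 17 17:32:15 pmac kernel: audit(1134858735.412:31): avc:  denied  { read } for  pid=2301 comm="su" name="shadow" dev=hda3 ino=98211 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:shadow_t tclass=file
Dec 17 17:32:15 pmac kernel: audit(1134858735.415:32): avc:  denied  { execute } for  pid=2302 comm="su" name="unix_chkpwd" dev=hda3 ino=65120 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:chkpwd_exec_t tclass=file
Dec 17 17:32:15 pmac su: pam_unix(su:auth): authentication failure; logname=dwmw2 uid=500 euid=0 tty=tty1 ruser=dwmw2 rhost= user=root
Dec 17 17:45:09 pmac su: pam_unix(su:auth): authentication failure; logname=dwmw2 uid=500 euid=0 tty=tty1 ruser=dwmw2 rhost= user=root
"""

def parse_ts(ts):
    # syslog omits the year; a fixed placeholder year is enough to compute deltas
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")

def classify(log, window=timedelta(seconds=2)):
    """Return (timestamp, service, user, verdict) for every pam_unix failure."""
    denials = []
    for line in log.splitlines():
        m = AVC.match(line)
        if m:
            denials.append((parse_ts(m["ts"]), m["perm"], m["name"]))
    results = []
    for line in log.splitlines():
        m = PAM_FAIL.match(line)
        if not m:
            continue
        t = parse_ts(m["ts"])
        near = [d for d in denials if abs(d[0] - t) <= window]
        # A denied read of shadow is expected; a denied unix_chkpwd is the bug.
        helper_blocked = any(name == "unix_chkpwd" for _, _, name in near)
        verdict = "selinux-denied-helper" if helper_blocked else "credential-failure"
        results.append((m["ts"], m["svc"], m["user"], verdict))
    return results

if __name__ == "__main__":
    for row in classify(SAMPLE_LOG):
        print(row)
```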