442061 – graphical apps unable to start as root in user session

Bug 442061 - graphical apps unable to start as root in user session

Summary: graphical apps unable to start as root in user session

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	gdm
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	jmccann
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Duplicates (4):	441831 442157 442168 456516 (view as bug list)
Depends On:
Blocks:	F9PR F10Alpha, F10AlphaBlocker
TreeView+	depends on / blocked

Reported:	2008-04-11 15:00 UTC by Jeremy Katz
Modified:	2015-01-14 23:20 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-08-01 15:55:06 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Jeremy Katz 2008-04-11 15:00:18 UTC

If you're logged in as a user and run su from a terminal and attempt to run a
graphical app, you get
  "No protocol specified"
spewed and the app fails to connect to the display.  In Xorg.log, there's an
audit message
  AUDIT: date: 2269 Xorg: client 30 rejected from local host (uid=0 gid=0 pid=)

This also impacts apps that use consolehelper and thus breaks the ability to
start the installer from the livecd.

Comment 1 Jeremy Katz 2008-04-11 15:01:56 UTC

And running 'xhost +' works around, but seems like the wrong answer :)

Comment 2 Jeremy Katz 2008-04-11 17:33:15 UTC

This is because we can't create the lock in /var/run/gdm where the xauth cookie
is living.

Comment 3 Ray Strode [halfline] 2008-04-11 19:13:21 UTC

*** Bug 441831 has been marked as a duplicate of this bug. ***

Comment 4 Jeffrey C. Ollie 2008-04-11 19:16:37 UTC

This also affects SSH'ing to other hosts since the X forwarding code in SSH
needs to access the xauth cookies.

Comment 5 Jeffrey C. Ollie 2008-04-11 19:38:12 UTC

gdm-2.21.10-0.2008.04.11.1.fc9 seems to have fixed my problems with SSH and
"su".  Didn't even need to reboot or login/logout.

Comment 6 Tom London 2008-04-11 20:26:58 UTC

Rebooting after install new gdm produces unhappiness.....

I get a popup that yells at me for trying to login as a privileged user.

It then hangs.  I have to revert to gdm-2.21.10-0.2008.04.08.4.fc9.i386 to login
again.

[I can't seem to reopen this.....]

Comment 7 Jeffrey C. Ollie 2008-04-11 20:34:11 UTC

Yeah, the same was reported on IRC, try:

http://koji.fedoraproject.org/koji/buildinfo?buildID=45962

Once it's done building.

Comment 8 Tom London 2008-04-11 20:45:39 UTC

Yeah..... that works.

Comment 9 Ray Strode [halfline] 2008-04-11 20:59:50 UTC

good!

Comment 10 Michal Schmidt 2008-04-12 21:26:24 UTC

*** Bug 442157 has been marked as a duplicate of this bug. ***

Comment 11 Ondrej Vasik 2008-04-14 09:03:25 UTC

*** Bug 442168 has been marked as a duplicate of this bug. ***

Comment 12 Jeremy Katz 2008-07-24 18:46:13 UTC

As the saying goes "ittttssssss baccckkkkkk"

With today's rawhide, this behavior has reappeared.  Perms on /var/run/gdm have
changed from 1777 to 1775

Comment 13 Bill Nottingham 2008-07-25 14:36:11 UTC

*** Bug 456516 has been marked as a duplicate of this bug. ***

Comment 14 Matthias Clasen 2008-07-25 23:36:34 UTC

Yeah, we need a better fix here, either fix the stupid locking in libXau or
create per-user subdirectories in /var/run/gdm

Comment 15 Jeremy Katz 2008-07-28 18:47:27 UTC

Note that some resolution of this is required for Fedora 10 alpha, as otherwise,
installs from live images are non-functional.

Comment 16 Ray Strode [halfline] 2008-07-28 18:56:33 UTC

per user sub directories seems like the right way to go.  If the alpha is time
crunched, we could just add back the sticky bits though in the interim.

Comment 17 jmccann 2008-07-28 19:10:46 UTC

I'm testing the fix for this now.

Comment 18 Jeremy Katz 2008-07-31 16:45:16 UTC

Tested the fix and it solves this problem, but gdm doesn't start as we're
getting some AVCs.  
   allow xdm_t null_device_t:chr_file setattr;
seems to be the significant one, and I don't see why /dev/null would need to be
setattr'd as it's already root:root 0666

There's then an AVC of 
  allow xdm_t self:capability sys_ptrace;
but I think that's from gdb trying to attach as gdm crashes

Comment 19 Jeremy Katz 2008-07-31 17:52:36 UTC

Okay, updating to the latest selinux-policy seems to make things good.  So we
just need to tag that also and I think we should be good to go

Comment 20 Jesse Keating 2008-08-01 15:55:06 UTC

It's tagged, closing this bug.

Note You need to log in before you can comment on or make changes to this bug.