Description of problem:
Unlocking a root terminal which has been previously locked using the system password (tlock -s) doesn't work.

Version-Release number of selected component (if applicable):
tlock-1.3-1.fc9.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Login as root.
2. Type "tlock -s".
3. Type root's password again to try unlocking (which fails).

Actual results:
"access denied, invalid password"

Expected results:
Terminal is unlocked again.

Additional info:
It DOES work for regular users, does NOT work only for root when using the "-s" option. I've done some quick debugging, the reason seems to be in pam_authenticate() which returns a value of 3 = PAM_SERVICE_ERR. Maybe this is a PAM bug because for each try I get the following line written to syslog:

Jul 7 15:59:06 localhost tlock: pam_securetty(login:auth): cannot determine user's tty

(Again: this message doesn't appear when using tlock as regular user or as root but without the "-s" option).
Hey Milos, thanks for the information. I'm aware of this tlock behaviour, and am not really sure if it's a tlock bug. I guess it's something to do with the way Linux-PAM works. I tried to configure pam_rootok.so(8) in `/etc/pam.d/login' but it didn't help as much. I'm trying to find the appropriate solution for this. Thank you!
Also, though removing - "auth ... pam_securetty.so" - from /etc/pam.d/login solves the problem, I doubt if that's the way to go.
Please see: http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_securetty.html
OK, I spent half an hour in the PAM source code ending up in the second paragraph in the article you pointed out:)

> "This module has no effect on non-root users and requires that the application
> fills in the PAM_TTY item correctly."

All that needs to be done is set the tty using pam_set_item() -- see the proposed patch I'm attaching.

Note:
- Because pts/X is not included in /etc/securetty, if found, tty is set to "console".
- I also removed one variable obviously not used, which gcc displayed a warning about.
- Hope it will work fine:)
Created attachment 311523
Patch setting correct tty for pam_securetty module
Hi Milos, thank you so much for the patch.

The patch looks okay to me, except that instead of "/dev/pts/", I think it'll do with just "/dev/". Because "/dev/pts/" you see on X terminals, whereas on text terminals you get "/dev/tty[1-6]". I'll apply it over the week-end, hope that's okay.

Thank you! :)
Hi,

(In reply to comment #6)
> Hi Milos, thank you so much for the patch.
>
> The patch looks okay to me, except that instead of "/dev/pts/", I think it'll do
> with just "/dev/".

Hm, I don't think this is a good idea: if you change /dev/pts to /dev only then you will *always* use "console" -- I can hardly imagine that ttyname() returns anything not prefixed by /dev.

> Because "/dev/pts/" you see on X terminals, whereas on text
> terminals you get "/dev/tty[1-6]".

Yes, but that's not a problem because all of those /dev/ttyX are included in /etc/securetty by default (as opposed to /dev/pts/X). Hence the proposed solution works both on /dev/ttyX and /dev/pts/X (which will be translated into "console").

> I'll apply it over the week-end, hope that's
> okay.
>
> Thank you! :)

You're welcome;)
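The prefix question from the two comments above, as an added example; it is not the attached patch and not tlock's code. The names pam_tty_for and securetty_allows, the sample securetty table, and the choice to strip "/dev/" from other device paths are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample of /etc/securetty entries; not read from disk. */
static const char *const SECURETTY[] = {
    "console", "tty1", "tty2", "tty3", "tty4", "tty5", "tty6"
};

/* Value to store in PAM_TTY for a device path as returned by ttyname().
 * Paths starting with `prefix` are rewritten to "console": "/dev/pts/" is
 * the thread's proposal, "/dev/" the suggested change. Other "/dev/" paths
 * lose the "/dev/" part (example's assumption). NULL in, NULL out. */
const char *pam_tty_for(const char *dev, const char *prefix)
{
    if (dev == NULL)
        return NULL;                 /* ttyname() failed: no terminal */
    if (strncmp(dev, prefix, strlen(prefix)) == 0)
        return "console";
    if (strncmp(dev, "/dev/", 5) == 0)
        return dev + 5;              /* "/dev/tty1" -> "tty1" */
    return dev;
}

/* 1 if name appears in the sample securetty table, else 0. */
int securetty_allows(const char *name)
{
    size_t i;
    for (i = 0; name && i < sizeof SECURETTY / sizeof SECURETTY[0]; i++)
        if (strcmp(SECURETTY[i], name) == 0)
            return 1;
    return 0;
}

int main(void)
{
    const char *samples[] = { "/dev/tty1", "/dev/pts/3", "/dev/ttyS0" };
    const char *cur = ttyname(STDIN_FILENO);  /* NULL if stdin is no tty */
    size_t i;
    for (i = 0; i < 3; i++) {
        const char *a = pam_tty_for(samples[i], "/dev/pts/");
        const char *b = pam_tty_for(samples[i], "/dev/");
        printf("%-11s \"/dev/pts/\": %-8s (%s)  \"/dev/\": %s\n", samples[i],
               a, securetty_allows(a) ? "listed" : "not listed", b);
    }
    printf("this terminal: %s\n", cur ? pam_tty_for(cur, "/dev/pts/") : "(none)");
    /* A PAM application would pass the result to
     * pam_set_item(pamh, PAM_TTY, value) before pam_authenticate();
     * that call needs libpam and is not made here. */
    return 0;
}
```

With the "/dev/" prefix every device, including one absent from the table such as ttyS0, is reported to pam_securetty as "console", so the per-terminal restriction no longer distinguishes anything.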
Hello Milos :)

I did apply that patch. Please have a look at the latest files at

SPEC: http://pjp.dgplug.org/tools/tlock.spec
SORC: http://pjp.dgplug.org/tools/tlock-1.4.tar.gz
SRPM: http://pjp.dgplug.org/tools/tlock-1.4-1.fc8.src.rpm

Hey, now how do I push these changes to the main repositories (i.e. FC-[89], EL-[45], and devel) again?

Thank you so much!
Fine, please follow: http://fedoraproject.org/wiki/PackageMaintainers/UpdatingPackageHowTo

Some short hints:
- in rawhide (devel) you do not release updates, any new build is by default automatically included into repository.
- you can create an update either using web interface (https://admin.fedoraproject.org/updates) or using "make update" in the branch directory (F-8, F-9...).
- you can (and should) associate bugs which should be resolved by the newly created update to it (and if using web interface, you can also set the bug reports to be autoclosed when the update is pushed into repository; make update currently doesn't support this yet).
Hi Milos, thanks for those links.

I was following the first link, I already have the checked out sources of tlock-1.3 from the *first* build, but none of the make files there have target `new-sources', so when I say

(~/src/fedora/tlock)$ make new-sources FILES="tlock-1.4.tar.gz"

make stops saying: "no rule to make target new-sources".

Could you please help? Thank you!
Just cd to the branch directory first, e.g. ~/src/fedora/tlock/devel in your case. This must be repeated for every branch you want to update with the new sources (because you can have different sources for different branches of course). (I confirm this is not very clear from the wiki, I'll probably add a short comment there.)
tlock-1.4-1.fc8 has been submitted as an update for Fedora 8
tlock-1.4-1.fc9 has been submitted as an update for Fedora 9
tlock-1.4-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
tlock-1.4-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.