Bug 469791 - su broken fc9
Product: Fedora
Classification: Fedora
Component: coreutils
Hardware: i386 Linux
Priority: medium, Severity: high
Assigned To: Ondrej Vasik
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-11-03 20:53 EST by Jonathan Andrews
Modified: 2008-11-21 09:41 EST
Doc Type: Bug Fix
Last Closed: 2008-11-21 09:41:59 EST

Attachments
strace for su (27.75 KB, text/plain)
2008-11-04 03:37 EST, Jonathan Andrews
pam.d/su with debug options (529 bytes, application/octet-stream)
2008-11-06 08:27 EST, Kamil Dudka

Description Jonathan Andrews 2008-11-03 20:53:34 EST
Description of problem:
su utility reports "incorrect password" when correct password is used.

Version-Release number of selected component (if applicable):

md5sum a6f7dc60054c8e2665b0b19359f8e08b

How reproducible:

Steps to Reproduce:
login as user via X or ssh
enter correct password

Actual results:

[waiman@localhost ~]$ su
su: incorrect password

Expected results:

Additional info:

#[jon@jonspcb ~]$ ssh -X waiman@
waiman@'s password: 
Last login: Tue Nov  4 01:49:04 2008 from
[waiman@localhost ~]$ 
[waiman@localhost ~]$ echo Im a user
Im a user
[waiman@localhost ~]$ su
su: incorrect password
[waiman@localhost ~]$ 
[waiman@localhost ~]$ logout
Connection to closed.
[jon@jonspcb ~]$ ssh -X root@
root@'s password: 
Last login: Tue Nov  4 01:43:14 2008 from
[root@localhost ~]# 
[root@localhost ~]# echo Hello root 
Hello root
[root@localhost ~]# 

New install of core9 - run yum update 3 Nov08,
Comment 1 Ondrej Vasik 2008-11-04 02:43:55 EST
Thanks for the report. I doubt the problem is in coreutils and su. Could you please provide an strace of the failing command? (I guess it could be a PAM authentication restriction, but I want to be sure before reassigning or closing.)
Comment 2 Jonathan Andrews 2008-11-04 03:37:39 EST
Created attachment 322398
strace for su
Comment 3 Jonathan Andrews 2008-11-05 04:41:52 EST
I've tried building generic su from source. It seems it's nothing to do with the su code itself; it's getspnam that's broken?

/etc/shadow first 3 lines.


Su built from source.

[waiman@jonspcc src]$ ./su

/* Excerpt from su.c; _(), error () and STREQ come from the coreutils sources.  */
static bool
correct_password (const struct passwd *pw)
{
  char *unencrypted, *encrypted, *correct;
  /* Shadow passwd stuff for SVR3 and maybe other systems.  */
  struct spwd *sp = getspnam (pw->pw_name);

  endspent ();
  if (sp)
    correct = sp->sp_pwdp;
  else
    correct = pw->pw_passwd;

  /* Debug output added for this report; note that it prints the stored hash.  */
  printf ("pw->pw_name=%s\nsp=%p\nCorrect=%s\n",
          pw->pw_name, (void *) sp, correct ? correct : "(null)");
  fflush (stdout);
  if (getuid () == 0 || !correct || correct[0] == '\0')
    return true;

  unencrypted = getpass (_("Password:"));
  if (!unencrypted)
    {
      error (0, 0, _("getpass: cannot open /dev/tty"));
      return false;
    }
  encrypted = crypt (unencrypted, correct);
  memset (unencrypted, 0, strlen (unencrypted));
  /* crypt () returns NULL on failure.  */
  return encrypted && STREQ (encrypted, correct);
}
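
The lookup order in correct_password above, as an added diagnostic that is not part of the original comment or of coreutils: it reports which password field would be compared and the errno from getspnam, without printing any hash. The names classify_field and inspect_user are hypothetical, and glibc on Linux is assumed.

```c
/* Added diagnostic (not coreutils code): follows the lookup order of
   correct_password () without printing the hash.  Helper names are hypothetical.  */
#include <errno.h>
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
enum field_kind { FIELD_EMPTY, FIELD_PLACEHOLDER, FIELD_LOCKED, FIELD_HASH };

enum field_kind classify_field (const char *f)
{
  if (!f || f[0] == '\0')
    return FIELD_EMPTY;         /* correct_password () returns true unprompted */
  if (strcmp (f, "x") == 0)
    return FIELD_PLACEHOLDER;   /* passwd entry that defers to /etc/shadow */
  if (f[0] == '!' || f[0] == '*')
    return FIELD_LOCKED;        /* locked, or no valid password set */
  return FIELD_HASH;
}

/* Returns 0 on success, -1 if NAME is unknown.  *SP_ERRNO is errno from a
   failed getspnam () (0 there means no shadow entry was found).  */
int inspect_user (const char *name, enum field_kind *kind, int *from_shadow,
                  int *sp_errno)
{
  struct passwd *pw = getpwnam (name);
  if (!pw)
    return -1;
  errno = 0;
  struct spwd *sp = getspnam (pw->pw_name);
  *sp_errno = sp ? 0 : errno;
  endspent ();
  *from_shadow = sp != NULL;
  *kind = classify_field (sp ? sp->sp_pwdp : pw->pw_passwd);
  return 0;
}

int main (int argc, char **argv)
{
  static const char *const label[] = { "empty", "placeholder", "locked", "hash" };
  enum field_kind kind;
  int from_shadow, err;
  if (inspect_user (argc > 1 ? argv[1] : "root", &kind, &from_shadow, &err)) return 1;
  printf ("euid=%d source=%s field=%s getspnam=%s\n", (int) geteuid (),
          from_shadow ? "shadow" : "passwd", label[kind],
          from_shadow ? "ok" : err ? strerror (err) : "no entry");
  return 0;
}
```

A binary that is neither setuid root nor run by root normally reports source=passwd with a permission error, because /etc/shadow is readable only by privileged users. In that case correct_password falls back to pw->pw_passwd, which on a shadowed system is the placeholder field.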
Comment 4 Kamil Dudka 2008-11-05 05:51:59 EST
Could you please attach the content of /etc/pam.d/su and the output of the id command?
Comment 5 Ondrej Vasik 2008-11-05 06:39:03 EST
getspnam = shadow-utils ... shadow-utils = pvrabec ... adding to cc - Peter, what do you think about that issue?
Comment 6 Jonathan Andrews 2008-11-05 08:32:34 EST
[root@jonspcc src]# cat /etc/pam.d/su
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so

From root
[root@jonspcc ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

From user
[waiman@jonspcc ~]$ id
uid=502(waiman) gid=502(waiman) groups=502(waiman)

/etc/passwd last 4 lines
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin

[root@jonspcc ~]# uname -a
Linux jonspcc #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 athlon i386 GNU/Linux

The machine is a virgin install of fc9 with yum update run a few times, default settings for yum.
Comment 7 Kamil Dudka 2008-11-05 09:13:43 EST
Did you try to add yourself to group wheel?
# gpasswd -a waiman wheel
Comment 8 Jonathan Andrews 2008-11-05 11:48:25 EST
No difference! From a simple user's perspective (mine!) I should be able to useradd from root, then log in and use su without additional steps - it's always worked out that way for me before :-)

[waiman@jonspcc ~]$ id
uid=502(waiman) gid=502(waiman) groups=10(wheel),502(waiman)
[waiman@jonspcc ~]$ su
su: incorrect password
[waiman@jonspcc ~]$
Comment 9 Kamil Dudka 2008-11-06 08:27:57 EST
Created attachment 322711
pam.d/su with debug options

Please try the attached /etc/pam.d/su with debug options and attach the appropriate part of /var/log/secure of successful and unsuccessful login.
Comment 10 Jonathan Andrews 2008-11-21 09:41:59 EST
Thanks for the attached files. I've tried them but get nothing related to su in /var/log/secure, just the login report from sshd.

It's time for me to flush this machine and start again. Thanks everyone for your help and time; it's time to close this bug and move on. I assume it's just me that's suffering this and only on one machine, so it's probably something I've broken!

Thanks again, looking forward to fc10.

