Bug 524421 - password is required for xguest
Summary: password is required for xguest
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: gdm
Version: 12
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: jmccann
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-09-20 00:45 UTC by Bruno Wolff III
Modified: 2015-01-14 23:23 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-05 06:21:35 UTC


Attachments (Terms of Use)

Description Bruno Wolff III 2009-09-20 00:45:53 UTC
Description of problem:
When I try to login as xguest I am asked for a password.
Mode is enforcing.
xguest_u is the selinux user associated with the login xguest.

Version-Release number of selected component (if applicable):
xguest-1.0.7-7.fc12.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Daniel Walsh 2009-09-20 11:55:09 UTC
Could you check if there are any processes currently running on your system as xguest?

Comment 2 Bruno Wolff III 2009-09-20 15:03:53 UTC
xguest has uid 501 and no processes were running as xguest or with uid 501.

Comment 3 Daniel Walsh 2009-09-21 14:14:21 UTC
Tomas, you have any ideas?

I am at LinuxCon so I am going to be working sporadically on this.

Comment 4 Tomas Mraz 2009-09-21 21:06:05 UTC
Do you see anything related in the /var/log/secure?
Are you logging in through gdm?

Comment 5 Bruno Wolff III 2009-09-21 21:53:22 UTC
When I tried entering a password for xguest I got the following:
Sep 21 16:49:22 cerberus unix_chkpwd[29215]: password check failed for user (xguest)
Sep 21 16:49:22 cerberus pam: gdm-password[29165]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost=  user=xguest
Sep 21 16:49:39 cerberus pam: gdm-password[29231]: pam_unix(gdm-password:session): session opened for user bruno by (uid=0)

I am using gdm for graphical logins.

This was from my work machine where I just recently upgraded from F11 to rawhide. I think I had seen similar logs on the machine that was a fresh rawhide install as of about a month or so ago. (I did check the files in pam.d to see if the cause was bad pam files as that caused a problem last spring, but things looked reasonable.)

Comment 6 Tomas Mraz 2009-09-22 06:20:46 UTC
Can you please add debug option to the pam_selinux_permit.so module in the /etc/pam.d/gdm-password and look into the logs again after retrying the login?

Comment 7 Bruno Wolff III 2009-09-22 12:57:23 UTC
This is gdm-password:
auth        substack      password-auth
auth        required      pam_succeed_if.so user != root quiet
auth        optional      pam_gnome_keyring.so

account     required      pam_nologin.so
account     include       password-auth

password    include       password-auth

session     required      pam_selinux.so close debug
session     required      pam_loginuid.so
session     optional      pam_console.so
session     required      pam_selinux.so open debug
session     optional      pam_keyinit.so force revoke
session     required      pam_namespace.so
session     optional      pam_gnome_keyring.so auto_start
session     include       password-auth

Here is some log info from /var/log/secure:
Sep 22 07:46:22 games1 pam: gdm-password[3528]: pam_unix(gdm-password:session): session opened for user bruno by (uid=0)
Sep 22 07:46:56 games1 su: pam_unix(su:session): session opened for user root by bruno(uid=500)
Sep 22 07:48:15 games1 su: pam_unix(su:session): session closed for user root
Sep 22 07:48:45 games1 unix_chkpwd[16416]: password check failed for user (xguest)
Sep 22 07:48:45 games1 pam: gdm-password[16402]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=xguest
Sep 22 07:48:59 games1 pam: gdm-password[16421]: pam_selinux(gdm-password:session): Open Session
Sep 22 07:48:59 games1 pam: gdm-password[16421]: pam_selinux(gdm-password:session): Open Session
Sep 22 07:48:59 games1 pam: gdm-password[16421]: pam_selinux(gdm-password:session): Username= bruno SELinux User = unconfined_u Level= s0-s0:c0.c1023
Sep 22 07:48:59 games1 pam: gdm-password[16421]: pam_selinux(gdm-password:session): set bruno security context to unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Sep 22 07:48:59 games1 pam: gdm-password[16421]: pam_selinux(gdm-password:session): set bruno key creation context to unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Sep 22 07:48:59 games1 pam: gdm-password[16421]: pam_unix(gdm-password:session): session opened for user bruno by (uid=0)
Sep 22 07:49:28 games1 su: pam_unix(su:session): session opened for user root by bruno(uid=500)

Comment 8 Bruno Wolff III 2009-09-22 13:00:17 UTC
I just notice that the selinux modules in gdm-password don't have pam_selinux_permit.so. I thought that was supposed to get added by a package and nnot manually.
I'll retest after I figure out the correct options and let you know if that get's it working.

Comment 9 Bruno Wolff III 2009-09-22 13:11:03 UTC
Copying over the pam_selinux_permit.so from /etc/pam.d/gdm got things working.
When I glanced over that file I missed that line and saw the other modules referring to selinux and mistakenly thought things were the same.
So the real issue is why pam_selinux_permit.so isn't getting added to gdm-password. This was a fresh install from about a month ago and I thought that bug 505193 had been fixed, so I wasn't really expecting that to still be a problem.

Comment 10 Daniel Walsh 2009-09-22 13:19:11 UTC
Ray we need to work together to get xguest to use it's own pam stack, automagically so this does not happen, or get pam_selinux_permit into the gdm-passwd pam.d file.

Comment 11 Tomas Mraz 2009-09-22 13:23:04 UTC
pam_selinux_permit was in /etc/pam.d/gdm-password in F11. So the question is why it was dropped. It seems just like a regression in gdm.

Comment 12 Tomas Mraz 2009-09-22 13:25:06 UTC
Ah sorry for the confusion apparently it was added as the fix for bug 505193 to F11 but it was probably never added to the rawhide package.

Comment 13 Bruno Wolff III 2009-09-22 13:32:09 UTC
Well I need to also apologize, as I should have noticed that it was a regression before reporting the problem (since I knew about bug 505193 from before), which would have required less time form you guys to get things fixed again.
Thanks for taking care of this.

Comment 14 Bruno Wolff III 2009-10-07 17:08:53 UTC
There have been several gdm releases for F12 since comment 12 was added and gdm-password still hasn't been fixed. Is this an oversight or is there something complicating this?

Comment 15 Ray Strode [halfline] 2009-10-07 18:21:56 UTC
nothing complicated, i just missed this bug.

Comment 16 Ray Strode [halfline] 2009-10-07 18:26:36 UTC
fixed in F-12 AND devel this time.

Hopefully we'll have a better story in F-13 though using plugins.

Comment 17 Bug Zapper 2009-11-16 12:39:36 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 18 Bug Zapper 2010-11-04 09:55:16 UTC
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 19 Bug Zapper 2010-12-05 06:21:35 UTC
Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.


Note You need to log in before you can comment on or make changes to this bug.