Bug 75825 - Failed RPM installs cause su to remain open
Summary: Failed RPM installs cause su to remain open
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: usermode
Version: 8.0
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact:
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2002-10-13 11:29 UTC by Paul Johnson
Modified: 2007-03-27 03:57 UTC (History)
0 users

Clone Of:
Last Closed: 2003-10-02 11:29:56 UTC

Attachments (Terms of Use)

Description Paul Johnson 2002-10-13 11:29:23 UTC
Description of Problem:
Failed RPM installations leave the root permission on - applies when not logged
in as the root

Version-Release number of selected component (if applicable):

How Reproducible:

Steps to Reproduce:
1. Download (say) the realplayer for Linux from real.com. 
2. Open with the application installer, type in the root password
3. The RPM install fails (does not get as far as checking the RPM headers), the
keys remain. It is then possible to access locked off areas.

Actual Results:
The keys remain, user still has su access

Expected Results:
The failure should be reported on screen and su access removed

Additional Information:
If the RPM fails to install, it is then not possible to install RPMs via either
the terminal or via the add application method - the only method of resetting
which will work is to reset the machine. Given it is a global addition when
installing an RPM, this is not suprising.

Comment 1 Jeremy Katz 2002-10-31 22:42:42 UTC
This is the intended behavior of using pam_timestamp... from the release notes

     o Some of the configuration tools use pam_timestamp, a module for
       implementing sudo-style authentication timestamps via PAM. The
       authentication function checks for the existence of the timestamp
       file. If the file exists and is less than five minutes old (the same
       default as sudo), authentication succeeds without prompting for the
       root password again.

       If a program with pam_timestamp support is started from the Main Menu
       button or Nautilus and successfully authenticated, a key icon will
       appear in the panel notification area to show that an authenticated
       user has cached root authentication. When the authentication expires,
       the icon is removed.

Comment 2 Paul Johnson 2002-11-01 23:54:21 UTC
Unfortunately, the revocation of the keys doesn't happen until the machine is
reset, nor are you able to install any other packages via either the rpm command
line or the add packages systems.

Comment 3 Alan Cox 2002-12-18 18:09:35 UTC
Unable to duplicate.. Curious

Comment 4 Jeremy Katz 2002-12-18 20:27:37 UTC
Me neither and as far as I know, Nalin hasn't heard anything either.  In any
case, it's not redhat-config-packages doing it.  If anything, it's pam_timestamp
but I haven't seen anything, although I'll leave it to Nalin to be definitive about

Comment 5 Mark J. Cox 2003-10-02 11:29:56 UTC
This bug is quite old, closing it off - the "not able to install packages" could
just be a problem with rpm locks files (try rm /var/lib/rpm/__* ), and the
authentication staying open is exepected behaviour of pam_timestamp.

Note You need to log in before you can comment on or make changes to this bug.