Description of problem: xauth doesn't work as non-root SElinux permissions are implicated [root@rawhide .ssh]# su wbaker bash-4.2$ /usr/bin/xauth /usr/bin/xauth: timeout in locking authority file /home/wbaker/.Xauthority Version-Release number of selected component (if applicable): $ rpm -q -f /usr/bin/xauth xorg-x11-xauth-1.0.6-2.fc17.i686 How reproducible: very Steps to Reproduce: 1. install rawhide 2. add a user account 3. add a known-working ssh key to authorized_keys2 4. work around the SElinux label problems on /home/$USER/.ssh as described in https://bugzilla.redhat.com/show_bug.cgi?id=772982 5. show ssh access functions in text mode 6. ssh -A -Y rawhide.local gnome-terminal Actual results: $ ssh -A -Y root gnome-terminal ...functions correctly... $ ssh -A -Y wbaker gnome-terminal /usr/bin/xauth: timeout in locking authority file /home/wbaker/.Xauthority X11 connection rejected because of wrong authentication. X11 connection rejected because of wrong authentication. X11 connection rejected because of wrong authentication. X11 connection rejected because of wrong authentication. Expected results: $ ssh -A -Y root gnome-terminal ...functions correctly... $ ssh -A -Y wbaker gnome-terminal ...functions correctly... Additional info: /var/log/messages says Jan 10 07:39:40 rawhide.local dbus-daemon[855]: dbus[855]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper) Jan 10 07:39:40 rawhide.local dbus[855]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper) Jan 10 07:39:42 rawhide.local dbus[855]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd' Jan 10 07:39:42 rawhide.local dbus-daemon[855]: dbus[855]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd' Jan 10 07:40:08 rawhide.local dbus-daemon[855]: Exception TypeError: "'NoneType' object is not callable" in <function _removeHandlerRef at 0xb756d6bc> ignored (see https://bugzilla.redhat.com/show_bug.cgi?id=772982 for an explanation of this issue ... setroubleshootd isn't being run to chatter into messages) bash-4.2$ strace /usr/bin/xauth ...etc... close(3) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7735000 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7734000 set_thread_area({entry_number:-1 -> 6, base_addr:0xb77346c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 mprotect(0x4d3d9000, 8192, PROT_READ) = 0 mprotect(0x4d400000, 4096, PROT_READ) = 0 mprotect(0x4d932000, 4096, PROT_READ) = 0 mprotect(0x4dac8000, 4096, PROT_READ) = 0 mprotect(0x8050000, 4096, PROT_READ) = 0 mprotect(0x4d22d000, 4096, PROT_READ) = 0 munmap(0xb7754000, 70449) = 0 ioctl(1, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, {B38400 opost isig icanon echo ...}) = 0 brk(0) = 0x82a4000 brk(0x82c5000) = 0x82c5000 brk(0) = 0x82c5000 rt_sigaction(SIGINT, {0x804cb30, [INT], SA_RESTART}, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGTERM, {0x804cb30, [TERM], SA_RESTART}, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGHUP, {0x804cb30, [HUP], SA_RESTART}, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGPIPE, {0x804cb30, [PIPE], SA_RESTART}, {SIG_DFL, [], 0}, 8) = 0 stat64("/home/wbaker/.Xauthority-c", 0xbff23280) = -1 ENOENT (No such file or directory) open("/home/wbaker/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied) rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0 rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 nanosleep({2, 0}, 0xbff232c8) = 0 open("/home/wbaker/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied) rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0 rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 nanosleep({2, 0}, 0xbff232c8) = 0 open("/home/wbaker/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied) rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0 rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 nanosleep({2, 0}, 0xbff232c8) = 0 open("/home/wbaker/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied) rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0 rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 nanosleep({2, 0}, 0xbff232c8) = 0 open("/home/wbaker/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied) rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0 rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 nanosleep({2, 0}, 0xbff232c8) = 0 open("/home/wbaker/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied) rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0 rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 nanosleep({2, 0}, 0xbff232c8) = 0 open("/home/wbaker/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied) rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0 rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 nanosleep({2, 0}, 0xbff232c8) = 0 open("/home/wbaker/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied) rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0 rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 nanosleep({2, 0}, 0xbff232c8) = 0 open("/home/wbaker/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied) rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0 rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 nanosleep({2, 0}, 0xbff232c8) = 0 open("/home/wbaker/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied) rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0 rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 nanosleep({2, 0}, 0xbff232c8) = 0 write(2, "/usr/bin/xauth: timeout in lock"..., 76/usr/bin/xauth: timeout in locking authority file /home/wbaker/.Xauthority ) = 76 exit_group(1) = ? [root ~]# tail /var/log/audit/audit.log type=AVC msg=audit(1326209990.489:3382): avc: denied { write } for pid=29664 comm="xauth" name="wbaker" dev=dm-3 ino=1835009 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir type=SYSCALL msg=audit(1326209990.489:3382): arch=40000003 syscall=5 success=no exit=-13 a0=bff2335a a1=c1 a2=180 a3=5 items=0 ppid=29663 pid=29664 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=240 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1326209992.498:3383): avc: denied { write } for pid=29664 comm="xauth" name="wbaker" dev=dm-3 ino=1835009 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir type=SYSCALL msg=audit(1326209992.498:3383): arch=40000003 syscall=5 success=no exit=-13 a0=bff2335a a1=c1 a2=180 a3=4 items=0 ppid=29663 pid=29664 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=240 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1326209994.506:3384): avc: denied { write } for pid=29664 comm="xauth" name="wbaker" dev=dm-3 ino=1835009 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir type=SYSCALL msg=audit(1326209994.506:3384): arch=40000003 syscall=5 success=no exit=-13 a0=bff2335a a1=c1 a2=180 a3=3 items=0 ppid=29663 pid=29664 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=240 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1326209996.516:3385): avc: denied { write } for pid=29664 comm="xauth" name="wbaker" dev=dm-3 ino=1835009 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir type=SYSCALL msg=audit(1326209996.516:3385): arch=40000003 syscall=5 success=no exit=-13 a0=bff2335a a1=c1 a2=180 a3=2 items=0 ppid=29663 pid=29664 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=240 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1326209998.521:3386): avc: denied { write } for pid=29664 comm="xauth" name="wbaker" dev=dm-3 ino=1835009 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir type=SYSCALL msg=audit(1326209998.521:3386): arch=40000003 syscall=5 success=no exit=-13 a0=bff2335a a1=c1 a2=180 a3=1 items=0 ppid=29663 pid=29664 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=240 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)
Fix / workaround (login with -Y to exhibit the problem) $ ssh -Y -A rawhide.local Last login: Tue Jan 24 08:26:38 2012 from somewhere.fedora.local /usr/bin/xauth: timeout in locking authority file /home/wbaker/.Xauthority -bash-4.2$ /sbin/restorecon -v -v /home/wbaker/.Xauthority -bash-4.2$ /sbin/restorecon -v -v -R /home/wbaker/ /sbin/restorecon reset /home/wbaker context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_dir_t:s0 /sbin/restorecon reset /home/wbaker/.bash_history context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0 /sbin/restorecon reset /home/wbaker/.f context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0 /sbin/restorecon reset /home/wbaker/.lesshst context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0 $ exit separately $ ssh -Y -A rawhide.local -bash-4.2$ -bash-4.2$ exit Happy.
I'm having this problem too with Fedora 17, but the fix/workaround does not seem to help.
Running this did solve the problem for me however: # setsebool -P use_nfs_home_dirs 1
I'm having this problem with EL-6.3. It seems that the problem is in GDM (as usual ;-)). While sshd-invoked xauth tries to access ~USER/.Xauthority, the "true" location is /var/run/gdm/auth-for-USER-someRandomString/database. And that location is specified in XAUTHORITY, which is probably set by GDM. Note 1: my shell is /bin/zsh, if that matters. Note 2: probably switching SElinux off would help, but having MULTIPLE Xauthority files looks insane. P.S. GDM becomes more and more stupid, trying to re-implement much of traditional *nix/X11 functionality by itself (and ignoring commonly-accepted practices, being totally unconfigurable).
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
This message is a notice that Fedora 19 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 19. It is Fedora's policy to close all bug reports from releases that are no longer maintained. Approximately 4 (four) weeks from now this bug will be closed as EOL if it remains open with a Fedora 'version' of '19'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 19 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.