Description of problem:
PAM doesn't understand X authentication.

Version-Release number of selected component (if applicable):
0.75-40

How reproducible:
Every time.

Steps to Reproduce:
$ echo $DISPLAY
:0
$ echo $XAUTHORITY
/home/rjt/.Xauthority
$ xauth nlist
0100 <snip!> 5461
$ su -l
Password:
# echo $DISPLAY
:0
# echo $XAUTHORITY
/root/.xauthBhkWTM
# xauth nlist
0100 <snip! same as before> 5461
# xterm # works fine
# su -l notroot
$ echo $DISPLAY
:0
$ echo $XAUTHORITY
/root/.xauthBhkWTM
$ xauth nlist # hangs (for obvious reasons)
$ xterm
Xlib: connection to ":0.0" refused by server
Xlib: No protocol specified
xterm Xt error: Can't open display: :0
$ su -l rjt
Password:
$ echo $DISPLAY
:0
$ echo $XAUTHORITY
/root/.xauthBhkWTM

Actual results:
See above.

Expected results:
XAUTHORITY should always be either unset or $HOME/.Xauthority (the default).

Additional info:
There appears to be no reason to set root's XAUTHORITY to a temp-file, with the (untested but strongly suspected) result that root can only easily access one cookie at a time. But for non-root users (non-system users?), XAUTHORITY is erroneously passed all the way through to the target user, with the result that the target user tries to use another account's .Xauthority file. In fact, it seems to be almost an accident that the common case (su root, only need access to one cookie) works at all...
any update?
The XAUTHORITY environment variable isn't being changed by default when you drop from root to an unprivileged user due to the change in RHSA-2003:035 -- the display cookie isn't being forwarded, and the environment variable remains untouched. Whether it should be cleared, I couldn't say for certain, but placing "notroot" in root's .xauth/export file will cause the cookie to be manipulated, as it was before. Marking as fixed in the current release.
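
A way to check, from inside the target user's shell, whether the XAUTHORITY value inherited across su is usable by that account. This is an added example, not code from the report or from pam; the function names xauthority_status and reset_stale_xauthority are hypothetical.

```shell
#!/bin/sh
# Added example: classify the XAUTHORITY value a shell inherited across su.
# Uses test -O (true when the file is owned by the effective uid), which
# bash, dash and ksh all provide.

# Print one word describing the cookie file named by $1
# (default: the current value of $XAUTHORITY).
xauthority_status() {
    _xa_path=${1-${XAUTHORITY-}}
    if [ -z "$_xa_path" ]; then
        echo unset          # Xlib falls back to $HOME/.Xauthority
    elif [ ! -e "$_xa_path" ]; then
        # Missing, or inside a directory this user cannot search, as with
        # /root/.xauthBhkWTM seen from the "notroot" account in the report.
        echo unreachable
    elif [ ! -O "$_xa_path" ]; then
        echo foreign        # belongs to another account
    elif [ ! -r "$_xa_path" ]; then
        echo unreadable
    else
        echo ok
    fi
}

# Hypothetical helper: drop an inherited value this user cannot use, so X
# clients read the account's own default cookie file instead.
# Returns 0 if nothing had to change, 1 if XAUTHORITY was unset.
reset_stale_xauthority() {
    case $(xauthority_status) in
        unset|ok) return 0 ;;
        *) unset XAUTHORITY; return 1 ;;
    esac
}
```

Sourcing this and calling reset_stale_xauthority only changes which file is consulted; the target account still needs a valid cookie for the display in its own file before X clients can connect.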