Users that upgraded to shadow-4.0.5 can't use X applications when 'su -'ing to root. I used this code in my root .profile to allow the use of X applications:

    # /var/run/console.lock names the user logged in at the console; extract that
    # user's cookie for $DISPLAY and merge it into root's .Xauthority
    if [ -r /var/run/console.lock ]
    then
        su `cat /var/run/console.lock` -c "/usr/X11R6/bin/xauth extract - $DISPLAY" | xauth merge -
    fi

With shadow-4.0.5 the error always is:

    /usr/X11R6/bin/xauth: (argv):1: bad "extract" command line
    xauth: (argv):1: unable to read any entries from file "(stdin)"

A downgrade to shadow-4.0.4.1-r4 solved the problem so far.

Reproducible: Always

Steps to Reproduce:
There is also a thread in the gentoo forums http://forums.gentoo.org/viewtopic.php?p=1720367#1720367 (sorry that I forgot it in the first place)
And there is also Bug 69895 and Bug 69781, and I don't really see why this version is marked stable. :-(
And Bug 69932 (and another two already fixed). Would someone be so kind and mark the bug-infested version as unstable as soon as possible? Also, I would recommend raising the priority way above normal. It does not fix any vulnerability anyway, because people are not able to install it. :-(
Looks like it's due to the XAUTHORITY env var not being passed on to the new session. IIRC this has come up before; let me track it down and release 4.0.5-r2.
Actually, I lied ... this is NOTABUG. I looked back through some correspondence between the upstream shadow maintainer and us Gentoo devs, and this is the correct behavior. From the ChangeLog:

    * NEWS, src/su.c: add pam_open_session() support. If built without PAM support propagate $DISPLAY and $XAUTHORITY environment variables.

Notice that if PAM is enabled, DISPLAY/XAUTHORITY are not propagated ... you're supposed to set up the propagation of these vars yourself (gasp!) via pam_xauth.

So, what I will do in the meantime (because 4.0.5 was forced into stable due to SECURITY ISSUES) is restore the backwards-compat behavior in 4.0.5-r2. Come next unstable release though, this hack will be removed and we will start forcing users to do The Right Thing (tm).
It seems that "The Right Thing" is broken in Gentoo, though. I have the line "session required /lib/security/pam_xauth.so" in /etc/pam.d/su, but it makes no difference.
No, it's not pam_xauth that is needed (the hack is needed for pam_xauth to work properly), but pam_env, according to the current shadow maintainer. I have tried this locally, but it does not work for me. I have contacted him again, so we will have to wait. Mike, please leave the hack in until I get back to you.
Ok, with these it should be fixed again:

    # epm -q pam shadow
    pam-0.77-r3
    shadow-4.0.5-r3

Just make sure you have merged the changes in /etc/pam.d/su and /etc/security/pam_env.conf ...
Upgrading to the latest r3 variants of pam and shadow does NOT fix this problem for remote X11 forwarding.
Still experiencing this. Just trying: su - xlogo sits there forever. This for every user (but the current one, of course).
Yep. Not only did the fix not do what it was supposed to, it also added a bunch of errors. The changes were incorrect because 1) XAUTHORITY is not recognized as a PAM variable by pam_env (look at the pam_env.c code if you don't believe me), and 2)

    REMOTEHOST DEFAULT= OVERRIDE=@{PAM_RHOST}

should be

    REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST}

Otherwise, the line

    DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}

will produce an error saying REMOTEHOST is an invalid variable. This bug should be reopened.
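Added illustration for the comment above (not part of the bug thread, and not pam_env's own code): a small Python model of how pam_env resolves a pam_env.conf line under the rule documented in pam_env.conf(5), where the OVERRIDE value is used when it expands to something non-empty and DEFAULT is used otherwise, with ${NAME} read from the environment and @{ITEM} from PAM items such as PAM_RHOST. It runs the two REMOTEHOST/DISPLAY variants quoted above through a local su (DISPLAY inherited, no PAM_RHOST set, which is an assumption about how su calls PAM) and a remote login (PAM_RHOST set, no DISPLAY inherited). The hostname and environments are constructed; pam_env's quoting rules and its own log messages are not reproduced, so the model reports unresolved references and empty results rather than the exact error the poster saw.

```python
import re

# Constructed pam_env.conf(5) fragments: the two REMOTEHOST/DISPLAY variants
# under discussion (empty DEFAULT vs. DEFAULT=localhost). Not the real Gentoo file.
BROKEN_CONF = """
REMOTEHOST DEFAULT= OVERRIDE=@{PAM_RHOST}
DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
"""
FIXED_CONF = """
REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
"""

# VARIABLE [DEFAULT=value] [OVERRIDE=value]; quoting of values with spaces is not modeled.
LINE_RE = re.compile(r'^(\w+)(?:\s+DEFAULT=(\S*))?(?:\s+OVERRIDE=(\S*))?\s*$')
# ${NAME} is an environment variable, @{ITEM} is a PAM item (PAM_RHOST, PAM_USER, PAM_TTY)
REF_RE = re.compile(r'([$@])\{(\w+)\}')


def expand(value, env, pam_items):
    """Expand ${NAME} from env and @{ITEM} from pam_items.
    Names absent from both tables expand to '' and are returned so the
    caller can see which references did not resolve."""
    unresolved = []

    def sub(m):
        kind, name = m.group(1), m.group(2)
        table = env if kind == '$' else pam_items
        if name not in table:
            unresolved.append(m.group(0))
            return ''
        return table[name]

    return REF_RE.sub(sub, value), unresolved


def evaluate(conf, env, pam_items):
    """Apply the documented rule line by line: OVERRIDE is used when it
    expands to a non-empty string, otherwise DEFAULT. Each variable becomes
    visible to later lines, as in pam_env. Returns the resulting environment,
    the unresolved references, and the variables that ended up empty."""
    env = dict(env)          # do not mutate the caller's environment
    unresolved, empty = [], []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError('unparsable pam_env line: %r' % line)
        name, default, override = m.group(1), m.group(2) or '', m.group(3) or ''
        ov, missing = expand(override, env, pam_items)
        if ov:
            env[name] = ov
        else:
            de, missing_default = expand(default, env, pam_items)
            missing += missing_default
            env[name] = de
        unresolved += missing
        if env[name] == '':
            empty.append(name)
    return env, unresolved, empty


# Local 'su -' from a console login: DISPLAY inherited, no PAM_RHOST set (assumption).
LOCAL_ENV, LOCAL_PAM = {'DISPLAY': ':0'}, {}
# Remote login: PAM_RHOST set by the service, no DISPLAY inherited (constructed hostname).
REMOTE_ENV, REMOTE_PAM = {}, {'PAM_RHOST': 'desk.example.org'}

if __name__ == '__main__':
    for label, conf in (('broken', BROKEN_CONF), ('fixed', FIXED_CONF)):
        for case, env, pam in (('local', LOCAL_ENV, LOCAL_PAM), ('remote', REMOTE_ENV, REMOTE_PAM)):
            result, unresolved, empty = evaluate(conf, env, pam)
            print('%-6s %-6s REMOTEHOST=%r DISPLAY=%r unresolved=%s empty=%s'
                  % (label, case, result['REMOTEHOST'], result['DISPLAY'], unresolved, empty))
```

Under this model the two fragments behave identically for a remote login (PAM_RHOST wins through OVERRIDE either way); the difference shows only on a local su, where the broken line leaves REMOTEHOST defined but empty while DEFAULT=localhost gives it a usable value.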
Same problem here. See also http://forums.gentoo.org/viewtopic.php?t=255675.
Ding is right - this bug needs to be reopened... Also confirmed that Ding's fix works.
This should be fixed in 4.0.5-r3 by shadow-4.0.5-fix-adding-of-pam_env-set-env-vars.patch, which is applied upstream in 4.0.6. I'm running that now and XAUTHORITY does get set properly by pam_xauth. Not sure if the script in the initial submission works, but with pam_xauth you shouldn't need it anyway. Unfortunately, the "fixes" applied in pam_env.conf are still breaking things and never actually helped. For that, see bug 70585.
Sorry, I didn't test before commenting, and it turns out I'm wrong. Using su works now, but su - is still broken. Looking at the source I can't figure out why. su makes a point of saving XAUTHORITY and DISPLAY when using -, but for some reason only XAUTHORITY (which pam_xauth sets) makes it through, while DISPLAY (which is just inherited from the original environment) magically disappears. If not using pam_xauth, neither make it. This could also be fixed in pam_xauth by setting both itself.
> Using su works now, but su - is still broken.

No, "su" doesn't work for me. "su -" still doesn't either. Is it a shadow or a PAM issue, after all?
Could someone please reopen this annoying bug? It is NOT fixed!