Hi,

It appears as though pam has the path /usr/X11R6/bin/xauth built into the binary directly. However as Spyderous noted this path is being phased out with the modular Xorg builds, and as such may not be present on newer systems. Since X11R6 has been a symlink for quite a while, it would probably be best to convert this over to the correct path of /usr/bin/xauth.

Reproducible: Always

Steps to Reproduce:
1. Remove the symlink for /usr/X11R6
2. Su to root, by running "su -"
3. Attempt to run an X program

Actual Results:
Can't connect to display.

Expected Results:
X program runs

Portage 2.0.53_rc7 (default-linux/x86/2005.0, gcc-3.4.4, glibc-2.3.5-r3, 2.6.14 i686)
=================================================================
System uname: 2.6.14 i686 Intel(R) Pentium(R) M processor 1400MHz
Gentoo Base System version 1.12.0_pre9
ccache version 2.4 [enabled]
dev-lang/python: 2.4.2
sys-apps/sandbox: 1.2.13
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils: 2.16.1
sys-devel/libtool: 1.5.20
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-mtune=pentium4 -march=pentium4 -O3 -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/texmf/web2c /etc/env.d"
CXXFLAGS="-mtune=pentium4 -march=pentium4 -O3 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache cvs distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/overlays/personal"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 GAPING_SECURITY_HOLE X aalib acl acpi adns alsa animation avi bash-completion berkdb bitmap-fonts bluetooth boundschecking browserplugin cairo cdr crypt cups dbus dlloader dri dvb dvd eds emboss encode flac foomaticdb fortran freetds gd gdbm gif glitz gnome gps gstreamer gtk gtk2 gtkhtml hal hardened imagemagick ipv6 java john jpeg junit ldap libg++ libwww mad madwifi mailwrapper mikmod mmx motif mozilla mp3 mpeg mscash mssql mysql ncurses nls nptl nptlonly ntlm ogg oggvorbis opengl pam pcmcia pdflib pic pie plot png postgres pylibpcap python quicktime readline samba sasl sdl slang slp smux snmp sox spell sse sse2 ssl svg tcpd tetex theora threads tiff truetype truetype-fonts type1-fonts udev usb vorbis win32codecs xine xml2 xprint xv xvid zlib userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS
I found out that this can be altered in the /etc/pam.d files. I have three installed on my system that would require it. They are gdmconfig, gdmsetup and su. I'm not entirely sure how this should be handled, but as far as I'm aware xauth has been physically installed into /usr/bin/xauth for quite a while (with an X11R6 symlink handling the discrepancy). If this is the case, it should be safe to include this in the default installation. At the very least an ewarn could be added to tell people the problems they'll face...
I don't have or see this in pam-0.78-r3. What version of pam are you looking at?
I'm now using pam 0.78-r3. I'm not certain what version I was using when I first reported this. It is, however, still reproducible if you follow the steps listed in the bug. If the /etc/pam.d/su file just mentions the xauth.so file without parameters afterwards, and there is no /usr/X11R6 symlink, then when pam attempts to run xauth it will fail (since xauth is installed into /usr/bin/xauth rather than /usr/X11R6/bin/xauth, which is hardwired into pam). So after running su, attempting to run a program that relies on X (such as gedit) will fail because it doesn't have the xauthority to connect to the running display. Please note that pam itself (which provides the xauth.so module) has /usr/X11R6/bin hard-wired, and su, gdmsetup and gdmconfig are provided by the shadow and gdm packages respectively. So it appears the best solution would be a patch to pam to change the default paths for xauth. I'll be attaching a patch so you can see exactly what I think needs changing. If there's any further clarification I can provide, please just let me know...
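The failure described above can be checked for before the /usr/X11R6 symlink is removed. The script below is an added example, not part of the bug thread or of pam: it lists every PAM service file that loads the module and reports which xauth binary that line will run and whether it exists. It assumes the module is referenced as pam_xauth.so, that the per-service override is the module's xauthpath= argument, and that the compiled-in default is the path quoted in the report; the sample service files are constructed.

```shell
#!/bin/sh
# Added example, not from the bug thread: report which xauth binary each
# pam_xauth line in a PAM service directory will run, and whether it exists.
# Assumption: the compiled-in default is the path quoted in the report.
DEFAULT_XAUTH=${DEFAULT_XAUTH:-/usr/X11R6/bin/xauth}

# check_pam_xauth DIR -> one line per match: "<service> <source> <path> <status>"
check_pam_xauth() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # Drop comment lines, keep lines that load the module.
        grep -v '^[[:space:]]*#' "$f" | grep 'pam_xauth\.so' |
        while read -r line; do
            path=$DEFAULT_XAUTH src=builtin
            set -f                      # no globbing while splitting the line
            for word in $line; do
                case $word in
                    xauthpath=*) path=${word#xauthpath=} src=configured ;;
                esac
            done
            set +f
            if [ -x "$path" ]; then status=ok; else status=MISSING; fi
            printf '%s %s %s %s\n' "${f##*/}" "$src" "$path" "$status"
        done
    done
}

# make_sample DIR: constructed service files (not copied from a real system).
make_sample() {
    mkdir -p "$1/pam.d" "$1/bin"
    printf '#!/bin/sh\n' > "$1/bin/xauth"; chmod +x "$1/bin/xauth"
    printf 'session optional pam_xauth.so\n' > "$1/pam.d/su"
    printf 'session optional pam_xauth.so xauthpath=%s\n' "$1/bin/xauth" \
        > "$1/pam.d/gdmsetup"
    printf '# session optional pam_xauth.so\nauth required pam_unix.so\n' \
        > "$1/pam.d/login"
}

# Audit the directory given as $1, or the constructed sample if none is given.
if [ -n "${1:-}" ]; then
    check_pam_xauth "$1"
else
    tmp=$(mktemp -d) && make_sample "$tmp" && check_pam_xauth "$tmp/pam.d"
    rm -rf "$tmp"
fi
```

Run it as `sh script.sh /etc/pam.d`; any line reported as `builtin ... MISSING` is a service that will hit the problem in this report once the symlink is gone.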
Created attachment 78055: Patch to alter the default location of the xauth binary in pam-0.78
Every X in the tree right now installs to /usr, so this should be safe.
Added in -r4.