Bug 585550 - sys-libs/pam-1.2.1 pam_xauth slows down login and fails to load cookies when pambase uses mktemp USE
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal minor
Assignee: Mikle Kolyada (RETIRED)
Duplicates: 594050
Reported: 2016-06-10 20:30 UTC by Francisco Blas Izquierdo Riera
Modified: 2020-02-24 15:37 UTC (History)

Attachments
Make pam_xauth use the values from pam_modutil_getpwuid instead of getuid and getgid (pam_xauth.patch, 2.52 KB, patch)
2017-01-29 15:33 UTC, Francisco Blas Izquierdo Riera

Description Francisco Blas Izquierdo Riera gentoo-dev 2016-06-10 20:30:27 UTC
After updating to KDE5 I found that using su on any terminal (konsole and xterm tested) to start a root session would take a long time. That is not the problem when using a TTY console though.

Some testing led me to find that the issue depended at the very least on the XAUTHORITY and DISPLAY environment variables being set when running the su command to start the root session. These variables weren't set on KDE4 and thus the issue didn't surface until the update.

More in-depth testing showed that disabling pam_xauth when those variables were set also fixed the issue.

After testing around with pam_xauth I have managed to figure out the following:
* mktemp will generate a temporary dir in /tmp/.private/username; this directory will be owned by root and the user's group and have 770 permissions (along with the sticky flag and the a attribute on the parent).
* The xauth cookie is then stored on "/tmp/.private/username/xauth-userid-_0" and the XAUTHORITY variable updated accordingly.
* When running su, pam_xauth will then try to run xauth to extract the cookie from the above path, but since it will run xauth with the GID of the root user, xauth is unable to lock the file and eventually times out without returning anything. When xauth times out, the module returns an error but the login process succeeds.
* The reason why xauth fails and eventually gives up is that the /tmp/.private/username/ folder has a mismatch with the privileges of the xauth processes (as neither owner nor group match in that case).

The best solution would be fixing mod_xauth so that it would use the right GID although I'm unsure if this is possible.
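
The permission mismatch described in the report above, as an added example that is not part of the original bug report or the pam_xauth source: a model of the classic Unix owner/group/other check applied to /tmp/.private/username. The numeric IDs are constructed, the function names are hypothetical, and it assumes the xauth child runs with the invoking user's UID, has no supplementary groups, and that no ACLs apply.

```c
#include <stdio.h>
#include <sys/types.h>

/* Permission bits requested, same encoding as one rwx triplet. */
enum { WANT_R = 4, WANT_W = 2, WANT_X = 1 };

/*
 * Classic Unix DAC check for one file or directory: exactly one rwx triplet
 * is selected (owner, else group, else other) and must contain every
 * requested bit. Assumptions of this sketch: no supplementary groups, no
 * ACLs, and euid 0 bypasses the check (CAP_DAC_OVERRIDE).
 */
static int dac_allows(uid_t euid, gid_t egid,
                      uid_t owner, gid_t group, mode_t mode, int want)
{
    int triplet;

    if (euid == 0)
        return 1;
    if (euid == owner)
        triplet = (mode >> 6) & 7;
    else if (egid == group)
        triplet = (mode >> 3) & 7;
    else
        triplet = mode & 7;
    return (triplet & want) == want;
}

/* Constructed IDs: the user and their group are both 1000, root is 0. */
enum { ROOT = 0, USER_UID = 1000, USER_GID = 1000 };

/* /tmp/.private/username as described in the report: root:<user group>, 770 */
static int xauth_can_lock(uid_t euid, gid_t egid)
{
    /* Creating a lock file needs write+search on the directory. */
    return dac_allows(euid, egid, ROOT, USER_GID, 0770, WANT_W | WANT_X);
}

int main(void)
{
    printf("uid=user gid=root : %s\n",
           xauth_can_lock(USER_UID, ROOT) ? "allowed" : "denied");
    printf("uid=user gid=user : %s\n",
           xauth_can_lock(USER_UID, USER_GID) ? "allowed" : "denied");
    return 0;
}
```

With the user's UID and root's GID, neither the owner nor the group triplet is selected, so the empty "other" triplet of mode 770 decides and the lock attempt is refused; with the user's own GID the group triplet applies and it succeeds.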
Comment 1 Francisco Blas Izquierdo Riera gentoo-dev 2016-06-10 20:34:18 UTC
As I think this is a PAM issue I'm assigning it to the PAM team.

KDE team, I'm CCing you in case users come asking about the issue. A simple workaround is commenting out the following line in /etc/pam.d/su:
session    optional             pam_xauth.so

This workaround may of course cause issues as it would be impossible to run X applications after running su.
Comment 2 Ryan Hill (RETIRED) gentoo-dev 2016-09-06 00:21:37 UTC
This pretty much breaks kdesu and anything that uses it.
Comment 3 Ryan Hill (RETIRED) gentoo-dev 2016-09-06 00:22:20 UTC
Easier workaround is setting XAUTHORITY=~/.Xauthority
Comment 4 Andreas Sturmlechner gentoo-dev 2016-09-21 18:17:01 UTC
*** Bug 594050 has been marked as a duplicate of this bug. ***
Comment 5 Francisco Blas Izquierdo Riera gentoo-dev 2017-01-29 15:33:01 UTC
Created attachment 461836
Make pam_xauth use the values from pam_modutil_getpwuid instead of getuid and getgid

Having some time, I have written a patch which solves the issue by avoiding using getgid.

It does work flawlessly on my system.

@pam team I'll submit this one to mainstream. In the meantime, can you consider adding this to the next revision?
Comment 6 Pacho Ramos gentoo-dev 2018-09-24 13:33:56 UTC
Was this finally forwarded to upstream?
Comment 7 Francisco Blas Izquierdo Riera gentoo-dev 2019-03-28 15:21:36 UTC
Hi and sorry for the delay.

This was sent, I forgot to bring this back up on here. https://github.com/linux-pam/linux-pam/pull/3#issuecomment-275949032

Sorry, Pacho :(
Comment 8 Francisco Blas Izquierdo Riera gentoo-dev 2019-03-28 15:28:01 UTC
Zlogene, since you are the only pam maintainer and the pam project is being disbanded, I'm assigning this one to you.
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-02-24 15:37:40 UTC
Closing as wontfix as upstream sees problem in shadow, not in pam (and also closed their bug).