Bug 59112 - kdesu in kde 3.2.3, refuses to accept root password
Summary: kdesu in kde 3.2.3, refuses to accept root password
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] KDE
Hardware: All Linux
Importance: High normal
Assignee: Gentoo KDE team
Reported: 2004-08-01 17:45 UTC by K. Posern
Modified: 2004-08-06 15:30 UTC
Description K. Posern 2004-08-01 17:45:21 UTC
I don't know if it is my pam.d/su config ...

But "su -" in xterm window works.

And login as root on kdm also.

The user who tries kdesu is NOT in the wheel group, BUT its name is in a single line in the "/etc/security/suauth.allow" file.

---

So maybe it can help: My /etc/pam.d/su config file:

#%PAM-1.0

auth       sufficient   /lib/security/pam_rootok.so

# If you want to restrict users begin allowed to su even more,
# create /etc/security/suauth.allow (or to that matter) that is only
# writable by root, and add users that are allowed to su to that
# file, one per line.
auth       required     /lib/security/pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.allow

# Uncomment this to allow users in the wheel group to su without
# entering a passwd.
#auth       sufficient   /lib/security/pam_wheel.so use_uid trust

# Alternatively to above, you can implement a list of users that do
# not need to supply a passwd with a list.
#auth       sufficient   /lib/security/pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.nopass

# Comment this to allow any user, even those not in the 'wheel'
# group to su
auth       required     /lib/security/pam_wheel.so use_uid

auth       required     /lib/security/pam_stack.so service=system-auth

account    required     /lib/security/pam_stack.so service=system-auth

password   required     /lib/security/pam_stack.so service=system-auth

session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_xauth.so



Reproducible: Always
Steps to Reproduce:
1. kdesu ls

Actual Results:  
Incorrect password, please try again!
And a log entry in /var/log/messages:
Aug  2 02:43:07 jolie su[21523]: pam_authenticate: Permission denied


Expected Results:  
the directory as root... ;-)

Portage 2.0.50-r9 (default-x86-2004.0, gcc-3.3.3, glibc-2.3.3.20040420-r0,
2.6.7-gentoo-r11)
=================================================================
System uname: 2.6.7-gentoo-r11 i686 Intel(R) Pentium(R) 4 CPU 2.53GHz
Gentoo Base System version 1.4.16
Autoconf: sys-devel/autoconf-2.59-r3
Automake: sys-devel/automake-1.8.3
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-march=pentium4 -pipe -fomit-frame-pointer -O3"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config
/usr/kde/3.2/share/config /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref
/usr/share/config /usr/share/texmf/dvipdfm/config/
/usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/
/usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/init.d /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium4 -pipe -fomit-frame-pointer -O3"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox sfperms strict userpriv usersandbox"
GENTOO_MIRRORS="
     http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/     
ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo
     http://212.219.247.11/sites/www.ibiblio.org/gentoo/
     http://212.219.247.12/sites/www.ibiblio.org/gentoo/
"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X aac aalib acl acpi acpi4linux aim alsa amd apache2 apm arts audiofile avi
berkdb bonobo cdr crypt cups dga directfb divx4linux dv dvd dvdr emacs emacs-w3
encode esd ethereal faac faad fam fax fbcon ffmpeg firebird flac foomaticdb gb
gdbm geoip ggi gif gimp gimpprint gnome gphoto2 gpm gstreamer gtk gtk2 gtkhtml
guile hbci icq imagemagick imap imlib ipv6 jabber jack java jce jikes jp2 jpeg
kde kerberos ladcca lcms libcaca libg++ libsamplerate libwww lirc live mad
maildir matroska matrox memlimit mikmod mldonkeypango mmx motif mozdomi mozilla
mozxmlterm mpeg mpeg4 mplayer msn mysql nas ncurses nls ntlm odbc ofx oggvorbis
opengl oscar oss pam pcap pcre pdflib perl php png posix postgres ppds pthreads
python qt quicktime readline ruby samba scanner sdl silc slang speex spell spl
sqlite sse ssl svga tcltk tcpd tetex theora tiff transcode truetype unicode usb
v4l v4l2 videos wmf x86 xemacs xml xml2 xmms xosd xprint xv xvid yahoo yv12 zlib
zvbi"
Comment 1 Gregorio Guidi (RETIRED) gentoo-dev 2004-08-02 07:55:19 UTC
Your pam.d/su file says that you have to be listed in suauth.allow

	auth       required     /lib/security/pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.allow

_and_ be a member of the wheel group

	auth       required     /lib/security/pam_wheel.so use_uid

"su -" should also fail for you, I don't know why it succeeds (it fails here 
with the same configuration as you).
Try commenting out the second entry and see if it works.
Comment 2 K. Posern 2004-08-03 09:50:20 UTC
Thanks for your answer!

When I put myself (user me) in the wheel group --> then it works!

BUT as you said:
"su -" should also fail for you, I don't know why it succeeds (it fails here 
with the same configuration as you).
Try commenting out the second entry and see if it works.

This should NOT work, but I removed myself from the wheel group (as you will see below) and a "su -" in a konsole (executes bash -l) WORKS!! (don't ask me why):

me@jolie ~ $ groups
root lp mail audio video apache mine
me@jolie ~ $ su -
root's password:
/etc/profile
    >>> terminal type is 'xterm' <<<
    Executing GLOBAL autoexec.GLOBAL...
    done
    Executing HOST specific autoexec.jolie...
    done
jolie ~ # exit
logout
me@jolie ~ $ ksu root
WARNING: Your password may be exposed if you enter it here and are logged
         in remotely using an unsecure (non-encrypted) channel.
Kerberos password for root@EXAMPLE.COM: :
No password given
Authentication failed.
me@jolie ~ $ ksu root ls
Usage: ksu [target user] [-n principal] [-c source cachename] [-k] [-D] [-r time] [-pf] [-l lifetime] [-zZ] [-q] [-e command [args... ] ] [-a [args... ] ]
me@jolie ~ $ ksu root -e ls
account root: authorization failed
me@jolie ~ $


You think I should open a NEW bug for pam.d (or su)???
Comment 3 Gregorio Guidi (RETIRED) gentoo-dev 2004-08-04 02:47:11 UTC
The part about ksu is not relevant, it has nothing to do with kdesu!

Anyway, maybe you removed the 'wheel' group from /etc/group, in that
case pam_wheel will check against the 'root' group, and you're member
of that group.
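
The two points made in Comments 1 and 3 (both `required` lines must pass; pam_wheel falls back to the GID 0 group when no wheel group exists) can be checked with a small model of the auth stack. This is an added example, not part of the bug report or of Linux-PAM: the function names, the context dictionary and the sample user "me" (placed in group root, as in the `groups` output in Comment 2) are constructed, and only the `required` and `sufficient` controls are modelled.

```python
# Simplified model of the auth lines in the /etc/pam.d/su file quoted above.
# Each "module" is reduced to the single check discussed in this bug.

def pam_rootok(ctx):
    return ctx["ruid"] == 0                    # caller is already root

def pam_listfile(ctx):
    # item=ruser sense=allow: pass only if the calling user is listed
    return ctx["ruser"] in ctx["suauth_allow"]

def pam_wheel(ctx):
    # Checks group 'wheel'; if no such group exists, uses the GID 0 group
    groups = ctx["groups"]
    members = groups["wheel"] if "wheel" in groups else groups["root"]
    return ctx["ruser"] in members

def system_auth(ctx):
    return ctx["password_ok"]                  # stands in for the password check

SU_AUTH_STACK = [
    ("sufficient", pam_rootok),
    ("required", pam_listfile),
    ("required", pam_wheel),
    ("required", system_auth),
]

def authenticate(stack, ctx):
    failed = False
    for control, module in stack:
        ok = module(ctx)
        if control == "sufficient" and ok and not failed:
            return True                        # success ends the stack early
        if control == "required" and not ok:
            failed = True                      # stack continues, result is fixed
    return not failed

def make_ctx(wheel=("root",), have_wheel=True, allow=("me",),
             ruid=1000, password_ok=True):
    # Constructed sample data: user "me" is a member of the GID 0 group "root"
    groups = {"root": ["root", "me"]}
    if have_wheel:
        groups["wheel"] = list(wheel)
    return {"ruid": ruid, "ruser": "me", "suauth_allow": set(allow),
            "groups": groups, "password_ok": password_ok}

if __name__ == "__main__":
    print("listed, not in wheel:", authenticate(SU_AUTH_STACK, make_ctx()))
    print("listed, in wheel:    ", authenticate(SU_AUTH_STACK, make_ctx(wheel=("root", "me"))))
    print("listed, no wheel grp:", authenticate(SU_AUTH_STACK, make_ctx(have_wheel=False)))
```
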
Comment 4 K. Posern 2004-08-04 09:50:24 UTC
ksu... hmmm... ooopsi  :-)   (it was late;-)

No, for sure I didn't remove wheel... because either I added ",me" behind "root" or I removed it - not more...

???
Comment 5 K. Posern 2004-08-06 15:30:43 UTC
What confused me was that it worked for su in any shell WITHOUT being in group wheel! --> I didn't think that it is necessary to be in group wheel...

But as it works when I am in the wheel group (as it should, as I now know) --> no bug in kdesu (but maybe in su...)