Bug 71094 - pam-0.77-r1 and XAUTHORITY trouble
Summary: pam-0.77-r1 and XAUTHORITY trouble
Status: RESOLVED NEEDINFO
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: x86 Linux
Importance: High major
Assignee: PAM Gentoo Team (OBSOLETE)
Reported: 2004-11-13 14:50 UTC by Martin Gramatke
Modified: 2004-11-29 12:34 UTC
Description Martin Gramatke 2004-11-13 14:50:38 UTC
Since emerge of pam-0.77-r1, remote X is no longer possible.
I found this in the log files:
Nov 13 23:19:11 [PAM-env] Unknown PAM_ITEM: <XAUTHORITY>
Nov 13 23:19:11 [.or] PAM pam_putenv: delete non-existent entry; XAUTHORITY

There seems to be a workaround or solution, please check:
http://forums.gentoo.org/viewtopic.php?t=249744


Reproducible: Always
Steps to Reproduce:
1. emerge -uDpv world ;-)
Portage 2.0.51-r3 (default-linux/x86/2004.0, gcc-3.3.4, glibc-2.3.3.20040420-r2, 
2.6.9-gentoo-r1 i686) 
================================================================= 
System uname: 2.6.9-gentoo-r1 i686 Pentium III (Coppermine) 
Gentoo Base System version 1.4.16 
Autoconf: sys-devel/autoconf-2.59-r5 
Automake: sys-devel/automake-1.8.5-r1 
Binutils: sys-devel/binutils-2.14.90.0.8-r1 
Headers:  sys-kernel/linux26-headers-2.6.8.1 
Libtools: sys-devel/libtool-1.5.2-r5 
ACCEPT_KEYWORDS="x86" 
AUTOCLEAN="yes" 
CFLAGS="-march=pentium3 -O3 -pipe" 
CHOST="i686-pc-linux-gnu" 
COMPILER="" 
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control" 
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" 
CXXFLAGS="-march=pentium3 -O3 -pipe" 
DISTDIR="/usr/portage/distfiles" 
FEATURES="autoaddcvs ccache distlocks sandbox sfperms" 
GENTOO_MIRRORS="ftp://ftp.tu-clausthal.de/pub/linux/gentoo/ 
ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ http://www.gigaload.org/gentoo.org/ 
http://gentoo.oregonstate.edu http://www.ibiblio.org/pub/Linux/distributions/gentoo" 
MAKEOPTS="-j2" 
PKGDIR="/usr/portage/packages" 
PORTAGE_TMPDIR="/var/tmp" 
PORTDIR="/usr/portage" 
PORTDIR_OVERLAY="" 
SYNC="rsync://rsync16.de.gentoo.org/gentoo-merged" 
USE="X aalib alsa apache2 apm arts avi berkdb bitmap-fonts cdr crypt cscope 
cups doc dvb dvd dvdr encode esd f77 fam flac foomaticdb fortran gdbm gif 
gphoto2 gpm gtk gtk2 imagemagick imlib java jpeg kde libg++ libwww mad maildir 
mikmod mmx motif mpeg ncurses nls oggvorbis opengl pam pdflib perl png ppds 
python qt quicktime readline samba scanner sdl slang spell sse ssl svga tcltk tcpd 
tetex tiff truetype usb x86 xine xml2 xmms xv zlib linguas_de"
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-11-13 14:54:24 UTC
This is not a security issue, re-assigning to pam herd.
Comment 2 SpanKY gentoo-dev 2004-11-13 15:01:22 UTC
try with 0.77-r3
Comment 3 Martin Gramatke 2004-11-14 09:49:10 UTC
Same problem with 0.77-r3. Sorry.
Comment 4 Jim Tupper 2004-11-14 14:49:23 UTC
I fear the core problem and scope of the issue is missing from the description here.
Thankfully, I've started using dispatch-conf on one of my systems and it told the whole story.

The issue _is_ with the upgrade to pam. In the previous file /etc/security/pam_env.conf, there was a whole bunch of comments and examples but no actual code. In the upgraded config, there's three lines setting DISPLAY, REMOTEHOST and XAUTHORITY variables. I can't work out what they're for or why they're needed, but KDM for one cannot log-in on anything but screen :0.0 when these options are set.

Put simply, these config options bork having >1 graphical VT, as well as the famous VNC terminal server for the forum's howto (both are features which I personally use extensively on 4 machines). They may well bork other things as well, but it's fairly clear that it's just not a good thing.

When I was testing, xdm didn't have the problem, but then I could only log-in as root (the LDAP logins weren't working - does xdm use pam? side issue, I'm not really interested). I didn't test gdm as I've found a full workaround.

Since the original file had these lines commented, I'm guessing there's no side effects to just commenting them out again.

Cheers.


Comment 5 Eric Brown 2004-11-16 04:43:41 UTC
I have those log entries on all of my Gentoo boxes at this point.
They happen whenever I su, I think.
Comment 6 Yi S. Ding 2004-11-17 21:17:00 UTC
This bug is due to changes made for bug 69925 in pam_env.conf.  The changes were incorrect because 1) XAUTHORITY is not recognized as a PAM variable by PAM_ENV (look at the pam_env.c code if you don't believe me), and 2)

REMOTEHOST	DEFAULT= OVERRIDE=@{PAM_RHOST}

should be

REMOTEHOST	DEFAULT=localhost OVERRIDE=@{PAM_RHOST}

Otherwise, the line

DISPLAY		DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}

will produce an error saying REMOTEHOST is an invalid variable.  Unfortunately, both this bug and bug 69925 should be reopened, because the fix is incorrect and does not even resolve the problem stated in 69925.
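
Added example, not part of the comment above and not Gentoo's or Linux-PAM's own code: a small Python checker for the two pam_env.conf mistakes comment 6 describes (an `@{...}` item that pam_env does not know, and a `${...}` reference to a variable declared with an empty DEFAULT). The list of accepted item names, the XAUTHORITY sample line and the name `lint_pam_env` are assumptions; only the REMOTEHOST and DISPLAY lines are quoted in this bug.

```python
import re

# Assumption: names accepted inside @{...}, recalled from Linux-PAM's
# pam_env.c rather than taken from this bug. Adjust for your PAM version.
KNOWN_PAM_ITEMS = {"PAM_USER", "PAM_USER_PROMPT", "PAM_TTY", "PAM_RUSER", "PAM_RHOST"}

# Constructed samples. The XAUTHORITY line is a guess that matches the
# logged "Unknown PAM_ITEM: <XAUTHORITY>" error; it is not quoted in the bug.
BROKEN = """\
REMOTEHOST\tDEFAULT= OVERRIDE=@{PAM_RHOST}
DISPLAY\t\tDEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
XAUTHORITY\tDEFAULT= OVERRIDE=@{XAUTHORITY}
"""
FIXED = """\
REMOTEHOST\tDEFAULT=localhost OVERRIDE=@{PAM_RHOST}
DISPLAY\t\tDEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
"""

def lint_pam_env(text):
    """Return (line_no, message) findings for a pam_env.conf body.

    Simplification: values containing spaces or '#' are not supported.
    """
    findings = []
    empty_default = set()  # variables declared so far with an empty DEFAULT=
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *opts = line.split()
        values = {}
        for opt in opts:
            key, sep, val = opt.partition("=")
            if not sep or key not in ("DEFAULT", "OVERRIDE"):
                findings.append((no, f"unrecognised option {opt!r}"))
                continue
            values[key] = val.strip('"')
        for val in values.values():
            for item in re.findall(r"@\{([^}]*)\}", val):
                if item not in KNOWN_PAM_ITEMS:
                    findings.append((no, f"unknown PAM item @{{{item}}}"))
            for ref in re.findall(r"\$\{([^}]*)\}", val):
                if ref in empty_default:
                    findings.append((no, f"${{{ref}}} refers to a variable with empty DEFAULT"))
        if values.get("DEFAULT", "") == "":
            empty_default.add(name)
    return findings

if __name__ == "__main__":
    for no, msg in lint_pam_env(BROKEN):
        print(f"line {no}: {msg}")
```
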
Comment 7 J. Alexander Treuman 2004-11-26 17:00:42 UTC
This is a duplicate of bug 70585 (and is an issue with DISPLAY, not XAUTHORITY).