Bugzilla – Full Text Bug Listing

| Summary: | pam_xauth as well as pam_unix do not work with sudoers pam support | | |
|---|---|---|---|
| Product: | Sudo | Reporter: | Werner <werner> |
| Component: | Sudoers | Assignee: | Todd C. Miller <Todd.Miller> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | | |
| Priority: | low | | |
| Version: | 1.9.2 | | |
| Hardware: | PC | | |
| OS: | Linux | | |
| URL: | https://bugzilla.opensuse.org/show_bug.cgi?id=1174593 | | |
| Attachments: | dirty-hack.patch | | |

Description

Werner, 2020-11-05 05:11:56 MST

Created attachment 546: dirty-hack.patch

This little dirty hack shows that it could work correctly:
```
sudo[1260]: PAM unable to resolve symbol: pam_sm_setcred
sudo[1260]: werner : TTY=pts/2 ; PWD=/usr/src/werner/sudo ; USER=root ; COMMAND=/bin/bash
sudo[1260]: pam_kwallet5(sudo-i:setcred): (null): pam_sm_setcred
sudo[1260]: pam_systemd(sudo-i:session): pam-systemd initializing
sudo[1260]: pam_systemd(sudo-i:session): Asking logind to create session: uid=0 pid=1260 service=sudo-i type=tty class=user desktop= seat= vtnr=0 tty=pts/2 display= remote=no remote_user=werner remote_host=
sudo[1260]: pam_systemd(sudo-i:session): Session limits: memory_max=n/a tasks_max=n/a cpu_weight=n/a io_weight=n/a runtime_max_sec=n/a
sudo[1260]: pam_systemd(sudo-i:session): Not creating session: Already running in a session or user slice
sudo[1260]: pam_unix(sudo-i:session): session opened for user root(uid=0) by werner(uid=223)
sudo[1260]: The gnome keyring socket is not owned with the same credentials as the user login: /run/user/223/keyring/control
sudo[1260]: gkr-pam: couldn't unlock the login keyring.
sudo[1260]: pam_kwallet5(sudo-i:session): (null): pam_sm_open_session
sudo[1260]: pam_kwallet5(sudo-i:session): pam_kwallet5: open_session called without kwallet5_key
sudo[1260]: pam_xauth(sudo-i:session): requesting user 223/50, target user 0/0
sudo[1260]: pam_xauth(sudo-i:session): /suse/werner/.xauth/export does not exist, ignoring
sudo[1260]: pam_xauth(sudo-i:session): /root/.xauth/import does not exist, ignoring
sudo[1260]: pam_xauth(sudo-i:session): reading keys from `/suse/werner/.Xauthority'
sudo[1260]: pam_xauth(sudo-i:session): running "/usr/bin/xauth -f /suse/werner/.Xauthority nlist :3" as 223/0
sudo[1260]: pam_xauth(sudo-i:session): writing key `<key_deleted>
sudo[1260]: pam_xauth(sudo-i:session): running "/usr/bin/xauth -f /root/.xauthrhRUwr nmerge -" as 0/0
```
Can you check whether commenting out the following block in sudo.c instead also works?

```c
/* Become full root (not just setuid) so user cannot kill us. */
if (setuid(ROOT_UID) == -1)
    sudo_warn("setuid(%d)", ROOT_UID);
```

Modern OSes don't let the user kill setuid processes so this is probably no longer needed and should allow pam_xauth to function.
Indeed disabling the hard setuid(2) also avoids that both the real and effective uid become 0:

```
sudo[26343]: pam_unix(sudo-i:session): session opened for user root(uid=0) by werner(uid=223)
sudo[26343]: The gnome keyring socket is not owned with the same credentials as the user login: /run/user/223/keyring/control
sudo[26343]: gkr-pam: couldn't unlock the login keyring.
sudo[26343]: pam_kwallet5(sudo-i:session): (null): pam_sm_open_session
sudo[26343]: pam_kwallet5(sudo-i:session): pam_kwallet5: open_session called without kwallet5_key
sudo[26343]: pam_xauth(sudo-i:session): requesting user 223/50, target user 0/0
sudo[26343]: pam_xauth(sudo-i:session): /suse/werner/.xauth/export does not exist, ignoring
sudo[26343]: pam_xauth(sudo-i:session): /root/.xauth/import does not exist, ignoring
sudo[26343]: pam_xauth(sudo-i:session): reading keys from `/suse/werner/.Xauthority'
sudo[26343]: pam_xauth(sudo-i:session): running "/usr/bin/xauth -f /suse/werner/.Xauthority nlist :3" as 223/0
sudo[26343]: pam_xauth(sudo-i:session): writing key `<deleted_key>
sudo[26343]: pam_xauth(sudo-i:session): running "/usr/bin/xauth -f /root/.xauthkGJt96 nmerge -" as 0/0
```

```
abuild@noether:~/rpmbuild/BUILD/sudo-1.9.2> grep HAVE_SETRESUID config.h
#define HAVE_SETRESUID 1
```

Thanks a lot!

Fixed in sudo 1.9.4
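The credential change the thread turns on, shown as an added example that is not code from sudo or Linux-PAM: when a setuid-root process (real uid = invoking user, effective and saved uid 0) calls `setuid(0)`, Linux sets all three uids to 0, so a session module that identifies the invoking user with `getuid()` (pam_unix's `by <user>(uid=N)` log field is taken from `getuid()`) sees root instead of the invoker. `setresuid(2)`, which the `HAVE_SETRESUID` grep above checks for, can raise the effective uid while leaving the real uid alone. The program models both calls so its rules can be checked without privilege, and performs the real transitions when run with effective uid 0. Assumptions: "privileged" is approximated as effective uid 0 (true for a setuid-root binary; the kernel actually checks CAP_SETUID), and the invoking uid 223 is copied from the report's log lines when `SUDO_UID` is not in the environment.

```c
/*
 * Added example (not sudo's or Linux-PAM's code): why setuid(0) in a
 * setuid-root sudo hides the invoking user from getuid()-based PAM
 * session modules, and how setresuid(2) keeps the real uid.
 * Assumption: privilege is approximated as euid == 0.
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

struct creds { uid_t ruid, euid, suid; };

#define NOUID ((uid_t)-1)

/* Read the real, effective and saved uid of the calling process. */
static struct creds read_creds(void)
{
    struct creds c = { NOUID, NOUID, NOUID };
    if (getresuid(&c.ruid, &c.euid, &c.suid) == -1)
        perror("getresuid");
    return c;
}

/* What a module that calls getuid() records as the invoking uid. */
static uid_t invoker_seen_by_module(struct creds c) { return c.ruid; }

static int creds_equal(struct creds c, uid_t r, uid_t e, uid_t s)
{
    return c.ruid == r && c.euid == e && c.suid == s;
}

/*
 * Model of setuid(2) on Linux.  Privileged caller: all three uids change.
 * Unprivileged caller: only the effective uid changes, and only to the
 * current real or saved uid; anything else is EPERM (all fields NOUID).
 */
static struct creds after_setuid(uid_t r, uid_t e, uid_t s, uid_t uid)
{
    struct creds c = { r, e, s }, fail = { NOUID, NOUID, NOUID };
    if (c.euid == 0) {
        c.ruid = c.euid = c.suid = uid;
        return c;
    }
    if (uid != c.ruid && uid != c.suid)
        return fail;
    c.euid = uid;
    return c;
}

/* Unprivileged setresuid may only pick values already held by the process. */
static int allowed_unpriv(struct creds c, uid_t v)
{
    return v == NOUID || v == c.ruid || v == c.euid || v == c.suid;
}

/* Model of setresuid(2): NOUID leaves a field unchanged. */
static struct creds after_setresuid(uid_t r, uid_t e, uid_t s,
                                    uid_t nr, uid_t ne, uid_t ns)
{
    struct creds c = { r, e, s }, fail = { NOUID, NOUID, NOUID };
    if (c.euid != 0 &&
        !(allowed_unpriv(c, nr) && allowed_unpriv(c, ne) && allowed_unpriv(c, ns)))
        return fail;
    if (nr != NOUID) c.ruid = nr;
    if (ne != NOUID) c.euid = ne;
    if (ns != NOUID) c.suid = ns;
    return c;
}

static void show(const char *label, struct creds c)
{
    printf("%-32s ruid=%u euid=%u suid=%u  (getuid()-based module sees invoker uid %u)\n",
           label, (unsigned)c.ruid, (unsigned)c.euid, (unsigned)c.suid,
           (unsigned)invoker_seen_by_module(c));
}

int main(void)
{
    const char *env = getenv("SUDO_UID");
    uid_t invoker = env ? (uid_t)strtoul(env, NULL, 10) : 223; /* 223: uid from the report (assumed) */
    struct creds c = read_creds();

    show("at start", c);
    if (c.euid != 0) {
        puts("euid is not 0; run under sudo (or as a setuid-root binary) to perform the real calls");
        return 0;
    }
    /* 1. Reproduce the state a setuid-root sudo starts in: ruid = invoker, euid = suid = 0. */
    if (setresuid(invoker, 0, 0) == -1) { perror("setresuid"); return 1; }
    show("setuid-root process", read_creds());
    /* 2. The sudo.c block quoted above: become "full root".  The real uid is lost. */
    if (setuid(0) == -1) { perror("setuid"); return 1; }
    show("after setuid(0)", read_creds());
    /* 3. Same effective privilege, invoking uid still visible through getuid(). */
    if (setresuid(invoker, 0, 0) == -1) { perror("setresuid"); return 1; }
    show("after setresuid(invoker, 0, 0)", read_creds());
    return 0;
}
```

Running it as an unprivileged user only prints the current credentials; under `sudo ./creds` it first rebuilds the setuid-root starting state from `SUDO_UID`, then shows the real uid collapsing to 0 after `setuid(0)` and coming back with `setresuid`. The model also reproduces the rule that lets a process which temporarily dropped its effective uid regain root as long as its saved uid is still 0.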