Bugzilla – Bug 944
pam_xauth as well as pam_unix do not work with sudoers pam support
Last modified: 2020-11-30 13:24:12 MST
See from log:

sudo[29649]: PAM unable to resolve symbol: pam_sm_setcred
sudo[29649]: werner : TTY=pts/2 ; PWD=/suse/werner ; USER=root ; COMMAND=/bin/bash
sudo[29649]: pam_kwallet5(sudo-i:setcred): (null): pam_sm_setcred
sudo[29649]: pam_systemd(sudo-i:session): pam-systemd initializing
sudo[29649]: pam_systemd(sudo-i:session): Asking logind to create session: uid=0 pid=29649 service=sudo-i type=tty class=user desktop= seat= vtnr=0 tty=pts/2 display= re>
sudo[29649]: pam_systemd(sudo-i:session): Session limits: memory_max=n/a tasks_max=n/a cpu_weight=n/a io_weight=n/a runtime_max_sec=n/a
sudo[29649]: pam_systemd(sudo-i:session): Not creating session: Already running in a session or user slice
sudo[29649]: pam_unix(sudo-i:session): session opened for user root(uid=0) by werner(uid=0)
sudo[29649]: The gnome keyring socket is not owned with the same credentials as the user login: /run/user/223/keyring/control
sudo[29649]: gkr-pam: couldn't unlock the login keyring.
sudo[29649]: pam_kwallet5(sudo-i:session): (null): pam_sm_open_session
sudo[29649]: pam_kwallet5(sudo-i:session): pam_kwallet5: open_session called without kwallet5_key
sudo[29649]: pam_xauth(sudo-i:session): requesting user 0/0, target user 0/0
sudo[29649]: pam_xauth(sudo-i:session): current and target user are the same, forward X11
sudo[29649]: pam_xauth(sudo-i:session): reading keys from `/root/.Xauthority'
sudo[29649]: pam_xauth(sudo-i:session): running "/usr/bin/xauth -f /root/.Xauthority nlist :3" as 0/0
noether sudo[29649]: pam_xauth(sudo-i:session): no key

... that means that the requesting user as well as the target user is root ... now compare this with su(8):

su[29813]: The gnome keyring socket is not owned with the same credentials as the user login: /run/user/223/keyring/control
su[29813]: gkr-pam: couldn't unlock the login keyring.
su[29813]: pam_kwallet5(su:auth): (null): pam_sm_authenticate
su[29813]: (to root) werner on pts/2
su[29813]: pam_kwallet5(su:setcred): pam_kwallet5: pam_sm_setcred
su[29813]: pam_systemd(su:session): pam-systemd initializing
su[29813]: pam_systemd(su:session): Asking logind to create session: uid=0 pid=29813 service=su type=tty class=user desktop= seat= vtnr=0 tty=pts/2 display= remote=no remote_user=werner remote_host=
su[29813]: pam_systemd(su:session): Session limits: memory_max=n/a tasks_max=n/a cpu_weight=n/a io_weight=n/a runtime_max_sec=n/a
su[29813]: pam_systemd(su:session): Not creating session: Already running in a session or user slice
su[29813]: pam_unix(su:session): session opened for user root(uid=0) by werner(uid=223)
su[29813]: The gnome keyring socket is not owned with the same credentials as the user login: /run/user/223/keyring/control
su[29813]: gkr-pam: couldn't unlock the login keyring.
su[29813]: pam_kwallet5(su:session): pam_kwallet5: pam_sm_open_session
su[29817]: pam_kwallet5: final socket path: /run/user/223/kwallet5.socket
su[29817]: pam_kwallet5-kwalletd: Couldn't listen in socket
su[29813]: pam_kwallet5(su:session): pam_kwallet5: Couldn't fork to execv kwalletd
su[29813]: pam_xauth(su:session): requesting user 223/50, target user 0/0
su[29813]: pam_xauth(su:session): /suse/werner/.xauth/export does not exist, ignoring
su[29813]: pam_xauth(su:session): /root/.xauth/import does not exist, ignoring
su[29813]: pam_xauth(su:session): reading keys from `/suse/werner/.Xauthority'
su[29813]: pam_xauth(su:session): running "/usr/bin/xauth -f /suse/werner/.Xauthority nlist :3" as 223/50
su[29813]: pam_xauth(su:session): writing key `<deleted_key>' to temporary file `/root/.xauthmUclTx'
su[29813]: pam_xauth(su:session): running "/usr/bin/xauth -f /root/.xauthmUclTx nmerge -" as 0/0

Here it simply works (the Xsession cookie I've replaced with <deleted_key>).
Created attachment 546
dirty-hack.patch

This little dirty hack shows that it could work correctly:

sudo[1260]: PAM unable to resolve symbol: pam_sm_setcred
sudo[1260]: werner : TTY=pts/2 ; PWD=/usr/src/werner/sudo ; USER=root ; COMMAND=/bin/bash
sudo[1260]: pam_kwallet5(sudo-i:setcred): (null): pam_sm_setcred
sudo[1260]: pam_systemd(sudo-i:session): pam-systemd initializing
sudo[1260]: pam_systemd(sudo-i:session): Asking logind to create session: uid=0 pid=1260 service=sudo-i type=tty class=user desktop= seat= vtnr=0 tty=pts/2 display= remote=no remote_user=werner remote_host=
sudo[1260]: pam_systemd(sudo-i:session): Session limits: memory_max=n/a tasks_max=n/a cpu_weight=n/a io_weight=n/a runtime_max_sec=n/a
sudo[1260]: pam_systemd(sudo-i:session): Not creating session: Already running in a session or user slice
sudo[1260]: pam_unix(sudo-i:session): session opened for user root(uid=0) by werner(uid=223)
sudo[1260]: The gnome keyring socket is not owned with the same credentials as the user login: /run/user/223/keyring/control
sudo[1260]: gkr-pam: couldn't unlock the login keyring.
sudo[1260]: pam_kwallet5(sudo-i:session): (null): pam_sm_open_session
sudo[1260]: pam_kwallet5(sudo-i:session): pam_kwallet5: open_session called without kwallet5_key
sudo[1260]: pam_xauth(sudo-i:session): requesting user 223/50, target user 0/0
sudo[1260]: pam_xauth(sudo-i:session): /suse/werner/.xauth/export does not exist, ignoring
sudo[1260]: pam_xauth(sudo-i:session): /root/.xauth/import does not exist, ignoring
sudo[1260]: pam_xauth(sudo-i:session): reading keys from `/suse/werner/.Xauthority'
sudo[1260]: pam_xauth(sudo-i:session): running "/usr/bin/xauth -f /suse/werner/.Xauthority nlist :3" as 223/0
sudo[1260]: pam_xauth(sudo-i:session): writing key `<key_deleted>
sudo[1260]: pam_xauth(sudo-i:session): running "/usr/bin/xauth -f /root/.xauthrhRUwr nmerge -" as 0/0
Can you check whether commenting out the following block in sudo.c instead also works?

    /* Become full root (not just setuid) so user cannot kill us. */
    if (setuid(ROOT_UID) == -1)
        sudo_warn("setuid(%d)", ROOT_UID);

Modern OSes don't let the user kill setuid processes so this is probably no longer needed and should allow pam_xauth to function.
Indeed, disabling the hard setuid(2) also avoids both the real and the effective uid becoming 0:

sudo[26343]: pam_unix(sudo-i:session): session opened for user root(uid=0) by werner(uid=223)
sudo[26343]: The gnome keyring socket is not owned with the same credentials as the user login: /run/user/223/keyring/control
sudo[26343]: gkr-pam: couldn't unlock the login keyring.
sudo[26343]: pam_kwallet5(sudo-i:session): (null): pam_sm_open_session
sudo[26343]: pam_kwallet5(sudo-i:session): pam_kwallet5: open_session called without kwallet5_key
sudo[26343]: pam_xauth(sudo-i:session): requesting user 223/50, target user 0/0
sudo[26343]: pam_xauth(sudo-i:session): /suse/werner/.xauth/export does not exist, ignoring
sudo[26343]: pam_xauth(sudo-i:session): /root/.xauth/import does not exist, ignoring
sudo[26343]: pam_xauth(sudo-i:session): reading keys from `/suse/werner/.Xauthority'
sudo[26343]: pam_xauth(sudo-i:session): running "/usr/bin/xauth -f /suse/werner/.Xauthority nlist :3" as 223/0
sudo[26343]: pam_xauth(sudo-i:session): writing key `<deleted_key>
sudo[26343]: pam_xauth(sudo-i:session): running "/usr/bin/xauth -f /root/.xauthkGJt96 nmerge -" as 0/0

abuild@noether:~/rpmbuild/BUILD/sudo-1.9.2> grep HAVE_SETRESUID config.h
#define HAVE_SETRESUID 1
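Added example, not part of the bug report and not code from sudo or pam_xauth: a small C program that reproduces the credential point made in the two comments above. pam_xauth takes the "requesting user" from the real uid of the process running the PAM session, so after sudo's hard setuid(0) (which, with effective uid 0, sets real, effective and saved uid to 0) the module saw requesting user 0 and target user 0 and forwarded root's own .Xauthority instead of importing werner's cookie. The program forks a child that starts out like a setuid-root sudo (real uid = invoker, effective uid 0), applies either the hard setuid(0) or nothing, and shows what pam_xauth would observe. Uid 223 is a constructed stand-in for the invoking user; the fork-based demo in main() only runs with effective uid 0 (e.g. via sudo), and it uses the POSIX setreuid()/seteuid() calls rather than the setresuid() that sudo itself uses where HAVE_SETRESUID is defined.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Real and effective uid of the caller, using POSIX calls only. */
struct creds { uid_t ruid, euid; };

static struct creds get_creds(void) {
    struct creds c = { getuid(), geteuid() };
    return c;
}

/* pam_xauth identifies the requesting user by the real uid of the process
   that runs the session stack: "requesting user 0/0" with the hard setuid,
   "requesting user 223/50" without it. */
static uid_t xauth_requesting_uid(void) { return getuid(); }

enum xauth_action { XAUTH_FORWARD_OWN, XAUTH_IMPORT_FROM_REQUESTER };

/* Same requester and target: nothing to import, the target's own cookie is
   forwarded. Different users: read the requester's .Xauthority and merge the
   key into a fresh file owned by the target. */
static enum xauth_action xauth_decide(uid_t requesting, uid_t target) {
    return requesting == target ? XAUTH_FORWARD_OWN : XAUTH_IMPORT_FROM_REQUESTER;
}

/* sudo 1.9.2 behaviour: "become full root". With euid 0 this sets all uids. */
static int step_hard_setuid(void) { return setuid(0); }

/* Without that step the effective uid stays 0 for the PAM session while the
   real uid remains the invoker's. seteuid(0) is a no-op here and only marks
   the intent (sudo's fix uses setresuid() where available). */
static int step_keep_real_uid(void) { return seteuid(0); }

/* Fork a child that first looks like a setuid-root sudo process (real uid =
   invoker, effective uid 0), runs 'step', and reports the credentials
   pam_xauth would then see. Needs euid 0; returns 0 on success, -1 otherwise. */
static int observe_after_step(uid_t invoker, int (*step)(void), struct creds *out) {
    int fd[2];
    if (geteuid() != 0 || pipe(fd) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(fd[0]);
        if (setreuid(invoker, 0) != 0 || step() != 0)
            _exit(2);
        struct creds c = get_creds();
        if (write(fd[1], &c, sizeof c) != (ssize_t)sizeof c)
            _exit(3);
        _exit(0);
    }
    close(fd[1]);
    ssize_t n = read(fd[0], out, sizeof *out);
    close(fd[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (n == (ssize_t)sizeof *out && WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

static void report(const char *label, const struct creds *c, uid_t target) {
    printf("%-21s ruid=%u euid=%u -> pam_xauth: requesting user %u, target user %u: %s\n",
           label, (unsigned)c->ruid, (unsigned)c->euid, (unsigned)c->ruid, (unsigned)target,
           xauth_decide(c->ruid, target) == XAUTH_FORWARD_OWN
               ? "same user, forward X11 (the bug)"
               : "import key from requester's .Xauthority");
}

int main(void) {
    const uid_t invoker = 223;   /* constructed: stands in for werner's uid */
    const uid_t target = 0;      /* sudo -i targets root */
    struct creds c;
    if (geteuid() != 0) {
        printf("run with effective uid 0 (e.g. via sudo) to watch both credential modes\n");
        return 0;
    }
    if (observe_after_step(invoker, step_hard_setuid, &c) == 0)
        report("after setuid(0):", &c, target);
    if (observe_after_step(invoker, step_keep_real_uid, &c) == 0)
        report("without hard setuid:", &c, target);
    return 0;
}
```

Run as root, the first line shows ruid=0 euid=0 and the "same user, forward X11" decision from the original log; the second shows ruid=223 euid=0 and the import path that su(8) and the patched sudo take. The saved set-uid is not shown because getresuid() is not POSIX; it does not change pam_xauth's decision, which depends on the real uid only.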
Fixed by https://www.sudo.ws/repos/sudo/rev/2c6fef0107c8
Thanks a lot!
Fixed in sudo 1.9.4