Bug#235804: Re[2]: Bug#235804: gksu: problem with pam_wheel.so trust

Gustavo Noronha Silva <kov@debian.org>, 235804@bugs.debian.org
Wed, 14 Apr 2004 23:22:47 -0300


On Wed, 2004-04-14 at 21:22 -0400, Edward J. Shornock wrote:

> Actually, with this line in /etc/pam.d/su:
>           auth       sufficient pam_wheel.so trust group=wheel debug
> There should not be a password prompt at all.  When someone in the
> group wheel types su, they immediately switch to user root, as the
> following shows:
>           [eshornoc@darkside:~]$ su -
>           darkside:~#

Right.

> GNS> * run gksu and cancel the dialog
>
> This has been done as well, and I'm sorry I had not done this last
> night. It appears that after running gksu as my username (with
> pam_wheel.so trust configured, and using the command-line of "gksu
> synaptic"), I see the following when running "tail -f
> /var/log/auth.log":
>
>    Apr 14 20:53:08 darkside PAM-Wheel[28984]: Access granted to 'eshornoc' for 'root'
>    Apr 14 20:53:08 darkside su[28984]: + pts/135 eshornoc:root
>
> After that entry is logged, the password prompt from gksu is
> displayed. The problem is, I've already been granted root's rights,
> and synaptic should be run. Output from ps shows:
>
> darkside:~# ps -fp 30393
> UID        PID  PPID  C STIME TTY          TIME CMD
> root     30393 30388  0 21:02 pts/137  00:00:00 /usr/lib/gksu/gksu-run-helper synaptic
> darkside:~# ps -fp 30388
> UID        PID  PPID  C STIME TTY          TIME CMD
> eshornoc 30388 28918  0 21:02 pts/132  00:00:00 gksu synaptic
>
> After hitting the cancel button, the gksu processes terminate.

What about the gksu-run-helper one? Maybe it is going to be terminated
too, because it is gksu's child... hmm... right, this is weird. Let's
see, try running:

$ gksu -g synaptic

And wait to see if synaptic appears. My guess is gksu is grabbing the X
server thus not letting synaptic start and, then, after a failure on
giving the password and/or canceling, gksu dies and gksu-run-helper goes
altogether.

> darkside:~# ps aux |grep -w gksu|grep -v grep
> eshornoc 30388  7.0  0.6 11176 5744 pts/132  S+   21:06   0:00 gksu synaptic
> root     30393  0.3  0.0  1904  440 pts/139  Ss+  21:06   0:00 /usr/lib/gksu/gksu-run-helper synaptic
> darkside:~# ps aux |grep -w su |grep -v grep
> root     18449  0.0  0.1  4832 1684 pts/123  S    10:32   0:00 -su
> root     29441  0.0  0.1  4568 1684 pts/122  S    20:57   0:00 -su

A 'pstree' would be in order to know where these 'su' are coming from.
Also, if the above does not work (the -g thing), it would be nice to
have the output of 'env' when you do a 'su' (not adding a '-') with
pam_wheel to see if it mangles the environment. Check you're not sending
sensitive information on variables, though =).

> So, the problem I reported really *IS* the same as the originally
> reported bug, and not a separate issue as it had originally appeared.

Right, it seems like you're right, now let's try to kill this bug! =)

> No problem, I'm glad to be able to help make a great distribution of
> Linux even better. =)

Yeah, me too! =D


--
Gustavo Noronha [http://people.debian.org/~kov/]
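
An added example, not part of the original message and not code from gksu or PAM: a small audit helper that flags PAM auth rules where pam_wheel.so runs with "trust" (the passwordless setup discussed in this thread) and extracts the matching PAM-Wheel grant lines from auth.log text. The function names are hypothetical, and the sample PAM file is constructed around the one line quoted in the report.

```python
import re

# Constructed sample of /etc/pam.d/su; line 3 is the rule quoted in the report.
SAMPLE_PAM = """\
# /etc/pam.d/su (constructed sample)
auth       sufficient pam_rootok.so
auth       sufficient pam_wheel.so trust group=wheel debug
# auth     required   pam_wheel.so
auth       required   pam_unix.so
"""
# auth.log lines as quoted in the report.
SAMPLE_LOG = """\
Apr 14 20:53:08 darkside PAM-Wheel[28984]: Access granted to 'eshornoc' for 'root'
Apr 14 20:53:08 darkside su[28984]: + pts/135 eshornoc:root
"""
# type, control (plain word or [bracketed] form), module path, module arguments
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
GRANT = re.compile(r"PAM-Wheel\[(\d+)\]: Access granted to '([^']+)' for '([^']+)'")

def trusted_wheel_rules(pam_text):
    """Return auth rules where pam_wheel 'trust' lets group members skip the password."""
    findings = []
    for lineno, raw in enumerate(pam_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = PAM_LINE.match(line)
        if not m:
            continue
        ptype, control, module, args = m.groups()
        opts = args.split()
        if ptype != "auth" or not module.endswith("pam_wheel.so") or "trust" not in opts:
            continue
        # Without group=, pam_wheel checks the wheel group (or GID 0) instead.
        group = next((o.split("=", 1)[1] for o in opts if o.startswith("group=")),
                     "wheel or gid 0")
        findings.append({"line": lineno, "control": control, "group": group})
    return findings

def wheel_grants(log_text):
    """Return (pid, user, target) for each PAM-Wheel grant found in auth.log text."""
    return [(int(p), u, t) for p, u, t in GRANT.findall(log_text)]

if __name__ == "__main__":
    for f in trusted_wheel_rules(SAMPLE_PAM):
        print(f"line {f['line']}: trust for group {f['group']} ({f['control']})")
    for pid, user, target in wheel_grants(SAMPLE_LOG):
        print(f"pid {pid}: pam_wheel granted {user} -> {target}")
```
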