Bug#235804: Re[3]: Bug#235804: gksu: problem with pam_wheel.so trust

Edward J. Shornock "Edward J. Shornock" <eshornoc@comcast.net>, 235804@bugs.debian.org
Thu, 15 Apr 2004 02:05:40 -0400


Wed, 14 Apr 2004 23:22:50 -0300, Gustavo Noronha Silva wrote:

GNS> On Wed, 2004-04-14 at 21:22 -0400, Edward J. Shornock wrote:

[...]
GNS> What about the gksu-run-helper one? Maybe it is going to be terminated
GNS> too, because it is gksu's child... hmm... right, this is weird. Let's
GNS> see, try running:

GNS> $ gksu -g synaptic



GNS> And wait to see if synaptic appears. My guess is gksu is grabbing the X
GNS> server thus not letting synaptic start and, then, after a failure on
GNS> giving the password and/or canceling, gksu dies and gksu-run-helper goes
GNS> altogether.

Results of "gksu -g synaptic" in /var/log/auth.log (before entering a password):

Apr 15 01:22:31 darkside PAM-Wheel[13652]: Access granted to 'eshornoc' for 'root'
Apr 15 01:22:31 darkside su[13652]: + pts/155 eshornoc:root
Apr 15 01:22:31 darkside su[13652]: (pam_unix) session opened for user root by (uid=1000)

Then I got the password prompt.  Before entering the password, pstree shows:
 |-kdeinit-+-3*[kdeinit]
     |         `-kdeinit---bash---gksu---gksu-run-helper

After entering the password, gksu hangs.  Nothing new is outputted to /var/log/auth.log.
pstree shows:

|-kdeinit-+-3*[kdeinit]
     |         `-kdeinit---bash---gksu---gksu-run-helper

darkside:~# ps aux |grep gksu |grep -v grep
eshornoc 13647  0.1  0.6 11176 5856 pts/152  S+   01:22   0:00 gksu -g synaptic
root     13652  0.0  0.0  1904  440 pts/155  Ss+  01:22   0:00 /usr/lib/gksu/gksu-run-helper synaptic



An strace of the gksu process shows (until I CTRL+C the trace):
select(5, [4], NULL, NULL, {0, 100})    = 0 (Timeout)
waitpid(13652, 0xbffff6ac, WNOHANG)     = 0
select(5, [4], NULL, NULL, {0, 100})    = 0 (Timeout)
waitpid(13652, 0xbffff6ac, WNOHANG)     = 0
select(5, [4], NULL, NULL, {0, 100})    = 0 (Timeout)
waitpid(13652, 0xbffff6ac, WNOHANG)     = 0
select(5, [4], NULL, NULL, {0, 100})    = 0 (Timeout)
waitpid(13652, 0xbffff6ac, WNOHANG)     = 0
select(5, [4], NULL, NULL, {0, 100})    = 0 (Timeout)
waitpid(13652, 0xbffff6ac, WNOHANG)     = 0
select(5, [4], NULL, NULL, {0, 100})    = 0 (Timeout)
waitpid(13652,  <unfinished ...>
Process 13647 detached


An strace of the gksu-run-helper process shows:
darkside:~# strace -p 13652
Process 13652 attached - interrupt to quit
read(0,

GNS> Also, if the above does not work (the -g thing), it would be nice to
GNS> have the output of 'env' when you do a 'su' (not adding a '-') with
GNS> pam_wheel to see if it mangles the environment. Check you're not sending
GNS> sensitive information on variables, though =).

OK, here we go! Unfortunately, the variables are not mangled. :( The
variables are no different with pam_wheel.so trust enabled, or without
it.

[eshornoc@darkside:~]$ env > env.notrust
[eshornoc@darkside:~]$ su
Password:
darkside:/home/eshornoc# env > env.notrust.root
darkside:/home/eshornoc# exit
[eshornoc@darkside:~]$ env > env.trust
[eshornoc@darkside:~]$ su
darkside:/home/eshornoc# env > env.trust.root
darkside:/home/eshornoc# diff env.notrust env.trust
darkside:/home/eshornoc# diff env.notrust.root env.trust.root

(I could have spammed you with all the variable output, but I thought
this might be sufficient.  If you'd like me to send the variables, I
will).

>> So, the problem I reported really *IS* the same as the originally
>> reported bug, and not a separate issue as it had originally appeared.

GNS> Right, it seems like you're right, now let's try to kill this bug! =)

I'm all for that.  Do you have any other suggestions/ideas for me to
try?