costel78 Guru
Joined: 20 Apr 2007 Posts: 407
Posted: Tue May 02, 2017 8:19 pm Post subject: [SOLVED] gentoo-sources 4.11.0 su does not work anymore
Today I updated my system to sys-kernel/gentoo-sources-4.11.0 and su stopped working on xorg.
Of course I am in the wheel group and the password is correct. In fact, in console, su - root works flawlessly.
I reemerged shadow, pam.
Code:
```
ls -als /bin/su
36 -rws--x--x 1 root root 36152 mai 2 23:12 /bin/su
```
Code:
```
cat /etc/pam.d/su
auth sufficient pam_rootok.so
auth required pam_wheel.so use_uid
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
session required pam_env.so
session optional pam_xauth.so
```
I took a look at demerge and there were rubygems php iproute2 and gentoo-sources for today.
I downgraded gentoo-sources and the problem disappeared.
I need to start investigating the problem. The problem is reproducible on one server with a very different kernel config.
Oh, in journalctl the error is "check pass; user unknown"
_________________
Sorry for my English. I'm still learning this language.
Last edited by costel78 on Thu Jun 15, 2017 1:59 pm; edited 1 time in total

Zucca Moderator
Joined: 14 Jun 2007 Posts: 3944 Location: Rasi, Finland
Posted: Tue May 02, 2017 10:30 pm
Hm...
Interesting.
I'll then hold my upgrades.
Have you tried...?

costel78 Guru
Joined: 20 Apr 2007 Posts: 407
Posted: Wed May 03, 2017 4:25 am
Yes. And just su, too.
I do not understand. Why just in enlightenment or plain x11 session, why is it working on console?
_________________
Sorry for my English. I'm still learning this language.

mega_flow Tux's lil' helper
Joined: 26 Jun 2016 Posts: 97 Location: Belgium
Posted: Wed May 03, 2017 4:37 am
No su problem on my system, sounds like an xattr problem. I have seen this with kde-plasma.
Are you sure you have POSIX Access Control Lists enabled for your filesystem?
I also have user_xattr enabled in fstab.
If not using xattr, try to disable the use flag filecaps for the package sys-libs/pam

albright Advocate
Joined: 16 Nov 2003 Posts: 2588 Location: Near Toronto
Posted: Wed May 03, 2017 12:42 pm
just as another data point, I have no problem with su in xorg
(using kde plasma)
my problem is that vmware-modules won't build under 4.11.0
_________________
.... there is nothing - absolutely nothing - half so much worth
doing as simply messing about with Linux ...
(apologies to Kenneth Graeme)

costel78 Guru
Joined: 20 Apr 2007 Posts: 407
Posted: Wed May 03, 2017 8:07 pm
I also have xattr use flag enabled globally, and user_xattr in fstab on root partition.
Just tried today all four combinations, with/without user_xattr/filecaps use flag, but all tests with the same results:
Code:
```
mai 03 22:51:20 gentoo su[929]: - /dev/pts/0 costel:root
mai 03 22:51:20 gentoo su[929]: FAILED su for root by costel
mai 03 22:51:20 gentoo su[929]: pam_authenticate: Authentication failure
mai 03 22:51:19 gentoo su[929]: pam_unix(su:auth): authentication failure; logname= uid=1000 euid=1000 tty=/dev/pts/0 ruser=costel rhost= user=root
mai 03 22:51:19 gentoo unix_chkpwd[933]: password check failed for user (root)
mai 03 22:51:19 gentoo unix_chkpwd[933]: check pass; user unknown
mai 03 22:51:13 gentoo unix_chkpwd[930]: check pass; user unknown
```
Log from console (always successful, no matter what):
Code:
```
mai 03 22:57:24 gentoo su[1224]: pam_unix(su:session): session closed for user root
mai 03 22:57:22 gentoo su[1224]: pam_systemd(su:session): Cannot create session: Already running in a session
mai 03 22:57:22 gentoo su[1224]: pam_unix(su:session): session opened for user root by costel(uid=1000)
mai 03 22:57:22 gentoo su[1224]: + /dev/tty1 costel:root
mai 03 22:57:22 gentoo su[1224]: Successful su for root by costel
```
So, in console unix_chkpwd is not involved.
Code:
```
ls -als /sbin/unix_chkpwd
24 -rws--x--x 1 root root 22392 mai 3 22:50 /sbin/unix_chkpwd
```
Kernel config has systemd checked:
Code:
```
#
# Gentoo Linux
#
CONFIG_GENTOO_LINUX=y
CONFIG_GENTOO_LINUX_UDEV=y
CONFIG_GENTOO_LINUX_PORTAGE=y
#
# Support for init systems, system and service managers
#
# CONFIG_GENTOO_LINUX_INIT_SCRIPT is not set
CONFIG_GENTOO_LINUX_INIT_SYSTEMD=y
```
I have no idea what in kernel internals could make this.
I really appreciate all your support. Thank you!
_________________
Sorry for my English. I'm still learning this language.

Hu Administrator
Joined: 06 Mar 2007 Posts: 23109
Posted: Thu May 04, 2017 1:14 am
Is the setuid bit on /bin/su respected when you run su under your Xorg session? Check by running su, then switching to a different xterm and examining the process list before you type in any password in su.

costel78 Guru
Joined: 20 Apr 2007 Posts: 407
Posted: Thu May 04, 2017 5:45 am
Yes, it seems that it is respected.
Code:
```
ps aux | grep su
root 298 0.0 0.0 13224 1976 ? Ss 07:59 0:00 /usr/sbin/mount.ntfs-3g /dev/sdb2 /mnt/date -o rw,noexec,nosuid,nodev,users
root 11974 0.0 0.0 25672 2856 pts/2 SN+ 08:36 0:00 su - root
costel 11979 0.0 0.0 10704 968 pts/1 SN+ 08:36 0:00 grep --colour=auto su
```
_________________
Sorry for my English. I'm still learning this language.
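
Added example, not part of any post in this thread: the check Hu describes can be read directly from `/proc/<pid>/status`, and the `euid=` field that pam_unix writes to the journal gives the same answer after the fact. The function names and the sample data in `demo` are constructed for illustration; the `NoNewPrivs` field assumes kernel 4.10 or later.

```shell
#!/bin/sh
# Added example. Two ways to see whether a setuid-root program (here su)
# really runs with euid 0. Function names and demo data are constructed.

# classify_status FILE: FILE is in /proc/<pid>/status format.
classify_status() {
    awk '
        BEGIN { tracer = "?"; nnp = "?" }    # NoNewPrivs: kernel >= 4.10
        $1 == "Uid:"        { ruid = $2; euid = $3 }  # real, effective
        $1 == "TracerPid:"  { tracer = $2 }
        $1 == "NoNewPrivs:" { nnp = $2 }
        END {
            if (ruid == "")                  verdict = "unreadable"
            else if (euid == 0 && ruid != 0) verdict = "setuid-honoured"
            else if (euid == 0)              verdict = "started-as-root"
            else                             verdict = "setuid-ignored"
            printf "%s ruid=%s euid=%s tracer=%s no_new_privs=%s\n",
                   verdict, ruid, euid, tracer, nnp
        }' "$1"
}

# check_running NAME: classify each live process named exactly NAME.
# Run it from a second terminal while su waits at its password prompt.
check_running() {
    for pid in $(pgrep -x "$1"); do
        [ -r "/proc/$pid/status" ] || continue   # exited meanwhile
        printf '%s: ' "$pid"
        classify_status "/proc/$pid/status"
    done
}

# pam_failures_without_root FILE: print "service euid" for every pam_unix
# authentication failure logged by a process whose euid was not 0.
pam_failures_without_root() {
    sed -n 's/.*pam_unix(\([^:]*\):auth): authentication failure;.* euid=\([0-9][0-9]*\) .*/\1 \2/p' "$1" |
        awk '$2 != 0'
}

# demo: run both checks on constructed samples (not taken from a real host).
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'Name:\tsu\nTracerPid:\t0\nUid:\t1000\t0\t0\t0\nNoNewPrivs:\t0\n' > "$tmp/ok"
    printf 'Name:\tsu\nTracerPid:\t0\nUid:\t1000\t1000\t1000\t1000\nNoNewPrivs:\t0\n' > "$tmp/bad"
    printf '%s\n' \
      'host su[1]: pam_unix(su:auth): authentication failure; logname= uid=1000 euid=1000 tty=/dev/pts/0 ruser=u rhost= user=root' \
      'host su[2]: pam_unix(su:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/tty1 ruser=u rhost= user=root' > "$tmp/log"
    classify_status "$tmp/ok"; classify_status "$tmp/bad"
    pam_failures_without_root "$tmp/log"
    rm -rf "$tmp"
}

if [ "$#" -gt 0 ]; then check_running "$1"; else demo; fi
```

A `setuid-ignored` verdict together with a non-zero `tracer`, `no_new_privs=1`, or a `nosuid` mount option on the binary's filesystem points at the general conditions under which the kernel does not apply the setuid bit at exec time.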

costel78 Guru
Joined: 20 Apr 2007 Posts: 407
Posted: Thu May 04, 2017 8:39 am
No error with kernel 4.10.14. Also just completed an emerge -e world. For now, 4.11.0 stays masked on my system.
_________________
Sorry for my English. I'm still learning this language.

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54856 Location: 56N 3W
Posted: Thu May 04, 2017 10:13 am
I know this isn't terribly useful
Code:
```
roy@Pi3 64bit ~ $ sudo su -
Password:
Pi3 64bit ~ # uname -a
Linux Pi3 64bit 4.11.0 #2 SMP PREEMPT Tue May 2 22:06:22 BST 2017 aarch64 GNU/Linux
Pi3 64bit ~ #
```
but it works for me.
That's over ssh
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

costel78 Guru
Joined: 20 Apr 2007 Posts: 407
Posted: Thu May 04, 2017 11:51 am
Thank you, the intention matters.
That's the weird thing, no problem whatsoever in console, including ssh. Just in an X session and just with 4.11.0 kernel with exactly the same config as 4.10.13/14.
For now I masked it and am waiting for 4.11.1. I'll try with vanilla-sources, too.
_________________
Sorry for my English. I'm still learning this language.

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54856 Location: 56N 3W
Posted: Thu May 04, 2017 12:09 pm
costel78,
That's my only 4.11.0 install just now and its console doesn't work (it's a Pi3 arm64 feature) so I can't easily test with Xfce4 or Mate right now.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

Jaglover Watchman
Joined: 29 May 2005 Posts: 8291 Location: Saint Amant, Acadiana

Zucca Moderator
Joined: 14 Jun 2007 Posts: 3944 Location: Rasi, Finland
Posted: Thu May 04, 2017 2:39 pm
*sigh*
I was just about to upgrade systemd on one of my PCs. I think I'll pass it too. Although I could just snapshot / before trying out... /boot on the other hand isn't on btrfs. I still take snapshots of it by rsyncing the contents to /var/backups.
Lately if I've had problems with PCs I use, the cause has been systemd or udev ignoring my rules. I'm getting tired of "learning" systemd.
So. I keep my system at 4.10 and don't upgrade systemd. Only after this has been resolved I'll continue.

saellaven l33t
Joined: 23 Jul 2006 Posts: 655
Posted: Thu May 04, 2017 4:47 pm
no problems here using openrc, but I'm also using vanilla-sources since I don't trust the gentoo-sources package.
Last edited by saellaven on Thu May 04, 2017 11:12 pm; edited 1 time in total

swanson Tux's lil' helper
Joined: 04 Jun 2004 Posts: 149 Location: Edinburgh, Scotland
Posted: Thu May 04, 2017 5:06 pm
I'm having the same problem since upgrading to usual self-configured/compiled Linux 4.11 on an openrc only (no systemd) computer. Booting back to Linux 4.9 resolves the issue. Confused as to why this would cause PAM authentication to fail under X11 but not under console. Nothing on the kernel mailing lists so it might be specific to the Gentoo PAM setup but I can't see anything wrong with the PAM configuration for su and system-auth.
Also, Linux 4.11 stops Enlightenment from providing shutdown or reboot option which will probably be the same issue. Still investigating...
_________________
Alan.

eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9895 Location: almost Mile High in the USA
Posted: Thu May 04, 2017 6:02 pm
Inside xfce4-terminal
Code:
```
fujiko:/$ systemctl --version
systemd 233
+PAM -AUDIT -SELINUX +IMA -APPARMOR +SMACK -SYSVINIT +UTMP -LIBCRYPTSETUP +GCRYPT -GNUTLS +ACL -XZ +LZ4 +SECCOMP +BLKID -ELFUTILS +KMOD -IDN default-hierarchy=hybrid
fujiko:/$ uname -r
4.11.0-gentoo
fujiko:/$ su
Password:
fujiko / # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),26(tape),27(video)
fujiko / # exit
exit
fujiko:/$
```
Works for me? I used a 4.9.16 .config and just copied it over.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

Hu Administrator
Joined: 06 Mar 2007 Posts: 23109
Posted: Fri May 05, 2017 1:49 am
Since we have conflicting data points (both openrc users and systemd users reporting failure, and both groups reporting success), it may be helpful to gather more details about the involved packages. eccerr0r showed us his systemd version. Would those posting mind showing also emerge --pretend --verbose sys-apps/shadow $(eix --installed --only-names pam) (and for other systemd users, your systemd version)? Reports seem to agree that this is a regression in 4.11, but perhaps knowing the versions of the user packages involved will help understand why this regression is not affecting everyone.

eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9895 Location: almost Mile High in the USA
Posted: Fri May 05, 2017 3:01 am
Code:
```
$ emerge --pretend --verbose sys-apps/shadow $(eix --installed --only-names pam)
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] sys-libs/pam-1.2.1::gentoo USE="berkdb cracklib nls pie -audit -debug -nis (-selinux) {-test} -vim-syntax" ABI_X86="32 (64) (-x32)" 0 KiB
[ebuild R ] sys-auth/pambase-20150213::gentoo USE="cracklib gnome-keyring nullok sha512 systemd (-consolekit) -debug -minimal -mktemp -pam_krb5 -pam_ssh -passwdqc -securetty (-selinux)" 0 KiB
[ebuild R ] virtual/pam-0-r1::gentoo ABI_X86="32 (64) (-x32)" 0 KiB
[ebuild R ] sys-apps/shadow-4.4-r2::gentoo USE="acl cracklib nls pam xattr -audit (-selinux) -skey" LINGUAS="-cs -da -de -es -fi -fr -hu -id -it -ja -ko -pl -pt_BR -ru -sv -tr -zh_CN -zh_TW" 0 KiB
Total: 4 packages (4 reinstalls), Size of downloads: 0 KiB
* IMPORTANT: 50 news items need reading for repository 'gentoo'.
* Use eselect news read to view new items.
```
Also we may have to possibly count x11 keymap input layer changes, unless you know exactly what you typed for a password. Throwing that out there just in case though it may be in the weeds...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

mega_flow Tux's lil' helper
Joined: 26 Jun 2016 Posts: 97 Location: Belgium
Posted: Fri May 05, 2017 4:32 am
I do have only libinput as INPUT_DEVICES
no error with passwords in sys-kernel/gentoo-sources-4.11.0
Can you use sudo?

costel78 Guru
Joined: 20 Apr 2007 Posts: 407
Posted: Fri May 05, 2017 5:55 am
Code:
```
emerge --pretend --verbose sys-apps/shadow $(eix --installed --only-names pam)
These are the packages that would be merged, in order:
Calculating dependencies ... done!
[ebuild R ] virtual/pam-0-r1::gentoo ABI_X86="32 (64) (-x32)" 0 KiB
[ebuild R ] sys-libs/pam-1.3.0::gentoo USE="cracklib filecaps nls pie -audit -berkdb -debug -nis (-selinux) {-test} -vim-syntax" ABI_X86="32 (64) (-x32)" 1.754 KiB
[ebuild R ] sys-auth/pambase-20150213::gentoo USE="cracklib nullok sha512 systemd (-consolekit) -debug -gnome-keyring -minimal -mktemp -pam_krb5 -pam_ssh -passwdqc -securetty (-selinux)" 4 KiB
[ebuild R ] sys-apps/shadow-4.4-r2::gentoo USE="acl cracklib nls pam xattr -audit (-selinux) -skey" LINGUAS="-cs -da -de -es -fi -fr -hu -id -it -ja -ko -pl -pt_BR -ru -sv -tr -zh_CN -zh_TW" 3.620 KiB
Total: 4 packages (4 reinstalls), Size of downloads: 5.377 KiB
```
I am relieved that someone can confirm this strange bug. And it seems to be something in enlightenment.
Code:
```
emerge -pvO efl enlightenment
These are the packages that would be merged, in order:
[ebuild R ] dev-libs/efl-1.18.4::gentoo USE="X bmp drm eet egl fontconfig gif gles gstreamer harfbuzz ico libressl nls physics png postscript ppm psd pulseaudio sound ssl systemd tiff wayland -debug -doc -fbcon -fribidi -glib -gnutls -ibus -jpeg2k (-neon) -oldlua -opengl (-pixman) -raw -scim -sdl -tga -tslib -unwind -v4l -valgrind -webp -xim -xine -xpm" 63.096 KiB
[ebuild NS ] x11-wm/enlightenment-1.0.17:0::gentoo [0.21.7:0.17/0.21.7::gentoo] USE="dbus nls pango pulseaudio -doc -xcomposite -xinerama -xrandr" 2.361 KiB
```
Vanilla-sources-4.11.0 shows the same symptoms. I'll try with efl-1.19, maybe, maybe...
Thank you all very much!
Oh, I forgot about systemd version: sys-apps/systemd-233-r1:0/2::gentoo
_________________
Sorry for my English. I'm still learning this language.

costel78 Guru
Joined: 20 Apr 2007 Posts: 407
Posted: Fri May 05, 2017 7:30 am
No change with efl-1.19, but I installed xfce4-meta and when using it the problem disappears.
So it's something in efl/enlightenment which kernel 4.11 triggers.
It still remains an unknown to me why xfvm/xterm (X11 plain session) is affected.
_________________
Sorry for my English. I'm still learning this language.

swanson Tux's lil' helper
Joined: 04 Jun 2004 Posts: 149 Location: Edinburgh, Scotland
Posted: Fri May 05, 2017 1:46 pm
So, it's only the Enlightenment window manager being affected. On the Enlightenment dev list the developers don't know either and to quote the main developer's response to someone else's report of the issue from yesterday;
Quote:
> but it's a kernel change that creates the issue. what - i don't know. ask your friendly neighbourhood kernel developer. the setuid root binaries are specifically erroring out unable to assume root privs where they could before.
_________________
Alan.

costel78 Guru
Joined: 20 Apr 2007 Posts: 407
Posted: Fri May 05, 2017 2:34 pm
Just tried with genkernel-next, brand new default kernel config, but it still refuses to work.
4.11 stays masked from now on. Waiting for 4.11.x.
_________________
Sorry for my English. I'm still learning this language.

eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9895 Location: almost Mile High in the USA
Posted: Fri May 05, 2017 3:12 pm
Tried it under Gnome 3 (gnome-terminal 3.22.2) and it works as well.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?