Gentoo Forums
[SOLVED] gentoo-sources 4.11.0 su does not work anymore
costel78
Guru


Joined: 20 Apr 2007
Posts: 301

PostPosted: Tue May 02, 2017 8:19 pm    Post subject: [SOLVED] gentoo-sources 4.11.0 su does not work anymore Reply with quote

Today I updated my system to sys-kernel/gentoo-sources-4.11.0 and su stopped working on xorg.
Of course I am in the wheel group and the password is correct. In fact, in console, su - root works flawlessly.
I re-emerged shadow and pam.
Code:
ls -als /bin/su
36 -rws--x--x 1 root root 36152 mai  2 23:12 /bin/su

Code:
cat /etc/pam.d/su
auth       sufficient   pam_rootok.so
auth       required     pam_wheel.so use_uid
auth       include              system-auth
account    include              system-auth
password   include              system-auth
session    include              system-auth
session    required     pam_env.so
session    optional             pam_xauth.so

I took a look at demerge and there were rubygems php iproute2 and gentoo-sources for today.
I downgraded gentoo-sources and the problem disappeared.

I need to start investigating the problem. The problem is reproducible on one server with a very different kernel config.

Oh, in journalctl the error is "check pass; user unknown"
_________________
Sorry for my English. I'm still learning this language.


Last edited by costel78 on Thu Jun 15, 2017 1:59 pm; edited 1 time in total
Zucca
l33t


Joined: 14 Jun 2007
Posts: 800
Location: KUUSANKOSKI, Finland

PostPosted: Tue May 02, 2017 10:30 pm    Post subject: Reply with quote

Hm...
Interesting.
I'll then hold my upgrades.
Have you tried
sh:
su root
...?
costel78
Guru


Joined: 20 Apr 2007
Posts: 301

PostPosted: Wed May 03, 2017 4:25 am    Post subject: Reply with quote

Yes. And just su, too.
I do not understand. Why just in enlightenment or a plain x11 session, and why is it working on console?
_________________
Sorry for my English. I'm still learning this language.
mega_flow
n00b


Joined: 26 Jun 2016
Posts: 10

PostPosted: Wed May 03, 2017 4:37 am    Post subject: Reply with quote

No su problem on my system, sounds like an xattr problem. I have seen this with kde-plasma.
Are u sure u have POSIX Access Control Lists enabled for your filesystem?
I also have user_xattr enabled in fstab.

If not using xattr, try to disable the use flag filecaps with the package sys-libs/pam
albright
Advocate


Joined: 16 Nov 2003
Posts: 2411
Location: Near Toronto

PostPosted: Wed May 03, 2017 12:42 pm    Post subject: Reply with quote

just as another data point, I have no problem with su in xorg
(using kde plasma)

my problem is that vmware-modules won't build under 4.11.0
_________________
.... there is nothing - absolutely nothing - half so much worth
doing as simply messing about with Linux ...
(apologies to Kenneth Graeme)
costel78
Guru


Joined: 20 Apr 2007
Posts: 301

PostPosted: Wed May 03, 2017 8:07 pm    Post subject: Reply with quote

I also have the xattr use flag enabled globally, and user_xattr in fstab on the root partition.
Just tried today all four combinations, with/without user_xattr/filecaps use flag, but all tests gave the same results:

Code:
mai 03 22:51:20 gentoo su[929]: - /dev/pts/0 costel:root
mai 03 22:51:20 gentoo su[929]: FAILED su for root by costel
mai 03 22:51:20 gentoo su[929]: pam_authenticate: Authentication failure
mai 03 22:51:19 gentoo su[929]: pam_unix(su:auth): authentication failure; logname= uid=1000 euid=1000 tty=/dev/pts/0 ruser=costel rhost=  user=root
mai 03 22:51:19 gentoo unix_chkpwd[933]: password check failed for user (root)
mai 03 22:51:19 gentoo unix_chkpwd[933]: check pass; user unknown
mai 03 22:51:13 gentoo unix_chkpwd[930]: check pass; user unknown


Log from console (always successful, no matter what):
Code:
mai 03 22:57:24 gentoo su[1224]: pam_unix(su:session): session closed for user root
mai 03 22:57:22 gentoo su[1224]: pam_systemd(su:session): Cannot create session: Already running in a session
mai 03 22:57:22 gentoo su[1224]: pam_unix(su:session): session opened for user root by costel(uid=1000)
mai 03 22:57:22 gentoo su[1224]: + /dev/tty1 costel:root
mai 03 22:57:22 gentoo su[1224]: Successful su for root by costel


So, in console unix_chkpwd is not involved.
Code:
ls -als /sbin/unix_chkpwd
24 -rws--x--x 1 root root 22392 mai  3 22:50 /sbin/unix_chkpwd


Kernel config has systemd checked:
Code:
#
# Gentoo Linux
#
CONFIG_GENTOO_LINUX=y
CONFIG_GENTOO_LINUX_UDEV=y
CONFIG_GENTOO_LINUX_PORTAGE=y

#
# Support for init systems, system and service managers
#
# CONFIG_GENTOO_LINUX_INIT_SCRIPT is not set
CONFIG_GENTOO_LINUX_INIT_SYSTEMD=y


I have no idea what in kernel internals could cause this.
I really appreciate all your support. Thank you!
_________________
Sorry for my English. I'm still learning this language.
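
Added example (not part of the original posts): pam_unix records the calling process's uid and euid in its failure line, and a setuid-root su would normally show euid=0, while the failing line quoted above shows euid=1000. The script below extracts those fields from such lines; the second sample line, the function names and the verdict labels are constructed for illustration.

```shell
#!/bin/sh
# Sample input. Line 1 is the pam_unix line quoted in the post above;
# line 2 is a CONSTRUCTED contrast case (su running with euid 0).
sample_log() {
cat <<'EOF'
mai 03 22:51:19 gentoo su[929]: pam_unix(su:auth): authentication failure; logname= uid=1000 euid=1000 tty=/dev/pts/0 ruser=costel rhost=  user=root
mai 03 23:10:02 gentoo su[1301]: pam_unix(su:auth): authentication failure; logname=costel uid=1000 euid=0 tty=/dev/tty1 ruser=costel rhost=  user=root
EOF
}

# Read journal lines on stdin. For every pam_unix(su:auth) failure print:
#   <su pid> <uid> <euid> <verdict>
# euid_not_root: su was running without effective root when it authenticated,
#                so the failure says nothing about the typed password.
# euid_root:     su had its privileges; look at the password or PAM stack.
classify_su_failures() {
    awk '
    /pam_unix\(su:auth\): authentication failure/ {
        pid = ""; uid = ""; euid = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^su\[[0-9]+\]:$/) { pid = $i; gsub(/[^0-9]/, "", pid) }
            else if ($i ~ /^uid=/)  uid  = substr($i, 5)
            else if ($i ~ /^euid=/) euid = substr($i, 6)
        }
        if (euid == "") next            # not the format we expect; skip
        verdict = (euid == "0") ? "euid_root" : "euid_not_root"
        print pid, uid, euid, verdict
    }'
}

# Stand-alone run on the embedded sample; on a live system feed it
# the output of: journalctl -t su
sample_log | classify_su_failures
```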
Hu
Moderator


Joined: 06 Mar 2007
Posts: 10792

PostPosted: Thu May 04, 2017 1:14 am    Post subject: Reply with quote

Is the setuid bit on /bin/su respected when you run su under your Xorg session? Check by running su, then switching to a different xterm and examining the process list before you type in any password in su.
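
The check suggested above can be made more precise by reading the credential fields in /proc/<pid>/status of the waiting su rather than the owner column of ps. This is an added example, not part of the original post; the function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# CONSTRUCTED sample of the relevant /proc/<pid>/status fields for a
# setuid-root program started by uid 1000 that did gain root.
# (The real file separates fields with tabs; awk splits on either.)
sample_status() {
cat <<'EOF'
Name: su
TracerPid: 0
Uid: 1000 0 0 0
Gid: 1000 1000 1000 1000
NoNewPrivs: 0
EOF
}

# proc_creds PID   -> summarise /proc/PID/status
# proc_creds       -> summarise a status file given on stdin
#
# Uid: lists real, effective, saved and filesystem uid. For a setuid-root
# binary run by an ordinary user, real stays the user and effective is 0.
# The kernel does not grant the setuid identity on exec when the filesystem
# is mounted nosuid, when no_new_privs is set, or when the process is being
# ptraced by a tracer without CAP_SYS_PTRACE, so those fields are shown too.
proc_creds() {
    if [ -n "${1:-}" ]; then src=/proc/$1/status; else src=-; fi
    awk '
    $1 == "Uid:"        { ruid = $2; euid = $3 }
    $1 == "TracerPid:"  { tracer = $2 }
    $1 == "NoNewPrivs:" { nnp = $2 }
    END {
        if (ruid == "") exit 1            # no Uid: line, not a status file
        if (tracer == "") tracer = "n/a"
        if (nnp == "")    nnp = "n/a"     # field absent on older kernels
        printf "ruid=%s euid=%s tracer=%s nnp=%s root_euid=%s\n",
               ruid, euid, tracer, nnp, (euid == 0 ? "yes" : "no")
    }' "$src"
}

# Stand-alone run on the embedded sample. On a live system, start su in one
# terminal and, before typing the password, run in another:
#   proc_creds "$(pgrep -n -x su)"
sample_status | proc_creds
```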
costel78
Guru


Joined: 20 Apr 2007
Posts: 301

PostPosted: Thu May 04, 2017 5:45 am    Post subject: Reply with quote

Yes, it seems that is respected.
Code:
ps aux | grep su
root       298  0.0  0.0  13224  1976 ?        Ss   07:59   0:00 /usr/sbin/mount.ntfs-3g /dev/sdb2 /mnt/date -o rw,noexec,nosuid,nodev,users
root     11974  0.0  0.0  25672  2856 pts/2    SN+  08:36   0:00 su - root
costel   11979  0.0  0.0  10704   968 pts/1    SN+  08:36   0:00 grep --colour=auto su

_________________
Sorry for my English. I'm still learning this language.
costel78
Guru


Joined: 20 Apr 2007
Posts: 301

PostPosted: Thu May 04, 2017 8:39 am    Post subject: Reply with quote

No error with kernel 4.10.14. Also just completed an emerge -e world. For now, 4.11.0 stays masked on my system.
_________________
Sorry for my English. I'm still learning this language.
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 38196
Location: 56N 3W

PostPosted: Thu May 04, 2017 10:13 am    Post subject: Reply with quote

I know this isn't terribly useful

Code:
roy@Pi3 64bit ~ $ sudo su -
Password:

Pi3 64bit ~ # uname -a
Linux Pi3 64bit 4.11.0 #2 SMP PREEMPT Tue May 2 22:06:22 BST 2017 aarch64 GNU/Linux
Pi3 64bit ~ #

but it works for me.
That's over ssh
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
costel78
Guru


Joined: 20 Apr 2007
Posts: 301

PostPosted: Thu May 04, 2017 11:51 am    Post subject: Reply with quote

Thank you, the intention matters.
That's the weird thing, no problem whatsoever in console, including ssh. Just in an X session and just with the 4.11.0 kernel with exactly the same config as 4.10.13/14. :?
For now I masked it and am waiting for 4.11.1. I'll try with vanilla-sources, too.
_________________
Sorry for my English. I'm still learning this language.
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 38196
Location: 56N 3W

PostPosted: Thu May 04, 2017 12:09 pm    Post subject: Reply with quote

costel78,

That's my only 4.11.0 install just now and its console doesn't work (it's a Pi3 arm64 feature) so I can't easily test with Xfce4 or Mate right now.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Jaglover
Watchman


Joined: 29 May 2005
Posts: 5651
Location: Saint Amant, Acadiana

PostPosted: Thu May 04, 2017 12:50 pm    Post subject: Reply with quote

costel78 is using systemd. My openrc boxes do not exhibit such a problem with 4.11.
_________________
Please learn how to denote units correctly!

Political Correctness is all about replacing imaginary injustice with real injustice.
Zucca
l33t


Joined: 14 Jun 2007
Posts: 800
Location: KUUSANKOSKI, Finland

PostPosted: Thu May 04, 2017 2:39 pm    Post subject: Reply with quote

*sigh*

I was just about to upgrade systemd on one of my PCs. I think I'll pass on it too. Although I could just snapshot / before trying it out... /boot on the other hand isn't on btrfs. I still take snapshots of it by rsyncing the contents to /var/backups.

Lately if I've had problems with PCs I use, the cause has been systemd or udev ignoring my rules. I'm getting tired of "learning" systemd.

So. I keep my system at 4.10 and don't upgrade systemd. Only after this has been resolved I'll continue.
saellaven
Guru


Joined: 23 Jul 2006
Posts: 459

PostPosted: Thu May 04, 2017 4:47 pm    Post subject: Reply with quote

no problems here using openrc, but I'm also using vanilla-sources since I don't trust the gentoo-sources package.

Last edited by saellaven on Thu May 04, 2017 11:12 pm; edited 1 time in total
swanson
Tux's lil' helper


Joined: 04 Jun 2004
Posts: 116
Location: Edinburgh, Scotland

PostPosted: Thu May 04, 2017 5:06 pm    Post subject: Reply with quote

I'm having the same problem since upgrading to usual self-configured/compiled Linux 4.11 on an openrc only (no systemd) computer. Booting back to Linux 4.9 resolves the issue. Confused as to why this would cause PAM authentication to fail under X11 but not under console. Nothing on the kernel mailing lists so it might be specific to the Gentoo PAM setup but I can't see anything wrong with the PAM configuration for su and system-auth.

Also, Linux 4.11 stops Enlightenment from providing shutdown or reboot option which will be probably the same issue. Still investigating...
_________________
Alan.
eccerr0r
Watchman


Joined: 01 Jul 2004
Posts: 5790
Location: almost Mile High in the USA

PostPosted: Thu May 04, 2017 6:02 pm    Post subject: Reply with quote

Inside xfce4-terminal
Code:
fujiko:/$ systemctl --version
systemd 233
+PAM -AUDIT -SELINUX +IMA -APPARMOR +SMACK -SYSVINIT +UTMP -LIBCRYPTSETUP +GCRYPT -GNUTLS +ACL -XZ +LZ4 +SECCOMP +BLKID -ELFUTILS +KMOD -IDN default-hierarchy=hybrid
fujiko:/$ uname -r
4.11.0-gentoo
fujiko:/$ su
Password:
fujiko / # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),26(tape),27(video)
fujiko / # exit
exit
fujiko:/$

Works for me? I used a 4.9.16 .config and just copied it over.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Hu
Moderator


Joined: 06 Mar 2007
Posts: 10792

PostPosted: Fri May 05, 2017 1:49 am    Post subject: Reply with quote

Since we have conflicting data points (both openrc users and systemd users reporting failure, and both groups reporting success), it may be helpful to gather more details about the involved packages. eccerr0r showed us his systemd version. Would those posting mind showing also emerge --pretend --verbose sys-apps/shadow $(eix --installed --only-names pam) (and for other systemd users, your systemd version)? Reports seem to agree that this is a regression in 4.11, but perhaps knowing the versions of the user packages involved will help understand why this regression is not affecting everyone.
eccerr0r
Watchman


Joined: 01 Jul 2004
Posts: 5790
Location: almost Mile High in the USA

PostPosted: Fri May 05, 2017 3:01 am    Post subject: Reply with quote

Code:
$ emerge --pretend --verbose sys-apps/shadow $(eix --installed --only-names pam)

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] sys-libs/pam-1.2.1::gentoo  USE="berkdb cracklib nls pie -audit -debug -nis (-selinux) {-test} -vim-syntax" ABI_X86="32 (64) (-x32)" 0 KiB
[ebuild   R    ] sys-auth/pambase-20150213::gentoo  USE="cracklib gnome-keyring nullok sha512 systemd (-consolekit) -debug -minimal -mktemp -pam_krb5 -pam_ssh -passwdqc -securetty (-selinux)" 0 KiB
[ebuild   R    ] virtual/pam-0-r1::gentoo  ABI_X86="32 (64) (-x32)" 0 KiB
[ebuild   R    ] sys-apps/shadow-4.4-r2::gentoo  USE="acl cracklib nls pam xattr -audit (-selinux) -skey" LINGUAS="-cs -da -de -es -fi -fr -hu -id -it -ja -ko -pl -pt_BR -ru -sv -tr -zh_CN -zh_TW" 0 KiB

Total: 4 packages (4 reinstalls), Size of downloads: 0 KiB

 * IMPORTANT: 50 news items need reading for repository 'gentoo'.
 * Use eselect news read to view new items.


Also we may have to possibly count x11 keymap input layer changes, unless you know exactly what you typed for a password. Throwing that out there just in case though it may be in the weeds...
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
mega_flow
n00b


Joined: 26 Jun 2016
Posts: 10

PostPosted: Fri May 05, 2017 4:32 am    Post subject: Reply with quote

I do have only libinput as INPUT_DEVICES
no error with passwords in sys-kernel/gentoo-sources-4.11.0

can u use sudo ?
Back to top
View user's profile Send private message
costel78
Guru
Guru


Joined: 20 Apr 2007
Posts: 301

PostPosted: Fri May 05, 2017 5:55 am    Post subject: Reply with quote

Code:
emerge --pretend --verbose sys-apps/shadow $(eix --installed --only-names pam)

These are the packages that would be merged, in order:

Calculating dependencies                      ... done!
[ebuild   R    ] virtual/pam-0-r1::gentoo  ABI_X86="32 (64) (-x32)" 0 KiB
[ebuild   R    ] sys-libs/pam-1.3.0::gentoo  USE="cracklib filecaps nls pie -audit -berkdb -debug -nis (-selinux) {-test} -vim-syntax" ABI_X86="32 (64) (-x32)" 1.754 KiB
[ebuild   R    ] sys-auth/pambase-20150213::gentoo  USE="cracklib nullok sha512 systemd (-consolekit) -debug -gnome-keyring -minimal -mktemp -pam_krb5 -pam_ssh -passwdqc -securetty (-selinux)" 4 KiB
[ebuild   R    ] sys-apps/shadow-4.4-r2::gentoo  USE="acl cracklib nls pam xattr -audit (-selinux) -skey" LINGUAS="-cs -da -de -es -fi -fr -hu -id -it -ja -ko -pl -pt_BR -ru -sv -tr -zh_CN -zh_TW" 3.620 KiB

Total: 4 packages (4 reinstalls), Size of downloads: 5.377 KiB


I am relieved that someone can confirm this strange bug. And it seems to be something in enlightenment.
Code:
emerge -pvO efl enlightenment

These are the packages that would be merged, in order:

[ebuild   R    ] dev-libs/efl-1.18.4::gentoo  USE="X bmp drm eet egl fontconfig gif gles gstreamer harfbuzz ico libressl nls physics png postscript ppm psd pulseaudio sound ssl systemd tiff wayland -debug -doc -fbcon -fribidi -glib -gnutls -ibus -jpeg2k (-neon) -oldlua -opengl (-pixman) -raw -scim -sdl -tga -tslib -unwind -v4l -valgrind -webp -xim -xine -xpm" 63.096 KiB
[ebuild  NS    ] x11-wm/enlightenment-1.0.17:0::gentoo [0.21.7:0.17/0.21.7::gentoo] USE="dbus nls pango pulseaudio -doc -xcomposite -xinerama -xrandr" 2.361 KiB


Vanilla-sources-4.11.0 shows the same symptoms. I'll try with efl-1.19, maybe, maybe... :)

Thank you all very much!

Oh, I forgot about systemd version: sys-apps/systemd-233-r1:0/2::gentoo
_________________
Sorry for my English. I'm still learning this language.
costel78
Guru


Joined: 20 Apr 2007
Posts: 301

PostPosted: Fri May 05, 2017 7:30 am    Post subject: Reply with quote

No change with efl-1.19, but I installed xfce4-meta and when using it the problem disappears. :D
So it's something in efl/enlightenment which kernel 4.11 triggers.
It still remains unknown to me why xfvm/xterm (X11 plain session) is affected.
_________________
Sorry for my English. I'm still learning this language.
swanson
Tux's lil' helper


Joined: 04 Jun 2004
Posts: 116
Location: Edinburgh, Scotland

PostPosted: Fri May 05, 2017 1:46 pm    Post subject: Reply with quote

So, it's only the Enlightenment window manager being affected. On the Enlightenment dev list the developers don't know either and to quote the main developer's response to someone else's report of the issue from yesterday:

Quote:
but it's a kernel change that creates the issue. what - i don't know. ask your friendly neighbourhood kernel developer. the setuid root binaries are specifically erroring out unable to assume root privs where they could before.

_________________
Alan.
costel78
Guru


Joined: 20 Apr 2007
Posts: 301

PostPosted: Fri May 05, 2017 2:34 pm    Post subject: Reply with quote

Just tried with genkernel-next, brand new default kernel config, but it still refuses to work.
4.11 stays masked from now on. Waiting for 4.11.x.
_________________
Sorry for my English. I'm still learning this language.
eccerr0r
Watchman


Joined: 01 Jul 2004
Posts: 5790
Location: almost Mile High in the USA

PostPosted: Fri May 05, 2017 3:12 pm    Post subject: Reply with quote

Tried it under Gnome 3 (gnome-terminal 3.22.2) and it works as well.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?