[Mageia-discuss] beta2 woes and no graphical root (tonyb)

Fri Apr 13 17:11:54 CEST 2012

On 04/13/2012 09:33 AM, Oliver Burger wrote:
+> And as I did say in this thread. I don't see any action by our KDE 
+> team to this effect. Ok, I only scanned over the patches, but I read 
+> the changelog and I saw no sign of anyone patching KDM to ignore it.
+> So be annoyed with KDE upstream for this change, not with our KDE 
+> maintainers.
+>
+> Of course if someone does find a patch on our side, that does it, feel 
+> free to correct me.
+
+OK, just to be definitive, I activated KDM, set AllowRootLogin to true, 
+and tried and failed to login as root.  However, KDM may not be the 
+culprit.  From /var/log/auth.log:
+
+Here's me logging on as root from a tty to do "service dm restart" (I 
+was previously using GDM):
+
+Apr 13 10:13:18 localhost login: pam_tcb(login:auth): Authentication 
+passed for root from LOGIN(uid=0)
+Apr 13 10:13:18 localhost login: pam_tcb(login:session): Session opened 
+for root by root(uid=0)
+Apr 13 10:13:18 localhost login: ROOT LOGIN ON tty3
+Apr 13 10:13:23 localhost polkitd(authority=local): Unregistered 
+Authentication Agent for 
+unix-session:/org/freedesktop/ConsoleKit/Session3 (system bus name 
+:1.320, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, 
+locale en_US.UTF-8) (disconnected from bus)
+
+Now here's two attempts at graphical login as root, followed by a 
+successful one as ftg:
+
+Apr 13 10:13:38 localhost kdm: :0[22087]: pam_succeed_if(kdm:auth): 
+requirement "user ingroup nopasswdlogin" not met by user "root"
+Apr 13 10:13:38 localhost kdm: :0[22087]: pam_tcb(kdm:auth): 
+Authentication passed for root from (uid=0)
+Apr 13 10:13:47 localhost kdm: :0[22087]: pam_succeed_if(kdm:auth): 
+requirement "user ingroup nopasswdlogin" not met by user "root"
+Apr 13 10:13:47 localhost kdm: :0[22087]: pam_tcb(kdm:auth): 
+Authentication passed for root from (uid=0)
+Apr 13 10:13:58 localhost kdm: :0[22087]: pam_succeed_if(kdm:auth): 
+requirement "user ingroup nopasswdlogin" not met by user "ftg"
+Apr 13 10:13:58 localhost kdm: :0[22087]: pam_tcb(kdm:auth): 
+Authentication passed for ftg from (uid=0)
+Apr 13 10:13:58 localhost kdm: :0[22087]: pam_tcb(kdm:session): Session 
+opened for ftg by ftg(uid=0)
+
+Note that in the tty login for root and the graphical login for ftg, 
+there are pam_tcb(kdm:session) entries, while there are none for the 
+failed graphical root logins.
+
+It's still possible that this is being done by KDM, but googling turns 
+up nothing about AllowRootLogin being dropped by upstream.  On the 
+contrary, "true" is the default on OpenSUSE and you can find here:
+
+http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=7007124&sliceId=1&docTypeID=DT_TID_1_1
+
+an open bug in the Novell bugtracker complaining that root login is 
+still possible even if you set AllowRootLogin to false, because some 
+SUSE-specific script sets it back to true.
+
+So, I don't think this was an upstream KDM change.  From the above, it's 
+probably something in pam, so let's look there:
+
+[root at ftgme2 ftg]# cat /etc/pam.d/kdm
+#%PAM-1.0
+auth       required    pam_env.so
+auth       required    pam_succeed_if.so user != root quiet
+auth       sufficient  pam_succeed_if.so user ingroup nopasswdlogin
+auth       substack    system-auth
+account    required    pam_nologin.so
+account    include     system-auth
+password   include     system-auth
+session    optional    pam_keyinit.so force revoke
+session    required    pam_loginuid.so
+session    include     system-auth
+session    optional    pam_console.so
+session    required    pam_namespace.so
+[root at ftgme2 ftg]#
+
+Well. well.  Turns out this file is owned by mageia-kde4-config-common.  
+And it also turns out that if you comment out that third line, graphical 
+root login works just fine.
+
+Looking in the changelog, one finds:
+
+         * Thu Sep 22 2011 mikala <mikala> 2-0.20110921.1.mga2
+         + Revision: 146549
+         - Use directory.trash to create the trash.desktop & remove SOURCE4
+         - Fix rpmlint warnings
+          - use dolphin as a temporary workaround for Home2.desktop
+         - Switch to oxygen instead of iaora for Default & Netbook 
+config file
+         - Add pam files for kdm,kcheckpass & kscreensaver in common 
+config file
+         - Update version to 2 (we're on Mageia 2)
+         - Add mgabutton as symlink for start-here-kde in the vanilla 
+theme to have the ?\194?\171 upstream ?\194?\187 icon since we're 
+patching kdebase4-workspace
+         - Fix Provides for common package
+         - Update tarball to fix default kdm & ksplash for vanilla flavour
+         - Use correct prefix for vanilla
+         - Follow luc menut suggestion for kde prefix use
+         - More progress on  vanilla flavour :
+          - move configurations files from common to Default/netbook flavors
+          - remove useless configuration files
+          - sync dolphinuirc with upstream
+          - fix alternatives for kde4-config & kdm-config vanilla flavour
+
+Unfortunately, this doesn't say which package owned the pam files before 
+that, so it's unclear whether they were changed before this.
+
+So the OP wasn't dreaming, this wasn't an upstream policy change, and it 
+was a deliberate decision on somebody's part here.  And now you know how 
+to disable it if you want.
+