<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE> [Mageia-discuss] beta2 woes and no graphical root (tonyb)
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:mageia-discuss%40mageia.org?Subject=Re%3A%20%5BMageia-discuss%5D%20beta2%20woes%20and%20no%20graphical%20root%20%28tonyb%29&In-Reply-To=%3C4F88423A.4030003%40roadrunner.com%3E">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="007015.html">
<LINK REL="Next" HREF="007018.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[Mageia-discuss] beta2 woes and no graphical root (tonyb)</H1>
<B>Frank Griffin</B>
<A HREF="mailto:mageia-discuss%40mageia.org?Subject=Re%3A%20%5BMageia-discuss%5D%20beta2%20woes%20and%20no%20graphical%20root%20%28tonyb%29&In-Reply-To=%3C4F88423A.4030003%40roadrunner.com%3E"
TITLE="[Mageia-discuss] beta2 woes and no graphical root (tonyb)">ftg at roadrunner.com
</A><BR>
<I>Fri Apr 13 17:11:54 CEST 2012</I>
<P><UL>
<LI>Previous message: <A HREF="007015.html">[Mageia-discuss] beta2 woes and no graphical root (tonyb)
</A></li>
<LI>Next message: <A HREF="007018.html">[Mageia-discuss] Handbooks - the lot
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#7017">[ date ]</a>
<a href="thread.html#7017">[ thread ]</a>
<a href="subject.html#7017">[ subject ]</a>
<a href="author.html#7017">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>On 04/13/2012 09:33 AM, Oliver Burger wrote:
><i> And as I did say in this thread. I don't see any action by our KDE
</I>><i> team to this effect. Ok, I only scanned over the patches, but I read
</I>><i> the changelog and I saw no sign of anyone patching KDM to ignore it.
</I>><i> So be annoyed with KDE upstream for this change, not with our KDE
</I>><i> maintainers.
</I>><i>
</I>><i> Of course if someone does find a patch on our side, that does it, feel
</I>><i> free to correct me.
</I>
OK, just to be definitive, I activated KDM, set AllowRootLogin to true,
and tried and failed to login as root. However, KDM may not be the
culprit. From /var/log/auth.log:
Here's me logging on as root from a tty to do "service dm restart" (I
was previously using GDM):
Apr 13 10:13:18 localhost login: pam_tcb(login:auth): Authentication
passed for root from LOGIN(uid=0)
Apr 13 10:13:18 localhost login: pam_tcb(login:session): Session opened
for root by root(uid=0)
Apr 13 10:13:18 localhost login: ROOT LOGIN ON tty3
Apr 13 10:13:23 localhost polkitd(authority=local): Unregistered
Authentication Agent for
unix-session:/org/freedesktop/ConsoleKit/Session3 (system bus name
:1.320, object path /org/freedesktop/PolicyKit1/AuthenticationAgent,
locale en_US.UTF-8) (disconnected from bus)
Now here's two attempts at graphical login as root, followed by a
successful one as ftg:
Apr 13 10:13:38 localhost kdm: :0[22087]: pam_succeed_if(kdm:auth):
requirement "user ingroup nopasswdlogin" not met by user "root"
Apr 13 10:13:38 localhost kdm: :0[22087]: pam_tcb(kdm:auth):
Authentication passed for root from (uid=0)
Apr 13 10:13:47 localhost kdm: :0[22087]: pam_succeed_if(kdm:auth):
requirement "user ingroup nopasswdlogin" not met by user "root"
Apr 13 10:13:47 localhost kdm: :0[22087]: pam_tcb(kdm:auth):
Authentication passed for root from (uid=0)
Apr 13 10:13:58 localhost kdm: :0[22087]: pam_succeed_if(kdm:auth):
requirement "user ingroup nopasswdlogin" not met by user "ftg"
Apr 13 10:13:58 localhost kdm: :0[22087]: pam_tcb(kdm:auth):
Authentication passed for ftg from (uid=0)
Apr 13 10:13:58 localhost kdm: :0[22087]: pam_tcb(kdm:session): Session
opened for ftg by ftg(uid=0)
Note that in the tty login for root and the graphical login for ftg,
there are pam_tcb(kdm:session) entries, while there are none for the
failed graphical root logins.
It's still possible that this is being done by KDM, but googling turns
up nothing about AllowRootLogin being dropped by upstream. On the
contrary, "true" is the default on OpenSUSE and you can find here:
<A HREF="http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=7007124&sliceId=1&docTypeID=DT_TID_1_1">http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=7007124&sliceId=1&docTypeID=DT_TID_1_1</A>
an open bug in the Novell bugtracker complaining that root login is
still possible even if you set AllowRootLogin to false, because some
SUSE-specific script sets it back to true.
So, I don't think this was an upstream KDM change. From the above, it's
probably something in pam, so let's look there:
[root@ftgme2 ftg]# cat /etc/pam.d/kdm
#%PAM-1.0
auth required pam_env.so
auth required pam_succeed_if.so user != root quiet
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
auth substack system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session required pam_loginuid.so
session include system-auth
session optional pam_console.so
session required pam_namespace.so
[root@ftgme2 ftg]#
Well, well. Turns out this file is owned by mageia-kde4-config-common.
And it also turns out that if you comment out that third line, graphical
root login works just fine.
Looking in the changelog, one finds:
* Thu Sep 22 2011 mikala <mikala> 2-0.20110921.1.mga2
+ Revision: 146549
- Use directory.trash to create the trash.desktop & remove SOURCE4
- Fix rpmlint warnings
- use dolphin as a temporary workaround for Home2.desktop
- Switch to oxygen instead of iaora for Default & Netbook
config file
- Add pam files for kdm,kcheckpass & kscreensaver in common
config file
- Update version to 2 (we're on Mageia 2)
- Add mgabutton as symlink for start-here-kde in the vanilla
theme to have the &laquo; upstream &raquo; icon since we're
patching kdebase4-workspace
- Fix Provides for common package
- Update tarball to fix default kdm & ksplash for vanilla flavour
- Use correct prefix for vanilla
- Follow luc menut suggestion for kde prefix use
- More progress on vanilla flavour :
- move configurations files from common to Default/netbook flavors
- remove useless configuration files
- sync dolphinuirc with upstream
- fix alternatives for kde4-config & kdm-config vanilla flavour
Unfortunately, this doesn't say which package owned the pam files before
that, so it's unclear whether they were changed before this.
So the OP wasn't dreaming, this wasn't an upstream policy change, and it
was a deliberate decision on somebody's part here. And now you know how
to disable it if you want.
</PRE>
<!--endarticle-->
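<PRE>
Added example, not part of the original message: a Python sketch of the
two checks made by hand above, finding the auth rule that rejects root in
a PAM service file and listing logins that pass authentication but never
open a session. The sample inputs are constructed from the listings in
the message; the function names are hypothetical.

```python
import re

# Constructed sample modelled on the /etc/pam.d/kdm listing in the message.
PAM_KDM = """\
#%PAM-1.0
auth required pam_env.so
auth required pam_succeed_if.so user != root quiet
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
auth substack system-auth
session include system-auth
"""

# Constructed sample modelled on the auth.log excerpt, wrapped lines rejoined.
AUTH_LOG = """\
Apr 13 10:13:38 localhost kdm: :0[22087]: pam_tcb(kdm:auth): Authentication passed for root from (uid=0)
Apr 13 10:13:47 localhost kdm: :0[22087]: pam_tcb(kdm:auth): Authentication passed for root from (uid=0)
Apr 13 10:13:58 localhost kdm: :0[22087]: pam_tcb(kdm:auth): Authentication passed for ftg from (uid=0)
Apr 13 10:13:58 localhost kdm: :0[22087]: pam_tcb(kdm:session): Session opened for ftg by ftg(uid=0)
"""

PASSED = re.compile(r"pam_\w+\((\w+):auth\): Authentication passed for (\S+)")
OPENED = re.compile(r"pam_\w+\((\w+):session\): Session opened for (\S+)")

def root_deny_rules(pam_text):
    """Return (line_no, control) for auth rules that fail when the user is root."""
    # A failed "required" rule does not stop the stack, so later modules still
    # run and log success; "quiet" keeps the rule itself out of the log.
    hits = []
    for no, line in enumerate(pam_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if (fields[:1] == ["auth"] and fields[2:3] == ["pam_succeed_if.so"]
                and fields[3:6] == ["user", "!=", "root"]):
            hits.append((no, fields[1]))
    return hits

def passed_without_session(log_text):
    """Return (service, user) for each auth pass never followed by a session open."""
    pending = []
    for line in log_text.splitlines():
        m = PASSED.search(line)
        if m:
            pending.append(m.groups())
            continue
        m = OPENED.search(line)
        if m and m.groups() in pending:
            pending.remove(m.groups())
    return pending

if __name__ == "__main__":
    print(root_deny_rules(PAM_KDM), passed_without_session(AUTH_LOG))
```
</PRE>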
<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-discuss">More information about the Mageia-discuss
mailing list</a><br>
</body></html>