Ubuntu
gksu package

Bug #15093
Comment #18

Comment 18 for bug 15093

Revision history for this message

Eddie Hung (eddieh) wrote on 2007-06-06:

#18

I am experiencing a similar bug: this time using pam_bioapi (to support fingerprint readers), version 0.4.0.
The problem I am having is that gksudo does not pop up to ask for a password once the fingerprint dialog is aborted, as it would be expected to do.
My common-auth is as follows:
auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/biodata.db :0

auth required pam_unix.so nullok_secure
gdm, and console-run sudo perform as expected - cancelling the fingerprint dialog and it will ask for a password. However, running gksudo from console results in:
# sudo -l
# gksudo gedit
<fingerprint dialog pops up - after exiting that>
GNOME_SUDO_PASS
at which point it echoes any characters I type at it (meaning that it's not asking for a password), including new line characters. The only way to abort this is to press Ctrl+C.
Note also that the screen is not blanked during the fingerprint dialog (separate bug?)
Running gksudo from a launcher has the same effect - but obviously no console output.
Does anyone know what GNOME_SUDO_PASS means? I've asked the google oracle, but that hasn't got me anywhere.
I can confirm that gksudo works perfectly well without the pam_bioapi line, and it also works if I make it ask for the password first, by changing common-auth to:
auth sufficient pam_unix.so nullok_secure

auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/biodata.db :0

auth required pam_deny.so
gksudo does blank the screen and the password dialog appears, and pressing enter results in it unblanking and the fingerprint dialog appearing - this is my current solution, but far from ideal as I would like the password to back the fingerprinting.
It is also worth mentioning that this is also the case with pam_thinkfinger (an alternative fingerprinting "driver") which does not implement a separate fingerprinting dialog - gksudo does not appear at all, and after a successful fingerprint read gksudo does not exit - and a killall is required to bring the authenticating application up - though this also may be a error with pam_thinkfinger (version tested: 0.3.0).
All in all, I think we can conclude that gksudo (which from what I understand, is simply a wrapper for the console based sudo) does not support external pam modules very well?

I am experiencing a similar bug: this time using pam_bioapi (to support fingerprint readers), version 0.4.0.
The problem I am having is that gksudo does not pop up to ask for a password once the fingerprint dialog is aborted, as it would be expected to do.
My common-auth is as follows:
auth	sufficient	pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/biodata.db :0

auth       required     pam_unix.so nullok_secure
gdm, and console-run sudo perform as expected - cancelling the fingerprint dialog and it will ask for a password. However, running gksudo from console results in:
# sudo -l
# gksudo gedit
<fingerprint dialog pops up - after exiting that>
GNOME_SUDO_PASS
at which point it echoes any characters I type at it (meaning that it's not asking for a password), including new line characters. The only way to abort this is to press Ctrl+C.
Note also that the screen is not blanked during the fingerprint dialog (separate bug?)
Running gksudo from a launcher has the same effect - but obviously no console output.
Does anyone know what GNOME_SUDO_PASS means? I've asked the google oracle, but that hasn't got me anywhere. 
I can confirm that gksudo works perfectly well without the pam_bioapi line, and it also works if I make it ask for the password first, by changing common-auth to:
auth	sufficient	pam_unix.so nullok_secure

auth	sufficient	pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/biodata.db :0

auth	required	pam_deny.so
gksudo does blank the screen and the password dialog appears, and pressing enter results in it unblanking and the fingerprint dialog appearing - this is my current solution, but far from ideal as I would like the password to back the fingerprinting.
It is also worth mentioning that this is also the case with pam_thinkfinger (an alternative fingerprinting "driver") which does not implement a separate fingerprinting dialog - gksudo does not appear at all, and after a successful fingerprint read gksudo does not exit - and a killall is required to bring the authenticating application up - though this also may be a error with pam_thinkfinger (version tested: 0.3.0).
All in all, I think we can conclude that gksudo (which from what I understand, is simply a wrapper for the console based sudo) does not support external pam modules very well?

Ubuntugksu package

Comment 18 for bug 15093

Ubuntu
gksu package