Comment 26 for bug 15093

Eddie Hung (eddieh) wrote :

I don't think this is a bug with sudo - it's a bug inherently inside gksu(do).

As you may know, gksudo is simply a wrapper inside gksudo. It executes sudo with a -p parameter, asking it to override the default password prompt with the supplied argument.

In gksudo's case, it asks sudo to override the prompt with the string "GNOME_SUDO_PASS". It then checks to see if sudo says this - and if it does, then it knows that sudo is expecting a password, and grabs the screen and shows the dialog.

However, if it doesn't see this (for example, if thinkfinger prints "Password or swipe finger", or if pam_bioapi displays the driver GUI and displays nothing on the console), then it assumes that no password is necessary - and simply sits there waiting until sudo exits.

But in most cases, this never happens: if the fingerprint has failed, then most users will have opted to fall back onto password - in which case sudo will be waiting for a password that will never have the opportunity to be input.

The current workarounds work because:
a. sudo only overrides the prompt if it receives "Password:" from the password module - in which case changing pam_thinkfinger to output "Password:" (instead of its current "Password or swipe finger:" prompt) will cause its prompt to get overridden to GNOME_SUDO_PASS, and so gksudo will show itself.
b. With the suggested patches - sudo overrides the prompt to say whatever is requested, regardless of what the module is saying.

Neither is the ideal behaviour - either a complete rewrite of gksudo (more specifically, libgksu is where this code is written) is required (i.e. make gksudo something more than a wrapper around a console-based sudo), or a better method of waiting for GNOME_SUDO_PASS should be implemented - currently I believe it reads the first 50 lines from sudo (whether sudo has displayed 50 lines or not), and if none of them say GNOME_SUDO_PASS, then it gives up and just assumes that no password is necessary, and waits until sudo exits. I'm thinking it should only read the line if it exists - because GNOME_SUDO_PASS eventually turns up once all the preceding PAM modules have finished. This can be verified by running gksudo in debug mode, and looking at the libgksu source.

Any other thoughts? I'm currently looking into modifying libgksu.

P.S. Sorry for such a long post!
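
The prompt-detection problem described in the comment above, as an added example that is not part of the original comment and is not libgksu's code. It contrasts a reader that gives up after a fixed number of attempts with one that reads only when data exists; `bounded_detect`, `patient_detect`, `fake_sudo` and `demo` are hypothetical names, the 50-attempt limit follows the comment's description, and the child process is a constructed stand-in for sudo.

```python
import os
import select
import threading

SENTINEL = b"GNOME_SUDO_PASS"  # prompt string named in the comment

def bounded_detect(fd, attempts=50):
    """Assumed model of the behaviour the comment describes: try a fixed
    number of reads whether or not data exists, then give up."""
    buf = b""
    for _ in range(attempts):
        ready, _, _ = select.select([fd], [], [], 0)  # never waits
        if ready:
            buf += os.read(fd, 256)
        if SENTINEL in buf:
            return True
    return False  # caller now assumes no password is needed

def patient_detect(fd, timeout=5.0):
    """Read only when data exists; stop on sentinel, EOF or timeout."""
    buf = b""
    while SENTINEL not in buf:
        ready, _, _ = select.select([fd], [], [], timeout)
        chunk = os.read(fd, 256) if ready else b""
        if not chunk:
            return False  # timed out, or EOF: child exited without prompting
        buf += chunk
    return True

def demo():
    """Constructed stand-in for sudo: a biometric module prompts first and
    the sentinel only appears once the user falls back to a password."""
    r, w = os.pipe()
    fallback = threading.Event()

    def fake_sudo():
        os.write(w, b"Password or swipe finger:\n")
        fallback.wait()          # fingerprint attempt still in progress
        os.write(w, SENTINEL)    # PAM falls through to the password prompt
        os.close(w)

    t = threading.Thread(target=fake_sudo)
    t.start()
    early = bounded_detect(r)    # gives up before the sentinel exists
    fallback.set()
    late = patient_detect(r)     # sees the sentinel once it is written
    t.join()
    os.close(r)
    return early, late
```

`demo()` returns `(False, True)`: the bounded reader misses the prompt and would leave the child waiting for input, while the second reader catches it and still terminates on EOF if no prompt ever arrives.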