modifying PAM configuration could break gksu

Bug #86843 reported by Lionel Dricot
This bug affects 6 people
Affects | Status | Importance | Assigned to | Milestone
GKSu | Unknown | Unknown | - | -
gksu (Ubuntu) | Confirmed | Medium | Unassigned | -
Nominated for Karmic by jedioetzi

Bug Description

Binary package hint: gksu

If you modify PAM configuration to act differently, gksu could become unusable.

For example, see https://wiki.ubuntu.com/ThinkFinger, which modifies PAM to take care of a fingerprint reader.

(in /etc/pam.d/auth-common)
auth sufficient pam_thinkfinger.so
auth required pam_unix.so try_first_pass nullok_secure

With this configuration, login in the console, GDM and su will work perfectly and ask you either for your password or your fingerprint.

Unfortunately, gksu will become "invisible". In fact, the sentence "enter your password or swipe your finger" will appear in the console from which you are launching gksu. As, most of the time, you are not launching gksu from a console but from an icon, you will see nothing and your application will not start. Anyway, it is still working, because if you know it and swipe your finger, your application will eventually appear. So gksu is still listening. It is just "invisible".

Eyal Oren (ikbeneyal) wrote :

I can confirm this.

dpkg -l gksu
ii gksu 1.9.3-1ubuntu2

Changed in gksu:
status: Unconfirmed → Confirmed
importance: Undecided → Medium

Mark Reitblatt (mark-reitblatt) wrote :

Upstream bug: http://savannah.nongnu.org/bugs/?19132
Unfortunately, Launchpad doesn't yet support Savannah.

nclm (nclm) wrote :

I can confirm this too. But starting an application which starts gksu, such as synaptic, will prompt up gksu and ask you for the password.

nclm (nclm) wrote :

starting an application twice!! ... sorry for that

Håvard H. Garnes (hhgarnes) wrote :

On my installation of Feisty, gksu is unusable as well as invisible, e.g. if I scan my finger when invisible, things won't start at all. In fact I have to do "killall gksu" for things to happen, and if I then try again to start things, I either get a password prompt (not with "or scan your finger" - this typically happens when I run the update-manager) or things start fine (if I run gksu from a console).

Jérôme Guelfucci (jerome-guelfucci-deactivatedaccount) wrote :

Bug #52018 might be a duplicate of this bug.

Eddie Hung (eddieh) wrote :

I am also experiencing this bug. I have an IBM ThinkPad X41, running the latest version of Feisty, clean installed, and using thinkfinger, following the guide on the Ubuntu wiki.

Logging in via gdm works fine.
sudo from a terminal works fine.
gksudo does not appear - and even after swiping a finger, the application does not appear.
A "killall gksu" is required in order to execute the application. If this is not done, then further sudo-s and gksudo-s will function as they did without fingerprinting - ie. sudo will not ask for a fingerprint, and gksudo will appear and ask for a password, as it did before.
If gksudo was run from the console, then a Ctrl+C will do the same job. The fingerprint is correctly verified though, as killing gksu without a valid fingerprint will not launch the application.

Does anyone know where this bug lies? With gksudo (and its implementation?) I have googled a fair bit for this - and collected many opinions. One is that gksu/gksudo does not have permission to grab the screen because it is being executed by pam_thinkfinger, which is being run as root. Does anyone know if this bug applies to any other distros, or is it specific to Ubuntu too?

Eddie Hung (eddieh) wrote :

I would also like to add that I've been trying with the bioapi implementation - with the UBEK binary driver and pam_bioapi - which seems to be slightly more successful.
The UBEK binary driver implements an (ugly, but functional) fingerprint dialog (rather than relying on the user application to say "Password or swipe finger") - and it is my belief that it is a userspace implementation rather than one requiring root permissions. With this, a dialog does appear, and after a successful authentication, gksudo will exit as normal and the application requested will be executed - unlike with pam_thinkfinger currently.
Regarding this bug, it might be worth pointing out the similarity between this and https://bugs.launchpad.net/bugs/15093, where I have written a lengthy post regarding the problems I am experiencing with pam_bioapi, should you be interested.

uzahnd (uzahnd) wrote :

This problem can be solved by changing the password prompt in /pam/pam_thinkfinger.c from "Password or swipe finger: " to a simple "Password:" (tested on Ubuntu Feisty with thinkfinger 0.3).

Eddie Hung (eddieh) wrote :

The underlying problem is still with sudo/gksu - it should be able to take into account prompts other than "Password:"!

Nick Andrik (andrikos) wrote :

One idea is that every program is free to set its prompt for the terminal (e.g. Password or swipe your finger: ) but use the traditional "Password: " elsewhere (e.g. for graphical environment).
You can find a patch for the pam_thinkfinger.c attached.

Eddie Hung (eddieh) wrote :

That's a nice and simple patch - however, the fact remains that the whole implementation of gksu is flawed: it is a wrapper around sudo, under the assumption that sudo does not use any other PAM but the default. For example, gdm correctly shows "Password or swipe finger" - as gksudo should. This patch only fixes pam_thinkfinger, and if you are using pam_bioapi, which does something a little differently (it only implements the fingerprinting - it does not accept a password - I've set it up so that if fingerprint fails then sudo falls back onto the normal password prompt) - then a patch of this type would not work.

I have written what I think in a similar bug: https://bugs.launchpad.net/bugs/15093. I sent an e-mail to the Ubuntu guy assigned to this bug, with my thoughts and an offer of help, but I have not yet received a reply which has put me pursuing a more long-term, permanent fix.

Andy Hopper (andy-hoppersoft) wrote :

I can confirm this fails under Gutsy as well when using pam_winbind.

Wladston Viana (wladston) wrote :

I'm just commenting to raise the importance of the bug (instead of reporting a duplicate). Let's hope it gets fixed soon.

AndrewC (konig12) wrote :

I am experiencing the problem as well. Hopefully a fix can be found for this, because the fingerprint functionality is quite useful, and this is a major annoyance.

Anders Rune Jensen (anders-gnulinux) wrote :

+1

Maximinus (max-thrax) wrote :

I've been wanting a solution for this for some time, since it would be nice to be able to not only log in by swiping my finger, but get to the network management dialog with it - since I use my laptop at home and at work, needing to change network profiles between the two.

I've just been looking through the bug on sudo (http://www.sudo.ws/bugs/show_bug.cgi?id=180) and noticed that "Sudo 1.6.9p9 now localizes 'Password: ' before checking against the PAM prompt. Furthermore, a new sudoers option, passprompt_override exists to force the sudo prompt to be used regardless. This option is now set by default if the -p flag is specified."

I'm not an expert on this stuff, but it sounds to me as though passprompt_override could well be the basis for an updated, working gksu(do) without needing to manually patch and compile anything (sudo or pam modules) to perform workarounds. Could somebody please confirm this, and if it is indeed the case, let us all know when we might be able to expect the updated sudo and fixed gksu(do) to be released into the Ubuntu repositories?

Erik Gregg (ralree) wrote :

I went ahead and compiled sudo 1.6.9p14 from source, and created a deb using checkinstall. Then, I simply installed it, updating the current sudo version from the repository. Then, I changed the Defaults in my sudoers file by typing `sudo visudo`:

Defaults !lecture,tty_tickets,!fqdn,passprompt_override

After saving, I restarted X and logged in with my finger, and then ran network manager. The prompt popped up! I scanned my finger, and it all worked. Thanks for the suggestion, Maximinus!

I've attached the deb.
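
Added example, not part of the original thread and not sudo or gksu code: a simplified Python model of the prompt selection described in the sudo note quoted above, showing why each workaround in this thread makes the dialog appear. It assumes the GUI wrapper passes a sentinel prompt with `sudo -p` and waits for that exact string; `WRAPPER_PROMPT`, `BASE` and the function names are hypothetical.

```python
# Simplified model of the prompt handling discussed in this thread.
# Added illustration: not sudo or gksu source code.
WRAPPER_PROMPT = "WRAPPER_PASS_PROMPT"  # hypothetical sentinel given to `sudo -p`
BASE = "Defaults !lecture,tty_tickets,!fqdn"  # Defaults line from the thread, minus the fix


def parse_defaults(line):
    """Return the boolean flags enabled on one sudoers Defaults line."""
    body = line.strip()
    if not body.startswith("Defaults"):
        return set()
    items = (i.strip() for i in body[len("Defaults"):].split(","))
    return {i for i in items if i and not i.startswith("!") and "=" not in i}


def prompt_shown(pam_prompt, user_prompt, flags, p_implies_override=False):
    """Prompt that reaches the caller of sudo.

    The -p prompt replaces the PAM module's prompt only when the module used
    the stock "Password:" text, unless passprompt_override is in effect
    (set explicitly, or implied by -p as the quoted 1.6.9p9 note says).
    """
    override = "passprompt_override" in flags or p_implies_override
    if override or pam_prompt.rstrip() == "Password:":
        return user_prompt
    return pam_prompt


def wrapper_sees_prompt(pam_prompt, defaults_line, p_implies_override=False):
    """True if a GUI wrapper waiting for WRAPPER_PROMPT would open its dialog."""
    flags = parse_defaults(defaults_line)
    shown = prompt_shown(pam_prompt, WRAPPER_PROMPT, flags, p_implies_override)
    return shown == WRAPPER_PROMPT


if __name__ == "__main__":
    # Constructed scenarios mirroring the comments in this thread.
    cases = [
        ("pam_unix only", "Password: ", BASE, False),
        ("pam_thinkfinger prompt", "Password or swipe finger: ", BASE, False),
        ("module prompt renamed", "Password:", BASE, False),
        ("passprompt_override set", "Password or swipe finger: ",
         BASE + ",passprompt_override", False),
        ("newer sudo, -p implies override", "Password or swipe finger: ", BASE, True),
    ]
    for name, prompt, defaults, implied in cases:
        ok = wrapper_sees_prompt(prompt, defaults, implied)
        print(f"{name:32} dialog {'appears' if ok else 'never appears'}")
```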

AndrewC (konig12) wrote :

After a couple of difficulties in editing the sudoers file, (basically learning vim) I got it working according to the directions posted. Thanks for the fix. One thing to note: although the gksu password prompt does not ask for a fingerprint, it will accept the fingerprint. Hope they update this in the repositories soon. (maybe for 8.04?)

Justin Dugger (jldugger) wrote :

Can anyone duplicate this problem in hardy? I'm fairly sure this is fixed now.

Roberto Leinardi (leinardi) wrote :

I have the same problem using fprint (http://reactivated.net/fprint) on Hardy Heron RC.

Pending a solution, I restored the original common-auth and use the login through fingerprint reader only for the GDM (no sudo or gksu).

Maximinus (max-thrax) wrote :

I guess I really should mention that I grabbed and installed Erik's deb, and it started working, even without the change to the Defaults. Thanks, Erik, for supplying the deb.

Adrian (ruewan) wrote :

It seems a little worse in Hardy. For me, gksu just did not work when the PAM configuration was modified. No matter how many times I tried to launch synaptic from the menu, it just would not launch. When I launched it from the command prompt using sudo, it worked. I tried uzahnd's solution of modifying the fingerprint prompt to say "Password:". I can log in at GDM using the fingerprint or password, and gksu works. However, sudo on the command line ignores the fingerprint reader when I do this.

Justin Dugger (jldugger) wrote :

Can anyone duplicate this using the ubuntu provided thinkfinger packages?

Peter Meiser (meiser79) wrote :

Using Hardy's sudo, gksu and thinkfinger packages, it's working out-of-the-box. I think this bug report can be closed.

vnieto (vnieto) wrote :

Whoopie: Is this working with another laptop, a different one from a ThinkPad?

Edwin Shin (eddie) wrote :

This does not work "out-of-the-box" with Hardy's sudo & gksu + fprint. Per the original bug report, unless running gksu from a terminal, the fingerprint prompt (e.g. "Scan left index finger on AuthenTec AES2501") is "invisible".

mr_tijn (martijn-devisscher) wrote :

I can confirm it does not work out of the box.

I am using a rather fresh Hardy install on a ThinkPad R52, and installed thinkfinger using the procedure for Hardy from ThinkWiki
(i.e. using Ubuntu-provided packages).

Same results as Adrian:
it will work from the command line, e.g. sudo update-manager,
but not from the menu (or, for that matter, just launching update-manager without sudo from the command line).

Repeating does not help. Actually, what happens is that sudo segfaults.
Excerpt from /var/log/messages when starting update-manager:

Aug 2 14:28:15 think kernel: [ 1606.831798] input: Virtual ThinkFinger Keyboard as /devices/virtual/input/input18
Aug 2 14:28:55 think kernel: [ 3762.393400] sudo[17339]: segfault at b8429fb8 eip b7c87a47 esp b741b5d0 error 6

Changed in gksu (Ubuntu):
status: Confirmed → Triaged

Nick Andrik (andrikos) wrote :

I think this issue has been solved in the current version of gksu and the bug could be closed.
For those interested, the details can be found here:
http://www.sudo.ws/bugs/show_bug.cgi?id=180

This bug is not an issue for me any more, can someone else confirm this?

Gabe Gorelick (gabegorelick) wrote :

Yeah this is fixed for me in Karmic. Marking as fix released. If anyone else still gets this bug, feel free to reopen.

Changed in gksu (Ubuntu):
status: Triaged → Fix Released

jedioetzi (jedioetzi) wrote :

I use Karmic. Should I update some unstable packages to get the fix?
Like mr_tijn, for some admin tools started from the menu (see update-manager, synaptic, ...) the credential panel is not shown.
Note that I use the fprint libraries for fingerprints.

thanks

Gabe Gorelick (gabegorelick) wrote :

@jedioetzi you still experience this bug? What does your /etc/pam.d/auth-common look like? You shouldn't have to update to any unstable packages, just the latest version of Karmic works for me.

Gabe Gorelick (gabegorelick) wrote :

As per a discussion with David Jurenka, the underlying problems associated with this bug are still there. ThinkFinger does mostly work (although gksu will only ask for your password, your fingerprint can also be given), but it has to violate PAM's policy against threading. Other fingerprint modules that do follow the standards don't work. The gksu developers have pretty much given up on fixing gksu's innate problems and are now only working on gksu-polkit.

Therefore, this bug should really be marked as Won't Fix, but since only a member of ubuntu-dev can do that, for now I'll put it back to Confirmed.

Changed in gksu (Ubuntu):
status: Fix Released → Confirmed
David Futcher (bobbo)
tags: added: patch-forwarded-upstream

JuneHyeon Bae (devunt) wrote :

On Ubuntu 13.04, the problem appears again.

JuneHyeon Bae (devunt) wrote :

with
gksu 2.0.2-6ubuntu2
fprintd 0.4.1-5-g73eda
