modifying PAM configuration could break gksu
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
| GKSu |
Unknown
|
Unknown
|
||
| gksu (Ubuntu) |
Medium
|
Unassigned | ||
Bug Description
Binary package hint: gksu
If you modify PAM configuration to act differently, gksu could become unusable.
For example, see https:/
(in /etc/pam.
auth sufficient pam_thinkfinger.so
auth required pam_unix.so try_first_pass nullok_secure
With this configuration, Login in console, GDM and su will work perfectly and ask you either for your password or your fingerprint.
Unfortunatly, gksu will become "invisible". In fact, the sentence "enter your password or swipe your finger" will appear in the console from which you are launching gksu. As, most of the time, you are not launching gksu from a console but from an icon, you will see nothing and your application will not start. Anyway, it is still working because if you know it and swipe your finger, your application will eventually appear. So gksu is still listenning. It is just "invisible".
Changed in gksu: | |
importance: | Undecided → Medium |
Mark Reitblatt (mark-reitblatt) wrote : | #2 |
Upstream bug: http://
Unfortunately, Launchpad doesn't yet support Savannah.
nclm (nclm) wrote : | #3 |
I can confirm this too. But starting a application which starts gksu such as synaptic will prompt up gksu and ask you for the password
nclm (nclm) wrote : | #4 |
starting a application twice!! ... sorry for that
Håvard H. Garnes (hhgarnes) wrote : | #5 |
On my installation of Feisty, gksu is unusable as well as invisible, e.g. if I scan my finger when invisible, things won't start at all. In fact I have to do "killall gksu" for things to happen, and if I then try again to start things, I either get a password-prompt (not with "or scan your finger" - this typically happens when I run the update-managet) or things start fine (if I run gksu from a console)
Bug #52018 might be a duplicate of this bug.
Eddie Hung (eddieh) wrote : | #7 |
I am also experiencing this bug. I have a IBM Thinkpad X41, and running the latest version of Feisty, clean installed, and using thinkfinger, following the guide on the Ubuntu wiki.
Logging in via gdm works fine.
sudo from a terminal works fine.
gksudo does not appear - and even after swiping a finger, the application does not appear.
A "killall gksu" is required in order to execute the application. If this is not done, then further sudo-s and gksudo-s will function as they did without fingerprinting - ie. sudo will not ask for a fingerprint, and gksudo will appear and ask for a password, as it did before.
If gksudo was run from the console, then a Ctrl+C will do the same job. The fingerprint is correctly verified though, as killing gksu without a valid fingerprint will not launch the application.
Does anyone know where this bug lies? With gksudo (and it's implementation?) I have googled a fair bit for this - and collected many opinions. One is that gksu/gksudo does not have permission to grab the screen because it is being executed by pam_thinkfinger which is being run as root. Does anyone know if this bug applies to any other distros, or is it specific to Ubuntu too?
Eddie Hung (eddieh) wrote : | #8 |
I would also like to add that I've been trying with the bioapi implementation - with the UBEK binary driver and pam_bioapi - which seems to be slightly more successful.
The UBEK binary driver implements a (ugly, but functional) fingerprint dialog (rather than relying on the user application to say "Password or swipe finger") - and it is my belief that it is a userspace implementation rather than one requiring root permissions. With this, a dialog does appear, which after a successful authentication, gksudo will exit as normal and the application requested will be executed - unlike with pam_thinkfinger currently.
Regarding this bug, it might be worth pointing out the similarity between this and: https:/
uzahnd (uzahnd) wrote : | #9 |
This problem can be solved by changing the password prompt in /pam/pam_
Eddie Hung (eddieh) wrote : | #10 |
The underlying problem is still with sudo/gksu - it should be able to take into account prompts other than "Password:"!
Nick Andrik (andrikos) wrote : | #11 |
One idea is that every program is free to set its prompt for the terminal (e.g. Password or swipe your finger: ) but use the traditional "Password: " elsewhere (e.g. for graphical environment).
You can find a patch for the pam_thinkfinger.c attached.
Eddie Hung (eddieh) wrote : | #12 |
That's a nice and simple patch - however, the fact remains that the whole implementation of gksu is flawed: it is a wrapper around sudo, under the assumption that sudo does not use any other PAM but the default. For example, gdm correctly shows "Password or swipe finger" - as gksudo should. This patch only fixes pam_thinkfinger, and if you are using pam_bioapi, which does something a little differently (it only implements the fingerprinting - it does not accept a password - I've set it up so that if fingerprint fails then sudo falls back onto the normal password prompt) - then a patch of this type would not work.
I have wrote what I think in a similar bug: https:/
Andy Hopper (andy-hoppersoft) wrote : | #13 |
I can confirm this fails under Gutsy as well when using pam_winbind.
Wladston Viana (wladston) wrote : | #14 |
I'm just commenting to raise the importance of the bug (instead of reporting a duplicate). Let's hope it gets fixed soon.
AndrewC (konig12) wrote : | #15 |
I am experiencing the problem as well. Hopefully a fix can be found for this, because the fingerprint functionality is quite useful, and this is a major annoyance.
+1
Maximinus (max-thrax) wrote : | #17 |
I've been wanting a solution for this for some time, since it would be nice to be able to not only log in by swiping my finger, but get to the network management dialog with it - since I use my laptop at home and at work, needing to change network profiles between the two.
I've just been looking through the bug on sudo (http://
I'm not expert on this stuff, but it sounds to me as though passprompt_override could well be the basis for an updated, working gksu(do) without needing to manually patch and compile anything (sudo or pam modules) to perform workarounds. Could somebody please confirm this, and if it is indeed the case, let us all know when we might be able to expect the updated sudo and fixed gksu(do) to be released into the Ubuntu repositories?
Erik Gregg (ralree) wrote : | #18 |
I went ahead and compiled sudo 1.6.9p14 from source, and created a deb using checkinstall. Then, I simply installed it, updating the current sudo version from the repository. Then, I changed the Defaults in my sudoers file by typing `sudo visudo`:
Defaults !lecture,
After saving, I restarted X and logged in with my finger, and then ran network manager. The prompt popped up! I scanned my finger, and it all worked. Thanks for the suggestion, Maximinius!
I've attached the deb.
AndrewC (konig12) wrote : | #19 |
After a couple of difficulties in editing the sudoers file, (basically learning vim) I got it working according to the directions posted. Thanks for the fix. One thing to note: although the gksu password prompt does not ask for a fingerprint, it will accept the fingerprint. Hope they update this in the repositories soon. (maybe for 8.04?)
Justin Dugger (jldugger) wrote : | #20 |
Can anyone duplicate this problem in hardy? I'm fairly sure this is fixed now.
Roberto Leinardi (leinardi) wrote : | #21 |
I have the same problem using fprint (http://
Pending a solution, I restored the original common-auth and use the login through fingerprint reader only for the GDM (no sudo or gksu).
Maximinus (max-thrax) wrote : | #22 |
I guess I really should mention that I grabbed and installed Erik's deb, and it started working, even without the change to the Defaults. Thanks, Erik, for supplying the deb.
Adrian (ruewan) wrote : | #23 |
It seems a little worse in hardy. For me, when the gksu just did not work when the PAM configuration was modified. No matter how many times i tried to launch synaptic from the menu it just would not launch. When I launched it from the command prompt using sudo it worked. I tried Uzahnd's solution of modified the finger print prompt to say "Password:". I can log in at GDM using the finger print or password and gksu works. However, sudo in the command line ignores the fingerprint reader when I do this.
Justin Dugger (jldugger) wrote : | #24 |
Can anyone duplicate this using the ubuntu provided thinkfinger packages?
Whoopie (whoopie79) wrote : | #25 |
Using Hardy's sudo, gksu and thinkfinger packages, it's working out-of-the-box. I think, this bug report can be closed.
vnieto (vnieto) wrote : | #26 |
Whoopie : This working with another laptop different one to thinkpad?
Edwin Shin (eddie) wrote : | #27 |
This does not work "out-of-the-box" with Hardy's sudo & gksu + fprint. Per the original bug report, unless running gksu from a terminal, the fingerprint prompt (e.g. "Scan left index finger on AuthenTec AES2501") is "invisible".
mr_tijn (martijn-devisscher) wrote : | #28 |
i can confirm it does not work out of the box
i am using a rather fresh hardy install on a thinkpad r52, and installed thinkfinger using procedure for hardy from thinkwiki
(ie using ubuntu provided packages)
same results as Adrian:
it will work from command line eg sudo update-manager
but not from the menu (or, for that matter, just launching update-manager without sudo from command line)
repeating does not help. actually what happens is that sudo segfaults:
excerpt from /var/log/messages when starting update-manager :
Aug 2 14:28:15 think kernel: [ 1606.831798] input: Virtual ThinkFinger Keyboard as /devices/
Aug 2 14:28:55 think kernel: [ 3762.393400] sudo[17339]: segfault at b8429fb8 eip b7c87a47 esp b741b5d0 error 6
Changed in gksu (Ubuntu): | |
status: | Confirmed → Triaged |
Nick Andrik (andrikos) wrote : | #29 |
I think this issue has been solved in the current version of gksu and the bug could be closed
For the interested the details can be found here:
http://
This bug is not an issue for me any more, can someone else confirm this?
Gabe Gorelick (gabegorelick) wrote : | #30 |
Yeah this is fixed for me in Karmic. Marking as fix released. If anyone else still gets this bug, feel free to reopen.
Changed in gksu (Ubuntu): | |
status: | Triaged → Fix Released |
jedioetzi (jedioetzi) wrote : | #31 |
I use karmic, should I update some unstable packages for to have the fix?
Like mr_tijn for some admin tools started from menu (see update-manager, synaptic,..) the credential panel is not shown
Note I use fprint libraries for fingerprint
thanks
Gabe Gorelick (gabegorelick) wrote : | #32 |
@jedioetzi you still experience this bug? What does your /etc/pam.
Gabe Gorelick (gabegorelick) wrote : | #33 |
As per a discussion with David Jurenka, the underlying problems associated with this bug are still there. ThinkFinger does mostly work (although gksu will only ask for your password, your fingerprint can also be given), but it has to violate PAM's policy against threading. Other fingerprint modules that do follow the standards don't work. The gksu developers have pretty much given up on fixing gksu's innate problems and are now only working on gksu-polkit.
Therefore, this bug should really be marked as Won't Fix, but since only a member of ubuntu-dev can do that, for now I'll put it back to Confirmed.
Changed in gksu (Ubuntu): | |
status: | Fix Released → Confirmed |
tags: | added: patch-forwarded-upstream |
JuneHyeon Bae (devunt) wrote : | #34 |
On ubuntu 13.04, problem appear again.
JuneHyeon Bae (devunt) wrote : | #35 |
with
gksu 2.0.2-6ubuntu2
fprintd 0.4.1-5-g73eda
I can confirm this.
dpkg -l gksu
ii gksu 1.9.3-1ubuntu2