Apport hook prompts 3 times for password

Bug #716595 reported by Bryce Harrington on 2011-02-10
28
This bug affects 4 people
Affects Status Importance Assigned to Milestone
apport (Ubuntu)
Medium
Martin Pitt
xorg (Ubuntu)
Medium
Bryce Harrington

Bug Description

Binary package hint: xorg

Noticed after requesting the gdm logs, the xorg apport hook displays 3 password prompts.

Probably one each for the three gdm files it's attaching. Guessing it should do the copies all in one operation?

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: xorg 1:7.6~3ubuntu3
ProcVersionSignature: Ubuntu 2.6.38-2.29-generic-pae 2.6.38-rc3
Uname: Linux 2.6.38-2-generic-pae i686
Architecture: i386
CompisitorRunning: None
CompizPlugins: [core,bailer,detection,composite,opengl,decor,mousepoll,vpswitch,regex,animation,snap,expo,move,compiztoolbox,place,grid,gnomecompat,wall,ezoom,workarounds,staticswitcher,resize,fade,scale,session,unityshell]
DRM.card0.DIN.1:
 status: disconnected
 enabled: disabled
 dpms: Off
 modes:
 edid-base64:
Date: Thu Feb 10 10:45:34 2011
DistUpgraded: Fresh install
DistroCodename: natty
DistroVariant: ubuntu
GraphicsCard: Subsystem: PC Partner Limited Sapphire HD 4850 512MB GDDR3 PCI-E Dual Slot Fansink [174b:e810]
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Alpha i386 (20110202)
MachineType: Gigabyte Technology Co., Ltd. P67A-UD4
ProcEnviron:
 LANGUAGE=en_US:en
 PATH=(custom, user)
 LANG=C
 SHELL=/bin/bash
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-2.6.38-2-generic-pae root=UUID=2b238928-f3f1-4074-b551-2cceff54c6a4 ro quiet splash vt.handoff=7
Renderer: Hardware acceleration
SourcePackage: xorg
dmi.bios.date: 11/25/2010
dmi.bios.vendor: Award Software International, Inc.
dmi.bios.version: F4
dmi.board.name: P67A-UD4
dmi.board.vendor: Gigabyte Technology Co., Ltd.
dmi.board.version: x.x
dmi.chassis.type: 3
dmi.chassis.vendor: Gigabyte Technology Co., Ltd.
dmi.modalias: dmi:bvnAwardSoftwareInternational,Inc.:bvrF4:bd11/25/2010:svnGigabyteTechnologyCo.,Ltd.:pnP67A-UD4:pvr:rvnGigabyteTechnologyCo.,Ltd.:rnP67A-UD4:rvrx.x:cvnGigabyteTechnologyCo.,Ltd.:ct3:cvr:
dmi.product.name: P67A-UD4
dmi.sys.vendor: Gigabyte Technology Co., Ltd.
version.compiz: compiz 1:0.9.2.1+glibmainloop4-0ubuntu10
version.libdrm2: libdrm2 2.4.23-1ubuntu3
version.libgl1-mesa-glx: libgl1-mesa-glx 7.10-1ubuntu1
version.xserver-xorg: xserver-xorg 1:7.6~3ubuntu3
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:6.13.2+git20110124.fadee040-0ubuntu4
version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.14.0-1ubuntu6
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:0.0.16+git20110107+b795ca6e-0ubuntu4

Bryce Harrington (bryce) wrote :
Bryce Harrington (bryce) wrote :

Unfortunately, in looking into this it's not easy to fix, at least not in the apport hook itself.

The code in question is:
 report['GdmLog'] = root_collect_file_contents('/var/log/gdm/:0.log')
        report['GdmLog1'] = root_collect_file_contents('/var/log/gdm/:0.log.1')
        report['GdmLog2'] = root_collect_file_contents('/var/log/gdm/:0.log.2')

Each of the root_collect_file_contents() calls essentially calls and return root_command_output(['cat', path]). root_command_output() is one of the stock apport lib routines.

So the question is, why isn't root_command_output() caching the sudo permission from one call to the next?

Changed in xorg (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Bryce Harrington (bryce) wrote :

@Martin, do you have a suggestion for how to better attach three files as separate apport items without incurring three password prompts?

Indeed it works when running without $DISPLAY, i. e. apport calls sudo directly. But it doesn't seem to cache credentials when using gksu, as this creates new PTYs (to run sudo in) every time.

We could provide a new API root_commands_output to accept a keyname -> [command list] and slurp in all command outputs in one go. The xorg hook could then use that.

summary: - Apport hook prompts 3 times for password
+ consecutive root_command_output() calls ask for password each time
Martin Pitt (pitti) wrote :

That seems to be a rather interesting gksu bug or misbehaviour: "gksu whoami" does cache the password through sudo, but "gksu whoami > /tmp/o" doesn't. So the output redirection breaks this somehow.

Martin Pitt (pitti) wrote :

(Note that "sudo whoami > /tmp/o" just works fine).

Martin Pitt (pitti) wrote :

OK, this is definitively gksu breakage when searchign for the password prompt. Let's fix it at the proper place.

Changed in apport (Ubuntu):
status: New → Invalid
affects: xorg (Ubuntu) → gksu (Ubuntu)
Changed in gksu (Ubuntu):
assignee: nobody → Martin Pitt (pitti)
summary: - consecutive root_command_output() calls ask for password each time
+ gksu ask for password each time with stdout redirection

The root cause of this is sudo itself, after all. It seems to check if any of stdin/out/err is a real PTY and grab the ticket if available. But if all of stdin/out/err are redirected, it doesn't respect the sudo tickets any more either:

  cat | /usr/bin/sudo whoami 2>&1 |cat

always asks for a password. libgksu needs to provides stdin for the password, and redirect stderr for checking if the password was correct. If you now additionally redirect stdout as well, there is no fd left to check the PTY with.

There seems to be another mode with "forkpty()", I'll check this.

Martin Pitt (pitti) wrote :

So, we can't fix that in sudo or libgksu; with "forkpty" it's even worse, as a new TTY will be allocated every time.

Restoring back to xorg (for updating the hook) and apport (for providing better API).

summary: - gksu ask for password each time with stdout redirection
+ Apport hook prompts 3 times for password
affects: gksu (Ubuntu) → xorg (Ubuntu)
Changed in apport (Ubuntu):
assignee: nobody → Martin Pitt (pitti)
importance: Undecided → Medium
status: Invalid → Triaged

On Tue, Feb 15, 2011 at 04:15:18PM -0000, Martin Pitt wrote:
> Restoring back to xorg (for updating the hook) and apport (for providing
> better API).

What is your recommendation for how we can work around this in the hook?
(Or should I wait for the better API?)

Martin Pitt (pitti) wrote :

Bryce Harrington [2011-02-15 20:16 -0000]:
> What is your recommendation for how we can work around this in the hook?

You need to cat all gdm log files at once, and then pick them apart
yourself (or just store them in one key).

I have to think about how to run multiple programs and store their
individual outputs in one go. I have an idea, but it will take some
more effort to implement. I hope I can get to that in the next week,
though.

--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)

Martin Pitt (pitti) wrote :

Fixed upstream. I added a new method

def attach_root_command_outputs(report, command_map):
    '''Execute multiple commands as root and put their outputs into report.

    command_map is a keyname -> 'shell command' dictionary with the commands to
    run. They are all run through /bin/sh, so you need to take care of shell
    escaping yourself. To include stderr output of a command, end it with
    "2>&1".

    Just like root_command_output() this will use gksu, kdesudo, or sudo for
    gaining root privileges, depending on the running desktop environment.

    This is preferrable to using root_command_output() multiple times, as that
    will ask for the password every time.
    '''

Changed in apport (Ubuntu):
status: Triaged → Fix Committed
Martin Pitt (pitti) wrote :

This patch against the current hook uses the new API. Bryce, as I can't commit to the xorg git, would you mind committing/uploading this yourself? Thanks!

Martin Pitt (pitti) on 2011-02-16
Changed in xorg (Ubuntu):
assignee: Martin Pitt (pitti) → Bryce Harrington (bryce)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 1.18-0ubuntu1

---------------
apport (1.18-0ubuntu1) natty; urgency=low

  [ Martin Pitt ]
  * New upstream release:
    - Ensure that symptom scripts define a run() function, and don't show them
      if not.
    - Do not show symptom scripts which start with an underscore. These can be
      used for private libraries for the actual symptom scripts.
    - Update bash completion. Thanks Philip Muškovac.
    - etc/default/apport: Remove obsolete "maxsize" setting. (LP: #719564)
    - Remove explicit handling of KDE *.ui files in setup.py, as
      python-distutils-extra 2.24 fixes this. Bump version check.
    - hookutils.py: Add attach_root_command_outputs() to run several commands
      at once. This avoids asking for the password several times.
      (LP: #716595)
  * debian/apport.postinst: Add missing debhelper token.
  * debian/rules: Drop dump_acpi_tables.py chmod workaround, it's upstream now
    and has the proper permissions.
  * Add etc/apport/blacklist.d/apport and drop the creation of it in
    /debian/rules. This is easier to maintain and more obvious. Also move
    README.blacklist from python-apport to apport, it fits better there.
  * etc/apport/blacklist.d/apport: Add the binaries of nspluginwrapper, as we
    can't do anything about them anyway. (LP: #717468)

  [ Brian Murray ]
  * data/package-hooks/source_linux.py: Properly set regression-release tag if
    the reporter chooses "I do not know".
 -- Martin Pitt <email address hidden> Wed, 16 Feb 2011 14:29:36 +0100

Changed in apport (Ubuntu):
status: Fix Committed → Fix Released
tags: added: patch
Bryce Harrington (bryce) on 2011-02-17
Changed in xorg (Ubuntu):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xorg - 1:7.6~3ubuntu5

---------------
xorg (1:7.6~3ubuntu5) natty; urgency=low

  * apport/source_xorg.py:
    - Add 'locale' information (for keyboards)
    - Drop 'glxinfo' since it's been demoted to universe (LP: #714784)
    - Switch to new attach_root_command_outputs() call. Prevents prompting
      for password 3 times for 3 gdm files (thanks Pitti!) (LP: #716595)
 -- Bryce Harrington <email address hidden> Thu, 17 Feb 2011 11:42:58 -0800

Changed in xorg (Ubuntu):
status: Fix Committed → Fix Released
Avi Greenbury (bigreds) wrote :

I still get this sort of behaviour - I was asked once for a password for the video data and again for the data for my kernel. This is on 12.04 when Compiz crashed.

Bryce Harrington (bryce) wrote :

On Thu, Feb 09, 2012 at 06:27:11PM -0000, Avi Greenbury wrote:
> I still get this sort of behaviour - I was asked once for a password for
> the video data and again for the data for my kernel. This is on 12.04
> when Compiz crashed.

The way apport works, it can't hold onto the root password between
function calls. This bug was "solved" by attaching all three gdm files
in one function call.

However, the display manager data and the kernel data require separate
function calls, and since both require sudo to do so, you get prompted
twice. Still an undesired behavior, but not this bug.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers