Bug 1653023
| Summary: | PAM update in F30 breaks sudo | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Stephen Gallagher <sgallagh> |
| Component: | pam | Assignee: | Björn 'besser82' Esser <besser82> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | urgent | Docs Contact: | |
| Priority: | high | | |
| Version: | rawhide | CC: | besser82, lslebodn, ngompa13, puiterwijk, robatino, sgallagh, tmraz |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | pam-1.3.1-10.fc30 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-11-25 13:37:47 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1574713 | | |

Description
Stephen Gallagher
2018-11-24 16:20:16 UTC
Proposed as a Blocker for 30-beta by Fedora user sgallagh using the blocker tracking app because:

I'm not sure which specific criterion to cite, as non-functional "sudo" breaks a huge swath of administrative functionality. I suppose "The installed system must be able appropriately to install, remove, and update software with the default console tool for the relevant software type (e.g. default console package manager). This includes downloading of packages to be installed/updated." might be appropriate, since if you didn't set a root password in Anaconda, it will be impossible to run `dnf install` or `dnf update`.

And a little bit more verbose output

Before upgrade:

```
[build@4ed54a2218eb tmp]$ sudo su -c "ls /root"
anaconda-ks.cfg  anaconda-post.log  original-ks.cfg
[build@4ed54a2218eb tmp]$ sudo -l
Matching Defaults entries for build on 4ed54a2218eb:
    !visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User build may run the following commands on 4ed54a2218eb:
    (ALL : ALL) NOPASSWD: /usr/bin/dnf --assumeyes --best --setopt\=install_weak_deps\=False install -- *
```

Upgrade:

```
[build@4ed54a2218eb tmp]$ sudo su -c "dnf update -y pam\*"
Last metadata expiration check: 0:01:07 ago on Sat Nov 24 18:32:24 2018.
Dependencies resolved.
================================================================================
 Package           Arch           Version                 Repository       Size
================================================================================
Upgrading:
 pam               x86_64         1.3.1-9.fc30            rawhide         629 k
 pam-devel         x86_64         1.3.1-9.fc30            rawhide         148 k

Transaction Summary
================================================================================
Upgrade  2 Packages

Total download size: 778 k
Downloading Packages:
(1/2): pam-devel-1.3.1-9.fc30.x86_64.rpm         65 kB/s | 148 kB     00:02
(2/2): pam-1.3.1-9.fc30.x86_64.rpm              204 kB/s | 629 kB     00:03
--------------------------------------------------------------------------------
Total                                           252 kB/s | 778 kB     00:03
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Upgrading        : pam-1.3.1-9.fc30.x86_64                                1/4
  Running scriptlet: pam-1.3.1-9.fc30.x86_64                                1/4
  Upgrading        : pam-devel-1.3.1-9.fc30.x86_64                          2/4
  Cleanup          : pam-devel-1.3.1-8.fc30.x86_64                          3/4
  Cleanup          : pam-1.3.1-8.fc30.x86_64                                4/4
  Running scriptlet: pam-1.3.1-8.fc30.x86_64                                4/4
  Verifying        : pam-1.3.1-9.fc30.x86_64                                1/4
  Verifying        : pam-1.3.1-8.fc30.x86_64                                2/4
  Verifying        : pam-devel-1.3.1-9.fc30.x86_64                          3/4
  Verifying        : pam-devel-1.3.1-8.fc30.x86_64                          4/4

Upgraded:
  pam-1.3.1-9.fc30.x86_64            pam-devel-1.3.1-9.fc30.x86_64

Complete!
```

And broken after upgrade:

```
[build@4ed54a2218eb tmp]$ sudo -l
Matching Defaults entries for build on 4ed54a2218eb:
    !visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User build may run the following commands on 4ed54a2218eb:
    (ALL : ALL) NOPASSWD: /usr/bin/dnf --assumeyes --best --setopt\=install_weak_deps\=False install -- *
    (ALL : ALL) NOPASSWD: /bin/su
[build@4ed54a2218eb tmp]$ sudo su -c "ls /root"
sudo: pam_open_session: System error
sudo: policy plugin failed session initialization
```

(In reply to Stephen Gallagher from comment #0)
> Actual results:
> The first sudo works fine. After updating PAM, it returns "sudo: Password
> expired, contact your system administrator"
>

In both cases, it happens in container and I can say that build user does not have any password. It works well if user has password but use is used with NOPASSWD so it is not required.

Can you please check and confirm the issue is solved (and no other regressions are introduced) with this [1] scratch build?

[1] https://koji.fedoraproject.org/koji/taskinfo?taskID=31094383

I can confirm that the scratch-build fixes this issue. Can we get that into a proper build ASAP? As noted in the original post, numerous CI systems depend on sudo working on the Rawhide container image, so it would be good to land this in the Rawhide compose right away (and adjust it later if the upstream review results in changes).

Thank you for testing and confirming the fix, Stephen! "Real" build for Rawhide is running. I just wanted to wait for an external confirmation before pulling the trigger.