242065 – kdm overwrites ~/.Xauthority with wrong SELinux context on logout

Bug 242065 - kdm overwrites ~/.Xauthority with wrong SELinux context on logout

Summary: kdm overwrites ~/.Xauthority with wrong SELinux context on logout

Status:	RESOLVED UNMAINTAINED

Alias:	None

Product:	kdm
Classification:	Unmaintained
Component:	general (show other bugs)
Version:	unspecified
Platform:	Fedora RPMs Linux

Importance:	NOR normal
Target Milestone:	---
Assignee:	kdm bugs tracker

URL:
Keywords:

Depends on:
Blocks:

Reported:	2010-06-18 13:05 UTC by kavol
Modified:	2018-04-16 20:23 UTC (History)
CC List:	3 users (show)

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Attachments
bail out of removeUserAuthorization if d->forceUserAuthDir set (712 bytes, patch) 2012-01-03 20:51 UTC, Rex Dieter	Details
View All Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description kavol 2010-06-18 13:05:34 UTC

Version: unspecified (using Devel)
OS: Linux

On logout, kdm overwrites file ~/.Xauthority with wrong SELinux contexts, thus preventing e.g. ssh daemon to write xauth data into it when logging over ssh with X forwarding enabled. As a consequence, X programs cannot be run over ssh due to wrong credentials.

Reproducible: Always

Steps to Reproduce:
1. Install a system with SELinux enabled - I've done my testing on Fedora (12, 13).
2. Log in via ssh with X forwarding enabled, log out.
3. Log in locally via kdm, log out.
4. Log in via ssh again.

Actual Results:
2.
$ ssh -p 2222 virtual@localhost
virtual@localhost's password:
Last login: Fri Jun 18 12:45:23 2010 from 10.0.2.2
/usr/bin/xauth: creating new authority file /home/virtual/.Xauthority
[virtual@virtual ~]$ ls -lZ .Xauthority
-rw-------. virtual virtual unconfined_u:object_r:xauth_home_t:s0 .Xauthority

4.
$ ssh -p 2222 virtual@localhost
virtual@localhost's password:
Last login: Fri Jun 18 12:54:04 2010
/usr/bin/xauth: /home/virtual/.Xauthority not writable, changes will be ignored
[virtual@virtual ~]$ ls -lZ .Xauthority
-rw-------. virtual virtual system_u:object_r:xdm_home_t:s0 .Xauthority

Expected Results:
xauth should be able to write to ~/.Xauthority - the selinux type should not change from xauth_home_t to xdm_home_t

This was originally reported as Fedora bug #567914 (https://bugzilla.redhat.com/show_bug.cgi?id=567914)

Based on comments #15 and #16, it seems the real cause of the problem is that under some circumstances, kdm uses ~/.Xauthority instead of an authority file put into /var/run/kdm dir.

Note, the bugzilla field KDE Version does not allow me to specify KDE 4.4.4 - the package version I've just verified the bug presence with is kdm-4.4.4-1.fc13.x86_64

Comment 1 Oswald Buddenhagen 2010-07-31 21:44:24 UTC

the reason for that is pretty obvious and not particularly unexpected: kdm (like xdm) just creates a new file with the modified contents and then renames it over the old file, having absolutely no knowledge of selinux. wouldn't it be the task of pam_selinux to set up things appropriately, so kdm doing its normal thing would Just Work?

Comment 2 Oswald Buddenhagen 2010-10-24 18:23:31 UTC

i'll close this wontfix if no interested party investigates the correct solution.

Comment 3 ramesses21 2011-12-16 05:17:26 UTC

I am having this same problem with F16 kdm-4.7.2-14. After working on this problem with some members of fedora forum, it was brought to my attention this is a bug and I feel that many people would like to see it fixed. However I think the selinux context label of ~/.Xauthority is actually changed on log-in. To view the thread I started at fedora forum visit http://forums.fedoraforum.org/showthread.php?t=271762&page=3

Comment 4 Rex Dieter 2011-12-16 12:49:33 UTC

For what it's worth, fedora now defaults to kdmrc including:
UserAuthDir=/var/run/kdm
ForceUserAuthDir=true

so, I'm a little surprised how this (problems with ~/.Xauthority) is still happening in some cases.

Comment 5 Rex Dieter 2012-01-03 19:53:14 UTC

Digging further, I think I see in auth.c, a case where StartuserAuth gets called unconditionally from removeuserAuthorization , which seems to match up with symptoms reported where a mysterious (and empty)
~/.Xauthority
gets created on log out.

Comment 6 Rex Dieter 2012-01-03 20:34:24 UTC

So, I think I've discovered a side-effect, that removeUserAuthorization doesn't process anything != ~/.Xauthority

Not sure how bad that is... though, given that this behavior has been around for quite awhile, maybe not so much.

so, for now, I'm going to simply try to make removeUserAuthorization bail out if forceUserAuthDir is true (could add extra paranoia, say if XAUTHORITY env is also set)

Comment 7 Rex Dieter 2012-01-03 20:51:52 UTC

Created attachment 67412 [details]
bail out of removeUserAuthorization if d->forceUserAuthDir set

Initial and naive workaround.  I'm guessing removeUserAuthorization probably ought to handle != ~/.Xauthority too

Comment 8 Alex Lushpai 2014-10-02 09:52:36 UTC

KDE 4.14
problem still here

Comment 9 Rex Dieter 2014-10-02 18:10:28 UTC

Alex, you're experiencing this bug on fedora?  If not, I'd encourage you to consider configuring kdmrc per comment #4 and apply the patch from comment #7

Comment 10 Alex Lushpai 2014-10-03 09:52:06 UTC

Hi Rex!
I'm using Debian Jessie, already try config from comment #4, it does not working.
I'll try to apply the patch in the next 2-3 days.

Comment 11 Nate Graham 2018-04-16 20:23:03 UTC

KDM is unmaintained and not used in KDE Plasma 5.

SDDM is the login manager used in KDE Plasma 5. If you still have this same issue with SDDM, please file an issue on the SDDM bugtracker (after doing a search for existing issues first!): https://github.com/sddm/sddm/issues/