[Mageia-discuss] beta2 woes and no graphical root (tonyb)

Frank Griffin ftg at roadrunner.com
Fri Apr 13 17:11:54 CEST 2012


On 04/13/2012 09:33 AM, Oliver Burger wrote:
> And as I did say in this thread. I don't see any action by our KDE 
> team to this effect. Ok, I only scanned over the patches, but I read 
> the changelog and I saw no sign of anyone patching KDM to ignore it.
> So be annoyed with KDE upstream for this change, not with our KDE 
> maintainers.
>
> Of course if someone does find a patch on our side, that does it, feel 
> free to correct me.

OK, just to be definitive, I activated KDM, set AllowRootLogin to true, 
and tried and failed to login as root.  However, KDM may not be the 
culprit.  From /var/log/auth.log:

Here's me logging on as root from a tty to do "service dm restart" (I 
was previously using GDM):

Apr 13 10:13:18 localhost login: pam_tcb(login:auth): Authentication passed for root from LOGIN(uid=0)
Apr 13 10:13:18 localhost login: pam_tcb(login:session): Session opened for root by root(uid=0)
Apr 13 10:13:18 localhost login: ROOT LOGIN ON tty3
Apr 13 10:13:23 localhost polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session3 (system bus name :1.320, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

Now here's two attempts at graphical login as root, followed by a 
successful one as ftg:

Apr 13 10:13:38 localhost kdm: :0[22087]: pam_succeed_if(kdm:auth): requirement "user ingroup nopasswdlogin" not met by user "root"
Apr 13 10:13:38 localhost kdm: :0[22087]: pam_tcb(kdm:auth): Authentication passed for root from (uid=0)
Apr 13 10:13:47 localhost kdm: :0[22087]: pam_succeed_if(kdm:auth): requirement "user ingroup nopasswdlogin" not met by user "root"
Apr 13 10:13:47 localhost kdm: :0[22087]: pam_tcb(kdm:auth): Authentication passed for root from (uid=0)
Apr 13 10:13:58 localhost kdm: :0[22087]: pam_succeed_if(kdm:auth): requirement "user ingroup nopasswdlogin" not met by user "ftg"
Apr 13 10:13:58 localhost kdm: :0[22087]: pam_tcb(kdm:auth): Authentication passed for ftg from (uid=0)
Apr 13 10:13:58 localhost kdm: :0[22087]: pam_tcb(kdm:session): Session opened for ftg by ftg(uid=0)

Note that in the tty login for root and the graphical login for ftg, 
there are pam_tcb(kdm:session) entries, while there are none for the 
failed graphical root logins.

It's still possible that this is being done by KDM, but googling turns 
up nothing about AllowRootLogin being dropped by upstream.  On the 
contrary, "true" is the default on OpenSUSE and you can find here:

http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=7007124&sliceId=1&docTypeID=DT_TID_1_1

an open bug in the Novell bugtracker complaining that root login is 
still possible even if you set AllowRootLogin to false, because some 
SUSE-specific script sets it back to true.

So, I don't think this was an upstream KDM change.  From the above, it's 
probably something in pam, so let's look there:

[root@ftgme2 ftg]# cat /etc/pam.d/kdm
#%PAM-1.0
auth       required    pam_env.so
auth       required    pam_succeed_if.so user != root quiet
auth       sufficient  pam_succeed_if.so user ingroup nopasswdlogin
auth       substack    system-auth
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    optional    pam_keyinit.so force revoke
session    required    pam_loginuid.so
session    include     system-auth
session    optional    pam_console.so
session    required    pam_namespace.so
[root@ftgme2 ftg]#

Well, well.  Turns out this file is owned by mageia-kde4-config-common.
And it also turns out that if you comment out that third line, graphical 
root login works just fine.

Looking in the changelog, one finds:

         * Thu Sep 22 2011 mikala <mikala> 2-0.20110921.1.mga2
         + Revision: 146549
         - Use directory.trash to create the trash.desktop & remove SOURCE4
         - Fix rpmlint warnings
          - use dolphin as a temporary workaround for Home2.desktop
         - Switch to oxygen instead of iaora for Default & Netbook config file
         - Add pam files for kdm,kcheckpass & kscreensaver in common config file
         - Update version to 2 (we're on Mageia 2)
         - Add mgabutton as symlink for start-here-kde in the vanilla theme to have the « upstream » icon since we're patching kdebase4-workspace
         - Fix Provides for common package
         - Update tarball to fix default kdm & ksplash for vanilla flavour
         - Use correct prefix for vanilla
         - Follow luc menut suggestion for kde prefix use
         - More progress on  vanilla flavour :
          - move configurations files from common to Default/netbook flavors
          - remove useless configuration files
          - sync dolphinuirc with upstream
          - fix alternatives for kde4-config & kdm-config vanilla flavour

Unfortunately, this doesn't say which package owned the pam files before 
that, so it's unclear whether they were changed before this.

So the OP wasn't dreaming, this wasn't an upstream policy change, and it 
was a deliberate decision on somebody's part here.  And now you know how 
to disable it if you want.
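
The log pattern pointed out in the message above (an "Authentication passed" entry that is never followed by "Session opened") can be checked for mechanically. The following is an added example, not part of the original post or of any Mageia package; the function name, the `services` filter and the embedded sample (the quoted log lines, unwrapped) are constructed for illustration.

```python
import re

# Constructed sample: auth.log lines in the format quoted in the message, one entry per line.
SAMPLE_LOG = """\
Apr 13 10:13:18 localhost login: pam_tcb(login:auth): Authentication passed for root from LOGIN(uid=0)
Apr 13 10:13:18 localhost login: pam_tcb(login:session): Session opened for root by root(uid=0)
Apr 13 10:13:38 localhost kdm: :0[22087]: pam_tcb(kdm:auth): Authentication passed for root from (uid=0)
Apr 13 10:13:47 localhost kdm: :0[22087]: pam_tcb(kdm:auth): Authentication passed for root from (uid=0)
Apr 13 10:13:58 localhost kdm: :0[22087]: pam_succeed_if(kdm:auth): requirement "user ingroup nopasswdlogin" not met by user "ftg"
Apr 13 10:13:58 localhost kdm: :0[22087]: pam_tcb(kdm:auth): Authentication passed for ftg from (uid=0)
Apr 13 10:13:58 localhost kdm: :0[22087]: pam_tcb(kdm:session): Session opened for ftg by ftg(uid=0)
"""

# Matches only the two events being correlated; every other PAM line is ignored.
EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ .*?"
    r"pam_\w+\((?P<service>[\w-]+):(?:auth|session)\): "
    r"(?P<what>Authentication passed|Session opened) for (?P<user>\S+)"
)

def orphaned_auths(log_text, services=None):
    """Return sorted (timestamp, service, user) tuples for password checks that
    passed but were not followed by a session open for the same service/user.

    Pass `services` (a set of PAM service names) to limit the check to login
    services; services that only authenticate (screen lockers, for example)
    never open a session and would otherwise always be reported.
    """
    pending = {}   # (service, user) -> timestamp of an auth still awaiting a session
    orphans = []
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m or (services and m["service"] not in services):
            continue
        key = (m["service"], m["user"])
        if m["what"] == "Authentication passed":
            if key in pending:   # previous attempt was retried, so it got no session
                orphans.append((pending[key], *key))
            pending[key] = m["ts"]
        else:
            pending.pop(key, None)   # session opened: the attempt completed
    orphans.extend((ts, *key) for key, ts in pending.items())
    return sorted(orphans)

if __name__ == "__main__":
    for ts, service, user in orphaned_auths(SAMPLE_LOG):
        print(f"{ts}: {service} authenticated {user} but no session was opened")
```

In the /etc/pam.d/kdm file shown above, the `user != root` rule carries `quiet`, so pam_succeed_if logs nothing when it rejects root, and because the rule is `required` rather than `requisite` the rest of the auth stack still runs and pam_tcb logs its own success.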

