YaST modules fail to start from within yast2

This document (7008908) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Desktop 11 Service Pack 1
SUSE Linux Enterprise Server 11 Service Pack 1

Situation

After updating libgnomesu to version 1.0.0-307.8.1, the graphical version of YaST (yast2) fails to launch individual modules when running under Gnome when logged in as a user other than root. When logged in as the root user the YaST menu selection will not launch the Control Center at all. If yast2 is started from a terminal, the following message may be seen:

** (y2controlcenter-gnome:22962): WARNING **: error accessing /apps/yast-control-center/cc_exit_shell_on_action_start
 [Failed to contact configuration server; some possible causes are that you need to enable TCP/IP networking
 for ORBit, or you have stale NFS locks due to a system crash. See http://projects.gnome.org/gconf/ for information.
 (Details -  1: Failed to get connection to session: Did not receive a reply. Possible causes include: the remote
 application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired,
 or the network connection was broken.)]

Resolution

To resolve this problem, edit the /root/.xauth/export file and add 'root' to the list of users. The final version of this file should appear as follows:

# cat /root/.xauth/export
  suse-ncc
  root

Alternative method to resolve:

  -zypper in libgnomesu-1.0.0-307.5.12
 -Take option 1 to downgrade the package
 -Logout, then back in and it should work.

Additional Information

The root of this issue is the use of pam_xauth by libgnomesu to pass X authority to processes. When running yast2, the user is prompted for root credentials and libgnomesu changes credentials. This initial user switch also passes the authority (or ability) to write to the user's graphical environment to the root user. However, when individual YaST modules are called, this X authority is not being passed to sub-processes. Adding 'root' to the /root/.xauth/export file allows this and resolves the problem.

More applicable pam debug messages can be seen by editing /etc/pam.d/gnomesu-pam, and adding 'debug' after pam_xauth.so. This debug setting writes the following messages to /var/log/messages during a failure:

gnomesu-pam-backend: pam_xauth(gnomesu-pam:session): requesting user 1000/100, target user 0/0
gnomesu-pam-backend: pam_xauth(gnomesu-pam:session): /home/jdoe/.xauth/export does not exist, ignoring
gnomesu-pam-backend: pam_xauth(gnomesu-pam:session): /root/.xauth/import does not exist, ignoring
gnomesu-pam-backend: pam_xauth(gnomesu-pam:session): reading keys from `/var/run/gdm/auth-for-jdoe-d2Nfrs/database'
gnomesu-pam-backend: pam_xauth(gnomesu-pam:session): running "/usr/X11R6/bin/xauth -f /var/run/gdm/auth-for-jdoe-d2Nfrs/database nlist :0.0" as 1000/100
gnomesu-pam-backend: pam_xauth(gnomesu-pam:session): writing key `0100 00096c6f63616c686f7374 0001 30 0012 4d49542d4d414749432d434f4f4b49452d31 0010 2c1157787535f34af96c25beb8fd7d39 ' to temporary file `/root/.xauthAjHi2t'
gnomesu-pam-backend: pam_xauth(gnomesu-pam:session): running "/usr/X11R6/bin/xauth -f /root/.xauthAjHi2t nmerge -" as 0/0
gnomesu-pam-backend: pam_xauth(gnomesu-pam:session): requesting user 0/0, target user 0/0
gnomesu-pam-backend: pam_xauth(gnomesu-pam:session): root not listed in /root/.xauth/export

This problem was introduced by a change in libgnomesu to use pam_xauth instead of setting X credentials. The work around of requiring 'root' in /root/.xauth/export has been reported as a bug, which is expected to be resolved in a future maintenance patch for SLE11 SP1.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.