
What were you trying to do that didn't work?

Bug related to the issue. Errata came on RHEL 8.4 - [1866866 - PAM can't identify the user when running via gnome-terminal in an X session](https://bugzilla.redhat.com/show_bug.cgi?id=1866866)

However, something changed and the behavior is still present.

Please provide the package NVR for which bug is seen:

RHEL8.5: pam 1.3.1-15.el8 - correct behaviour
RHEL9.1: 1.5.1-12.el9 and 1.5.1-15.el9 (9.3) exhibit the same problem

Steps to Reproduce:

1. Create "testuser" user and set password

2. Configure "testuser" user in sudoers to be able to sudo without password:
---
testuser ALL=(ALL) NOPASSWD: ALL
---

3. Configure pam.d/sudo to verify the account based on group membership, for example comment out "#account include system-auth" and replace with:
---
account sufficient pam_wheel.so trust group=users debug
---

4. Add the below line to /etc/pam.d/su
---
account sufficient pam_wheel.so trust group=users debug
---

5. Add user to users group: usermod -G users testuser

6. Ssh into the machine as "testuser" and issue "sudo su" or any "sudo <command>" and verify you can elevate successfully

Evidence:

RHEL 8.8
~~~
PAM Config

[testuser@winbind ~]$ cat /etc/pam.d/sudo
#%PAM-1.0
#auth include system-auth
account sufficient pam_wheel.so trust group=users debug
account include system-auth
password include system-auth
session include system-auth

[testuser@winbind ~]$ cat /etc/pam.d/su
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_rootok.so
account sufficient pam_wheel.so trust group=users debug
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so

Secure logs

Nov 14 13:37:44 winbind sshd[12902]: Accepted password for testuser from 192.168.122.1 port 37124 ssh2
Nov 14 13:37:44 winbind sshd[12902]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Nov 14 13:38:01 winbind sudo[12957]: pam_wheel(sudo:account): Access granted to 'testuser' for 'testuser'
Nov 14 13:38:01 winbind sudo[12957]: testuser : TTY=pts/1 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/su
Nov 14 13:38:01 winbind sudo[12957]: pam_unix(sudo:session): session opened for user root by testuser(uid=0)
Nov 14 13:38:01 winbind su[12958]: pam_wheel(su:account): Access granted to 'testuser' for 'root'
Nov 14 13:38:01 winbind su[12958]: pam_unix(su:session): session opened for user root by testuser(uid=0)

ssh from an external terminal

Nov 14 13:42:46 winbind sshd[13443]: Accepted password for testuser from 192.168.122.1 port 52170 ssh2
Nov 14 13:42:46 winbind systemd[13449]: pam_unix(systemd-user:session): session opened for user testuser by (uid=0)
Nov 14 13:42:46 winbind sshd[13443]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Nov 14 13:42:46 winbind sudo[13482]: pam_wheel(sudo:account): Access granted to 'testuser' for 'testuser'
Nov 14 13:42:46 winbind sudo[13482]: testuser : TTY=unknown ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/su
Nov 14 13:42:46 winbind sudo[13482]: pam_unix(sudo:session): session opened for user root by (uid=0)
Nov 14 13:42:46 winbind su[13513]: pam_wheel(su:account): Access granted to 'testuser' for 'root'
Nov 14 13:42:46 winbind su[13513]: pam_unix(su:session): session opened for user root by (uid=0)
~~~

RHEL 9.3
~~~
PAM Config

[testuser@rhel91 ~]$ cat /etc/pam.d/sudo
#%PAM-1.0
#auth include system-auth
account sufficient pam_wheel.so trust group=users debug
account include system-auth
password include system-auth
session include system-auth

[testuser@rhel91 ~]$ cat /etc/pam.d/su
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_rootok.so
account sufficient pam_wheel.so trust group=users debug
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so

Secure logs

Nov 14 13:37:44 rhel91 sshd[9950]: Accepted password for testuser from 192.168.122.1 port 48546 ssh2
Nov 14 13:37:44 rhel91 sshd[9950]: pam_unix(sshd:session): session opened for user testuser(uid=1001) by (uid=0)
Nov 14 13:38:01 rhel91 sudo[9998]: pam_wheel(sudo:account): Access granted to 'testuser' for 'testuser'
Nov 14 13:38:01 rhel91 sudo[9998]: testuser : TTY=pts/1 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/su
Nov 14 13:38:01 rhel91 sudo[9998]: pam_unix(sudo:session): session opened for user root(uid=0) by testuser(uid=1001)
Nov 14 13:38:01 rhel91 su[9999]: pam_wheel(su:account): Access granted to 'testuser' for 'root'
Nov 14 13:38:01 rhel91 su[9999]: pam_unix(su:session): session opened for user root(uid=0) by testuser(uid=0)

ssh from an external terminal

Nov 14 13:42:46 rhel91 sshd[10340]: Accepted password for testuser from 192.168.122.1 port 53194 ssh2
Nov 14 13:42:46 rhel91 systemd[10346]: pam_unix(systemd-user:session): session opened for user testuser(uid=1001) by (uid=0)
Nov 14 13:42:46 rhel91 sshd[10340]: pam_unix(sshd:session): session opened for user testuser(uid=1001) by (uid=0)
Nov 14 13:42:46 rhel91 sudo[10381]: pam_wheel(sudo:account): Access granted to 'testuser' for 'testuser'
Nov 14 13:42:46 rhel91 sudo[10381]: testuser : PWD=/home/testuser ; USER=root ; COMMAND=/bin/su
Nov 14 13:42:46 rhel91 sudo[10381]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1001)
Nov 14 13:42:46 rhel91 su[10406]: pam_wheel(su:account): Access denied to 'root' for 'root' ----> pam_wheel is not picking up the original UID like in RHEL8.8 and it's recognising the user as root, it is then denying access.
Nov 14 13:42:46 rhel91 su[10406]: pam_unix(su:session): session opened for user root(uid=0) by (uid=0)
~~~

The issue is reproduced only when we ssh from an external machine; even when the message said it is denied, the sudo su worked, i.e.:

external host: ssh testuser@machine "sudo su"

Customer words:

Ultimately, the situation is that rules that use pam_wheel and are supposed to authorise and deny the user based on the original UID are not working. This is arguably worse than what was happening before 1.3.1-14.el8 where at least it was failing and denying access while now it's wrongly assigning root identity as the original UID, granting access to users who should be denied.
Done-Errata
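
To audit hosts for the pattern shown in the RHEL 9.3 log above (pam_wheel logs "Access denied" for a process that then opens a session anyway), the following correlates the two messages by host, process name and PID. It is an added example, not part of the original report or of pam; the function name and the sample lines (modelled on the report's log excerpts) are constructed for illustration.

```python
import re

# Constructed sample modelled on the "secure" log excerpts in the report.
SAMPLE_LOG = """\
Nov 14 13:42:46 winbind su[13513]: pam_wheel(su:account): Access granted to 'testuser' for 'root'
Nov 14 13:42:46 winbind su[13513]: pam_unix(su:session): session opened for user root by (uid=0)
Nov 14 13:42:46 rhel91 sudo[10381]: pam_wheel(sudo:account): Access granted to 'testuser' for 'testuser'
Nov 14 13:42:46 rhel91 sudo[10381]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1001)
Nov 14 13:42:46 rhel91 su[10406]: pam_wheel(su:account): Access denied to 'root' for 'root'
Nov 14 13:42:46 rhel91 su[10406]: pam_unix(su:session): session opened for user root(uid=0) by (uid=0)
"""

# Syslog prefix: "Mon DD HH:MM:SS host proc[pid]: message"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# pam_wheel debug verdict: first quoted name is the caller, second the target.
WHEEL = re.compile(r"pam_wheel\((?P<svc>[^:]+):account\): Access (?P<verdict>granted|denied) "
                   r"to '(?P<caller>[^']*)' for '(?P<target>[^']*)'")
OPENED = re.compile(r"pam_unix\((?P<svc>[^:]+):session\): session opened for user (?P<user>[^\s(]+)")


def find_denied_but_opened(log_text):
    """Return one finding per process where pam_wheel denied the account
    check and pam_unix later opened a session for the same PAM service."""
    denied = {}      # (host, proc, pid) -> (service, caller, target)
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        key = (m["host"], m["proc"], m["pid"])
        w = WHEEL.search(m["msg"])
        if w:
            if w["verdict"] == "denied":
                denied[key] = (w["svc"], w["caller"], w["target"])
            continue
        o = OPENED.search(m["msg"])
        if o and key in denied and denied[key][0] == o["svc"]:
            svc, caller, target = denied.pop(key)
            findings.append({"host": key[0], "proc": key[1], "pid": int(key[2]),
                             "service": svc, "caller": caller, "target": target,
                             "session_user": o["user"]})
    return findings


if __name__ == "__main__":
    for f in find_denied_but_opened(SAMPLE_LOG):
        print(f)
```
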