graphical root login no longer allowed after update from KDE 4.5.0 to KDE 4.5.1

Hello everybody,

after updating my KDE 4.5.0 to KDE 4.5.1 (on openSUSE 11.3) the KDM no longer allows to login graphically as root. But to login as user and doing administrative stuff via kdesu/su/sudo + root password is possible. I know that it is a security risk to fully login as root but sometimes it more convient to login once instead of starting every single action with su etc + password. I searched in Yast and also in the KDE systemsettings for an option to switch off this behaviour but I didn`t find any. Via Google I font the hint to set the variable AllowRootLogin=false to AllowRootLogin=true in the file kdmrc. Since I didn’t know which kdmrc is the right one, I changed the variable in all versions I found:

/usr/share/kde4/config/kdm/kdmrc
/usr/share/kde4/config/kdm/kdmrc.rpmnew
/var/adm/kdm/kdmrc.sysconfig

Nevertheless these changes are ignored and in /var/adm/kdm/kdmrc.sysconfig AllowRootLogin=true is automatically set back to AllowRootLogin=false.

What do I have to get back the old behaviour?

Thanks in advance
Jörn Behre

jbehre wrote:
> I know that it is a security risk to fully login as root

it is more than just a security risk, you should never log into
KDE/Gnome/XFCE or any other *nix-like graphical user interface desktop
environment as root…

doing so 1) opens you up to several different security problems, 2)
too many too easy ways to damage your system no matter how careful
your actions (example: just browsing in your home directory while
logged into KDE/Gnome/etc as root can lock you out later as yourself
due to permissions damage), 3) and, anyway logging into KDE/etc as
root is never required to do any and all administrative duties…

so, always log in as yourself, and “become root” by using a root
powered application (like YaST, File Manager Superuser Mode) or using
“su -”, sudo, kdesu, or gnomesu in a terminal to launch whatever tool
is needed (like Kwrite to edit a config file)…read more on all that
here:

http://en.opensuse.org/SDB:Login_as_root
http://docs.kde.org/stable/en/kdebase-runtime/userguide/root.html
http://tinyurl.com/ydbwssh
http://tinyurl.com/6ry6yd

> but sometimes it more convient to login once instead of starting every
> single action with su etc + password.

yes, there are lots of things in life which are more convenient if
done the wrong, more dangerous and/or less secure way…

like, it is easier to walk across the railroad tracks than to use the
pedestrian bridge over (or tunnel under) them…but !!

my opinion is: you are lucky that since the update you can no longer
easily do it wrong.

–
DenverD
CAVEAT: http://is.gd/bpoMD [posted via NNTP w/openSUSE 10.3]

I second DenverD, but I will use less words on it (he has his way of telling things and I have mine).

It is unneeded and stupid to log in as root. Triple so in a GUI. The first link in DenverD’s post tells you how to do things as root.

On all my former linux installations it was working to login as root and i crashed NONE of them by doing so!!
And to switch off this feature does NOT prevent me for killing my system. IF I want to do this, I can still login as user, open shell type in su + root password, and then rm -rf /
and everything would be dead !!
But since I’m a free man, I’m also free to do stupid things (IF I want to).
And therefore I want to have back the possibility to run KDE as root, independent of what security risk that represents.
If you want to remove everthing from this planet that can be misused, nothing would be left.
During the update from KDE 4.5.0 to KDE 4.5.1 somewhere an option was changed.
Is there anybody who wants to tell me, how to change that back?

Jörn Behre

hcvv wrote:
> (he has his way of telling things and I have mine).

heh! i’m afraid to use the word “stupid” as most already think i’m too
gruff…

–
DenverD
CAVEAT: http://is.gd/bpoMD [posted via NNTP w/openSUSE 10.3]

That is all nice and clear, but as for helping we often have to replay what you did to get any idea about what the problem is. And I refuse to do these things you do, thus I can not be of any help if you do not follow my advice given above. Also, with your habit, it is quite clear that anything can have happened to your system and even when you think the update did it, it could be quite a different thing hidden in the darkness of root misbehaviour.

jbehre wrote:
> But since I’m a free man, I’m also free to do stupid things (IF I want
> to).

i have no idea why you can no longer do the stupid things you want to
do, but if you really really want to do some more, just keep searching
until you find out how…

btw, sometimes logging in as root slightly changes small system
attributes so that things that used to work, no longer do…

so, maybe by logging in as root you caused exactly this ‘problem’ of
not being able to log in as root…

and the only way i know to correct it is to begin again…enjoy your
freedom to do it as you wish, but don’t expect competent help from
folks who also routinely log in as root–because they are as mystified
as you!

–
DenverD
CAVEAT: http://is.gd/bpoMD [posted via NNTP w/openSUSE 10.3]

to: jbehre

All you have to do is select another display manager: in /etc/sysconfig/displaymanager, change
DISPLAYMANAGER=“kdm”
to
DISPLAYMANAGER=“xdm”
or “gdm” or “lxdm” or something else you happen to have installed

to: all the others who did not ANSWER the original question:

It is MY PC and if I want to do something with it, even if somebody else think that’s stupid, I will still want to do it.
And since the Linux is all about freedom of choice, I choose to work on MY computer(s) as ROOT, as I have been doing for past 15 years (and never had any problems just because I was root).

Синиша Бандин

You are certainly welcome to mess up your machine any way you want. But Logging into a GUI as root will hasten the problems. No one is stopping you. But when you do mess things up. You should at least understand what you did to mess it up and have a clue about how to repair it.

On 2010-09-11 16:06, jbehre wrote:
>
> Hello everybody,
>
> after updating my KDE 4.5.0 to KDE 4.5.1 (on openSUSE 11.3) the KDM no
> longer allows to login graphically as root. But to login as user and
> doing administrative stuff via kdesu/su/sudo + root password is
> possible. I know that it is a security risk to fully login as root but
> sometimes it more convient to login once instead of starting every
> single action with su etc + password.

I simply start an xterm, do “su -”, and then I start any root commands from there. The xterm will
not close till I say so, thus I can run as many commands as I need, as root (text or graphical).
Just remember to type an “&” after each graphical command.

> I searched in Yast and also in the
> KDE systemsettings for an option to switch off this behaviour but I
> didn`t find any. Via Google I font the hint to set the variable
> AllowRootLogin=false to AllowRootLogin=true in the file kdmrc. Since
> I didn’t know which kdmrc is the right one, I changed the variable in
> all versions I found:
>
> /usr/share/kde4/config/kdm/kdmrc
> /usr/share/kde4/config/kdm/kdmrc.rpmnew

The second one is the new configuration proposed by the update. It is not active. The first one is
the active one.

Hint: Run “rcrpmconfigcheck” after any update, on a terminal (xterm, konsole, whatever). It will
list all those changed/replaced/need attention configuration files after the update, a list you
should review one by one. Manually.

If a config has changed, it should be listed there. If the update has changed some default setting,
then you will not see it.

> /var/adm/kdm/kdmrc.sysconfig

This one do not touch, it is not a config, but a backup of some sort. I can’t say exactly as I don’t
have kde in this system.

> Nevertheless these changes are ignored and in
> /var/adm/kdm/kdmrc.sysconfig AllowRootLogin=true is automatically set
> back to AllowRootLogin=false.

Have a look in the directory “/etc/sysconfig/”, it could be there.

> What do I have to get back the old behaviour?

I suggest you have a look at log files.

–
Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” GM (Elessar))

On 2010-09-12 02:06, gogalthorp wrote:
>
> You are certainly welcome to mess up your machine any way you want. But
> Logging into a GUI as root will hasten the problems. No one is stopping
> you. But when you do mess things up. You should at least understand
> what you did to mess it up and have a clue about how to repair it.

If he has been doing that for 15 years, he is not a novice and knows the risks. His problem was not
his fault, it was caused by an update.

–
Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” GM (Elessar))

siny wrote:
> It is MY PC and if I want to do something with it, even if somebody
> else think that’s stupid, I will still want to do it.

you are, of course, welcome to do that…as far as i know no one here
is trying to take away your right to do whatever damage you wish to do
to your property…

but, if/when you have trouble doing what you want to do, you need to
then find someone with the experience of running as you do to have a
chance to know what might have happened…

there are so many variations of what might have been clobbered i
won’t take my time to try to help one recover from their own
persistent stupidity (and many others here take the same view)…

on the other hand, if you were to put together a interactive group of
folks who like to run as root, no matter the problems, that would be a
great idea as then you all would know how to help each other solve
permission problems, root kits, myriad little unexplainable problems
and etc…

–
DenverD
CAVEAT: http://is.gd/bpoMD [posted via NNTP w/openSUSE 10.3]

How could we? It is not realy a not wanting, but it is in an area we never reach.

The only thing we did was giving advice to somebody who we thought was innocent and unknowing. It is only after we gave our advice that he started telling he was a suicidal person (in his computer live) by his own free will. He may throw is system out of the window. But I can then not answer him when he comes here to ask how to get it running again.

First of all thanks to all, who really try to answer my question.
What made me huffy, is that although I wrote in the first post of this thread that I KNOW that logging in as root is a security risk, i got lots of “good advices” telling me what I know already, namely that this is a security risk and that I should be lucky that my update closed this security leck and so on and so on.
And just because I insisted to do something risky I’m now called a SUICIDAL PERSON!!! That’s NOT FAIR!
Why do you deny me to be responsible? I’m maybe not a linux expert but I’m a chemist by training and I know to treat dangerous things! Would you like it if I would call you suicidal just because you have probably a sharp and big knife for cooking in your kitchen that can of course also be misused ?

On 2010-09-12 10:36, hcvv wrote:
>
> siny;2221039 Wrote:
>>
>> to: all the others who did not ANSWER the original question:

> How could we? It is not realy a not wanting, but it is in an area we
> never reach.
>
> The only thing we did was giving advice to somebody who we thought was
> innocent and unknowing. It is only after we gave our advice that he
> started telling he was a suicidal person (in his computer live) by his
> own free will. He may throw is system out of the window. But I can then
> not answer him when he comes here to ask how to get it running again.

Hey people, calm down…

First, by simply login as root into a GUI does not risk a system. By using programs, and depending
on what you do, you might.

Second, by login as “user” and then doing “su” to root, you do risk wrecking your system >:-)

WHAAAAAT!?

X’-)

Yes, it is true. I explain: the environment is partially that of the calling user. Some programs,
running as root will save files to the home environment of that user, with root ownership, and the
same name as some critical user files. When the user comes back (another day) and tries to log into
kde (or gnome), he can’t… some of these problems have been solved (as bugs), some may not.

Which is why I always say: use “su -”, the dash is critical.

So, please, calm down. Don’t go up into smoke as soon as someone mentions “login as root”
It doesn’t mean immediate disaster. A novice user can wreck his system in many ways, be it “su-ing”
or “log-in”. In more ways by log-in, surely.

I would consider using konqueror or dolphin as root (su-ing or whatever) as a recipe for disaster
sooner or later. I don’t tell people this, but I do tell them to use “mc” instead.

Don’t go into flames - kindness is more effective

Encourage novices to not log in as root, yes, but don’t go into flames as soon as you hear that.
Don’t call people “words”

It is possible that the person involved knows what he is doing. Maybe he has many years of
experience, more than us. It is possible that the problem reported is not caused by that behaviour -
as in the current case, it seems that the update caused it. It is probably an intentional (or not)
change by developers.

–
Cheers / Saludos,

Carlos E. R.
(Using SuSE since 5.2, in 1998)

I solved the problem. I used this sunday to dig into linux depths and I guess I found the mistake now. First I followed Carlos’ hint:

> /usr/share/kde4/config/kdm/kdmrc
> /usr/share/kde4/config/kdm/kdmrc.rpmnew

The second one is the new configuration proposed by the update. It is not active. The first one is the active one.

Hint: Run “rcrpmconfigcheck” after any update, on a terminal (xterm, konsole, whatever). It will list all those changed/replaced/need attention configuration files after the update, a list you should review one by one. Manually.

rcrpmconfigcheck listed /usr/share/kde4/config/kdm/kdmrc.rpmnew as a file to pay attention to and since Carlos meant that this is the new configuration proposed by the update which is not active I decided to replace /usr/share/kde4/config/kdm/kdmrc with /usr/share/kde4/config/kdm/kdmrc.rpmnew (after making backups, of course). This change had no negative and no positve results, just that the new file gives many more options.
So I went on searching to find out why /var/adm/kdm/kdmrc.sysconfig is always set back to its old values and I found the script
/usr/share/kde4/apps/kdm/read_sysconfig.sh
that is parsing the files /etc/sysconfig/displaymanager , /etc/sysconfig/security and /etc/sysconfig/language (see code below).
This script sets the variable AllowRootLogin depending on the variable $DISPLAYMANAGER_ROOT_LOGIN_LOCAL in /etc/sysconfig/displaymanager , /etc/sysconfig/security or /etc/sysconfig/language . But this variable was not existing. After adding

## Type:    yesno
## Default:    no
#
# Allow local access of the user root to your display manager.
#
DISPLAYMANAGER_ROOT_LOGIN_LOCAL="yes"

to /etc/sysconfig/displaymanager I can again login graphically as root. Additionally I changed the option HiddenUsers= in /usr/share/kde4/config/kdm/kdmrc to HiddenUsers=root .
Now root is working again but not displayed at the login screen.

So special thanks to Carlos.

Joern Behre

Code of /usr/share/kde4/apps/kdm/read_sysconfig.sh :

#!/bin/bash
#
# Copyright (c) 2006 SUSE Linux Products GmbH Nuernberg, Germany.
#
# Author: Stephan Kulow   <coolo@suse.de>
#

#
# check if we are started as root
# only one of UID and USER must be set correctly
#
if test "$UID" != 0 -a "$USER" != root; then
    echo "You must be root to start $0."
    exit 1
fi

#
# check for sysconfig/displaymanager or rc.config
#
test -f /etc/sysconfig/displaymanager && source /etc/sysconfig/displaymanager
test -f /etc/sysconfig/security       && source /etc/sysconfig/security
test -f /etc/sysconfig/language       && source /etc/sysconfig/language

#
# source /etc/profile to get $kdedir
#
kdedir="/usr"
kdmdir="/var/adm/kdm"

# check for write permissions
 -w ${kdmdir} ] || mkdir -p ${kdmdir}
 -w ${kdmdir} ] || exit

#
# Set Style of Shutdown
#
ECHO_MODE="OneStar"
if test "$DISPLAYMANAGER_ROOT_LOGIN_LOCAL" = "yes"; then
    ALLOW_ROOT_LOGIN="true"
else
    ALLOW_ROOT_LOGIN="false"
fi

case "$DISPLAYMANAGER_SHUTDOWN" in
    all|ALL|All)
         DISPLAYMANAGER_SHUTDOWN=All;;
    none|NONE|None)
         DISPLAYMANAGER_SHUTDOWN=None;;
    auto|Auto|AUTO)
      case "$PERMISSION_SECURITY" in
    *easy*)
         DISPLAYMANAGER_SHUTDOWN=All
             ;;
        *paranoid*)
             ECHO_MODE="NoEcho"
             ALLOW_ROOT_LOGIN="false"
         DISPLAYMANAGER_SHUTDOWN=Root
             ;;
    *)
         DISPLAYMANAGER_SHUTDOWN=Root
         ;;
      esac
      ;;
    * )
        DISPLAYMANAGER_SHUTDOWN=Root;;
esac

(
echo "[X-*-Greeter]"
if  -n "$KDM_USERS" ]; then
  echo "ShowUsers=Selected"
  echo -n "SelectedUsers="
  echo ${KDM_USERS}|sed -e 's@  ]*@ @g' -e 's@ @,@g'
else
  echo "ShowUsers=NotHidden"
fi
if  "$DISPLAYMANAGER_AD_INTEGRATION" = "yes" ]; then
  echo "PluginsLogin=winbind"
else
  if  "$(/usr/sbin/pam-config -q --fp)" = "auth:" ]; then
    echo "PluginsLogin=generic"
  fi
fi
if  -n "$DISPLAYMANAGER_KDM_THEME" -a -d "/usr/share/kde4/apps/kdm/themes/$DISPLAYMANAGER_KDM_THEME" ]; then
  echo "Theme=/usr/share/kde4/apps/kdm/themes/$DISPLAYMANAGER_KDM_THEME"
  echo "UseTheme=true"
  echo "UseBackground=false"
else
  echo "UseTheme=false"
  echo "UseBackground=true"
fi
# kdm has en_US as default instead of simply reading LC_LANG :(
echo "Language="

echo "[Xdmcp]"
if  "$DISPLAYMANAGER_REMOTE_ACCESS" = "yes" ]; then
  echo "Enable=true"
else
  echo "Enable=false"
fi

echo "[X-:0-Core]"
if  "$DISPLAYMANAGER_AUTOLOGIN" ]; then
  echo "AutoLoginEnable=true"
  echo "AutoLoginUser=${DISPLAYMANAGER_AUTOLOGIN}"
else
  echo "AutoLoginEnable=false"
fi
if  "$DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN" = "yes" ]; then
  echo "ServerArgsLocal=${DISPLAYMANAGER_KDM_LOCALARGS}"
else
  echo "ServerArgsLocal=-nolisten tcp ${DISPLAYMANAGER_KDM_LOCALARGS}"
fi
if  "$DISPLAYMANAGER_PASSWORD_LESS_LOGIN" = "yes" ]; then
   echo "NoPassEnable=true"
   echo "NoPassAllUsers=true"
else
   echo "NoPassEnable=false"
   echo "NoPassAllUsers=false"
fi

echo "[X-:*-Core]"
echo "AllowShutdown=${DISPLAYMANAGER_SHUTDOWN}"
echo "AllowRootLogin=${ALLOW_ROOT_LOGIN}"
echo "AllowNullPasswd=${ALLOW_ROOT_LOGIN}"

echo "[X-*-Core]"

if test "$DISPLAYMANAGER_ROOT_LOGIN_REMOTE" = "yes"; then
    echo "AllowRootLogin=true"
else
    echo "AllowRootLogin=false"
fi

case "x$DISPLAYMANAGER_XSERVER" in
   xXgl)
    xgl=`type -p Xgl`
    echo "ServerCmd=$xgl $DISPLAYMANAGER_XGL_OPTS -br"
        echo "ServerTimeout=50"
        ;;
   xXorg)
        xorg=`type -p Xorg`
    echo "ServerCmd=$xorg -br"
    ;;
   x)
        # empty value - younger than 11.0
        echo "ServerCmd=/usr/bin/X -br"
        ;;
   *)
    echo "#Unknown X server - leaving X"
    ;;
esac

echo "[General]"
if  "$DISPLAYMANAGER_STARTS_XSERVER" != "yes" ]; then
  echo "StaticServers="
fi

) > ${kdmdir}/kdmrc.sysconfig

did you log the bug against update which caused the problem?

because i’m rather sure none of us, nor the developers intended to
deprive you of the right to operate as you wish…

–
DenverD
CAVEAT: http://is.gd/bpoMD [posted via NNTP w/openSUSE 10.3]

On 2010-09-12 19:22, DenverD wrote:
> did you log the bug against update which caused the problem?
>
> because i’m rather sure none of us, nor the developers intended to
> deprive you of the right to operate as you wish…

My guess is that some setting has changed default. Perhaps by looking at the changelog of the
updated packages :-?

–
Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” GM (Elessar))

On 2010-09-13 16:26, jbehre wrote:
>
> I solved the problem. I used this sunday to dig into linux depths and I
> guess I found the mistake now. First I followed Carlos’ hint:
>>
>>> /usr/share/kde4/config/kdm/kdmrc
>>> /usr/share/kde4/config/kdm/kdmrc.rpmnew
>>
>> The second one is the new configuration proposed by the update. It is
>> not active. The first one is the active one.
>>
>> Hint: Run “rcrpmconfigcheck” after any update, on a terminal (xterm,
>> konsole, whatever). It will list all those changed/replaced/need
>> attention configuration files after the update, a list you should review
>> one by one. Manually.
>>
>
> rcrpmconfigcheck listed /usr/share/kde4/config/kdm/kdmrc.rpmnew as a
> file to pay attention to and since Carlos meant that this is the new
> configuration proposed by the update which is not active I decided to
> replace /usr/share/kde4/config/kdm/kdmrc with
> /usr/share/kde4/config/kdm/kdmrc.rpmnew (after making backups, of
> course). This change had no negative and no positve results, just that
> the new file gives many more options.

I like to compare such files. I use the line:

diff --side-by-side --suppress-common-lines --ignore-all-space
active_config_file new_or_old_config_file

to see what has changed.

Many people do not know this, that after an update or upgrade such files are created, and that
manual action may be required. That script runs on eery boot, but as almost everybody hides booting
messages behind the flash screen, it is not noticed.

> So I went on searching to find out why /var/adm/kdm/kdmrc.sysconfig
> is always set back to its old values and I found the script
> /usr/share/kde4/apps/kdm/read_sysconfig.sh
> that is parsing the files /etc/sysconfig/displaymanager ,
> /etc/sysconfig/security and /etc/sysconfig/language (see code below).

Good tracking.

> This script sets the variable AllowRootLogin depending on the
> variable $DISPLAYMANAGER_ROOT_LOGIN_LOCAL in
> /etc/sysconfig/displaymanager , /etc/sysconfig/security or
> /etc/sysconfig/language . But this variable was not existing.

Ah!!!

> After adding
>
> Code:
> --------------------
>
> ## Type: yesno
> ## Default: no
> #
> # Allow local access of the user root to your display manager.
> #
> DISPLAYMANAGER_ROOT_LOGIN_LOCAL=“yes”
>
> --------------------
>
> to /etc/sysconfig/displaymanager I can again login graphically as
> root.

Ah!!!

You know, I searched for such a variable. I had found the one for remote login, and I had the fuzzy
recolection that there was a similar one for local root login. But not finding it in sysconfig, I
said nothing, I though my memory was wrong.

Wow!

So that’s the bug.

(I’m almost sure that the variable was present on some older distro… :-? )

> Additionally I changed the option HiddenUsers= in
> /usr/share/kde4/config/kdm/kdmrc to HiddenUsers=root .

Interesting.

Now I have to find the equivalent variable for gdm, I want to hide some users there

> Now root is working again but not displayed at the login screen.

Good for you!

>
> So special thanks to Carlos.

Welcome! O:-)

–
Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” GM (Elessar))

Thank you very much for this discovery.

I was really looking forward to something like this, but did not have time to investigate (and now I don’t have to), and I really don’t like that XDM login screen

Синиша Бандин