Skip to main content

SELinux - timeout in locking authority file .Xauthority

· 3 min read
Sławomir Cichy
Sławomir Cichy
Backend Engineer @ Sci Software

It may happen that after logging in ssh -X we will get the message:

Last login: Thu Mar 24 21:41:30 2016 from 10.99.0.2
/usr/bin/xauth:  timeout in locking authority file /opt/ibpmusers/scichy/.Xauthority

And setting the DISPLAY environment variable correctly doesn't work for us.

Assumption

In our case, the main directory with users' home directories is not the default (/home) but /opt/ibpmusers.

To verify the problem, after logging in, issue the command strace xauth list. In response, we may get:

[scichy@localdevdb ~]$ strace xauth list
 #...
 open("/opt/ibpmusers/scichy/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)
 rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
 rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
 nanosleep({2, 0}, 0x7fff78965d20)       = 0
 write(2, "xauth:  timeout in locking autho"..., 76xauth:  timeout in locking authority file /opt/ibpmusers/scichy/.Xauthority
 ) = 76
 exit_group(1)

We can ask ourselves: Permission denied? But how? After all, it's my home directory, everything is mine... But that's not true. The SELinux mechanism (Security-Enhanced Linux (SELinux for short) - a set of Linux modifications and a way of allocating resources for applications) may be responsible for managing permissions. We check if SELinux is enabled to make sure we're right:

[scichy@localdevdb ~]$ egrep -e '^SELINUX=' /etc/selinux/config
SELINUX=enforcing

SELinux is enabled, so it is actually responsible for assigning permissions to applications. We go to the directory where our main directory is (/opt/ibpmusers) and check what the permissions are on the user directories:

[scichy@localdevdb ~]$ cd /opt
[scichy@localdevdb opt]$ ls -aslZ ibpmusers/
razem 28
drwxrwxrwx. root        root       unconfined_u:object_r:home_root_t:s0 .
drwxr-xr-x. root        root       system_u:object_r:home_root_t:s0 ..
drwxr-xr-x. ttesteusz   developers unconfined_u:object_r:home_root_t:s0 ttesteusz
drwxr-xr-x. ldeveloper  developers unconfined_u:object_r:home_root_t:s0 ldeveloper
drwxr-xr-x. scichy      developers unconfined_u:object_r:home_root_t:s0 scichy

We can see that the permissions are incorrect: unconfined_u:object_r:home_root_t:s0 and they should be unconfined_u:object_r:user_home_dir_t:s0. As the privileged user root we need to change it with the command chcon:

[root@localdevdb opt]# chcon -u unconfined_u -t user_home_dir_t -r object_r /opt/ibpmusers/*
This doesn't work

Someone wrote that you need to run the command restorecon /opt/ibpmusers/*, but it didn't give the expected effect (the permissions were changed, but not to what they should be):

[root@devdb2 opt]# restorecon /opt/ibpmusers/*
[root@devdb2 opt]# ls -aslZ ibpmusers
razem 28
drwxrwxrwx. root        root       unconfined_u:object_r:usr_t:s0   .
drwxr-xr-x. root        root       system_u:object_r:home_root_t:s0 ..
drwxr-xr-x. ttesteusz   developers unconfined_u:object_r:usr_t:s0   ttesteusz
drwxr-xr-x. ldeveloper  developers unconfined_u:object_r:usr_t:s0   ldeveloper
drwxr-xr-x. scichy      developers unconfined_u:object_r:usr_t:s0   scichy

Type must be user_home_dir_t and not usr_t.

Now everything should work. If it still doesn't work, run strace xauth list again and check what's wrong - follow the instructions that you get on the screen.