Gentoo Forums
.Xscreensaver does not accept password
Forum: Networking & Security
statikregimen
Apprentice
Joined: 16 Jul 2011
Posts: 173
Location: USA/Michigan
PostPosted: Thu Mar 29, 2018 3:38 pm    Post subject: .Xscreensaver does not accept password

Hi all,

Seems this is a rare problem, but I've found some other, much older posts with similar issues. Most of the solutions didn't work/apply. This is the 3rd machine I've set up recently with Gentoo, and the other two (last I checked) are working normally with default configs/use flags. However, on this one I had to build xscreensaver without pam support, which has resolved the issue for now. Is this in any way suboptimal for local security? It certainly does not seem ideal for new users who generally expect things to work out of the box.

With that, I was hoping somebody might be able to provide some insight on other things I can look at, since this is a fresh install presumably configured identically to the other machines I've done. Perhaps I overlooked something in my configs, or I've found a bug and should report? If the latter, how to narrow down where the bug lies (in pam, xscreensaver, something else)?

Any guidance is appreciated!

Cheers.


Last edited by statikregimen on Sat Jul 14, 2018 12:24 am; edited 3 times in total
JWJones
n00b
Joined: 11 Jan 2015
Posts: 19
Location: Oregon
PostPosted: Fri Mar 30, 2018 2:18 am

I've had this happen to me before, too. I was unable to resolve it (PAM was not involved, however, as I recall), so I simply gave up on xscreensaver altogether and went minimal with slock for screen locking, avoiding screensavers.

Sorry, but I don't really remember any specifics beyond that.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21586
PostPosted: Fri Mar 30, 2018 4:03 am

What does xscreensaver log when the unlock fails? I have seen this when it is configured to use PAM and it is unable to load PAM. I have also seen this when it is run with the no-new-privs restriction set, since it needs a privileged helper to verify the password.
statikregimen
Apprentice
Joined: 16 Jul 2011
Posts: 173
Location: USA/Michigan
PostPosted: Fri Mar 30, 2018 1:35 pm

Hu wrote:
What does xscreensaver log when the unlock fails? I have seen this when it is configured to use PAM and it is unable to load PAM. I have also seen this when it is run with the no-new-privs restriction set, since it needs a privileged helper to verify the password.


Sorry, I forgot to include that!

I'm not sure where the xscreensaver logs are? But I get a lot of this kind of stuff in /var/log/auth.log :

Code:
Mar 26 17:09:05 anony-mouse xscreensaver: pam_unix(xscreensaver:auth): conversation failed
Mar 26 17:09:05 anony-mouse xscreensaver: pam_unix(xscreensaver:auth): auth could not identify password for [statik]
Mar 27 09:13:38 anony-mouse unix_chkpwd[19858]: check pass; user unknown
Mar 27 09:13:42 anony-mouse unix_chkpwd[19898]: check pass; user unknown
Mar 27 09:13:42 anony-mouse unix_chkpwd[19898]: password check failed for user (statik)
Mar 27 09:13:42 anony-mouse xscreensaver: pam_unix(xscreensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0.0 ruser= rhost=  user=statik
Mar 27 09:13:44 anony-mouse xscreensaver[3229]: FAILED LOGIN 1 ON DISPLAY ":0", FOR "statik"
Mar 27 09:13:45 anony-mouse unix_chkpwd[19933]: check pass; user unknown
Mar 27 09:13:48 anony-mouse unix_chkpwd[19964]: check pass; user unknown
Mar 27 09:13:48 anony-mouse unix_chkpwd[19964]: password check failed for user (statik)


Seems I only got that "conversation failed" message once... Then after that, it's just a bunch of the others in no apparent pattern.

JWJones wrote:
I've had this happen to me before, too. I was unable to resolve it (PAM was not involved, however, as I recall), so I simply gave up on xscreensaver altogether and went minimal with slock for screen locking, avoiding screensavers.

Sorry, but I don't really remember any specifics beyond that.


Not sure what you mean by "minimal with stock"? I use xscreensaver for timed locking. I'm a pretty unpredictable person, and will often times impulsively walk away from my computer, forgetting to lock it. Not much worse than coming back to it w/ a pron tab front and center and wondering who's seen it!
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21586
PostPosted: Sat Mar 31, 2018 12:17 am

statikregimen wrote:
JWJones wrote:
I simply gave up on xscreensaver altogether and went minimal with slock
Not sure what you mean by "minimal with stock"?
Clean your monitor (or, if applicable, your glasses) and/or check your font. He said slock, an alternate screen locking program, not stock. :)

You should be able to use xscreensaver for locking. What is the output of ls -l /sbin/unix_chkpwd? It should be mode 4711. Are you running xscreensaver under setpriv --nnp or equivalent? If yes, don't.
statikregimen
Apprentice
Joined: 16 Jul 2011
Posts: 173
Location: USA/Michigan
PostPosted: Sat Mar 31, 2018 1:53 am

Hu wrote:
statikregimen wrote:
JWJones wrote:
I simply gave up on xscreensaver altogether and went minimal with slock
Not sure what you mean by "minimal with stock"?
Clean your monitor (or, if applicable, your glasses) and/or check your font. He said slock, an alternate screen locking program, not stock. :)

You should be able to use xscreensaver for locking. What is the output of ls -l /sbin/unix_chkpwd? It should be mode 4711. Are you running xscreensaver under setpriv --nnp or equivalent? If yes, don't.


lmao...derp. Totally misread.

Here is the output of the command you requested:

Code:
-rwx--x--x 1 root root 31184 Mar 22 15:25 /sbin/unix_chkpwd

I believe that to be 0711... I will not have local access to the machine until Monday. So I'll try adjusting to 4711.

I am running xscreensaver via ~/.xsession thusly:

Code:
xscreensaver -no-splash &


Also, fwiw, I'm running XDM+Qtile on all my machines, and again, only 1 of 3 has the issue so far. I was able to test my others tonight, and they continue to work fine.
JWJones
n00b
Joined: 11 Jan 2015
Posts: 19
Location: Oregon
PostPosted: Sat Mar 31, 2018 12:25 pm

Yes, slock, not stock, which can be started after a specific period of user inactivity using xautolock. More info here:

https://tools.suckless.org/slock/
statikregimen
Apprentice
Joined: 16 Jul 2011
Posts: 173
Location: USA/Michigan
PostPosted: Mon Apr 02, 2018 3:14 pm

Thanks, JWJones - I'll definitely switch to sLock for my mobile machines where eye candy is not useful :D

Also, just finished setting up another machine. It is also having the same issue. It occurred to me that my working systems have not been updated in several days (i.e. since before these 2 new installs). So I'll update those, and see if the problem appears. If so, I'd say that's a strong indicator of a bug somewhere, rather than anything I'm doing wrong (but pro-tip: it's probably me lol).

Cheers
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21586
PostPosted: Tue Apr 03, 2018 1:53 am

statikregimen wrote:
I believe that to be 0711... I will not have local access to the machine until Monday. So I'll try adjusting to 4711.
You interpret that output correctly. Monday has arrived. Was fixing this sufficient?
statikregimen
Apprentice
Joined: 16 Jul 2011
Posts: 173
Location: USA/Michigan
PostPosted: Tue Apr 03, 2018 1:30 pm

Hu wrote:
statikregimen wrote:
I believe that to be 0711... I will not have local access to the machine until Monday. So I'll try adjusting to 4711.
You interpret that output correctly. Monday has arrived. Was fixing this sufficient?


Sorry! Completely forgot to try this.

I've set the permissions as prescribed, and rebuilt xscreensaver w/ pam support again. Lo and behold, it worked!

So I guess now the question is, why was that file set incorrectly? I'm 99% sure I extracted the stage3 with the proper command provided in the handbook:

Code:
tar xpf stage3-*.tar.{bz2,xz} --xattrs-include='*.*' --numeric-owner


But not even really sure when that file would come into play or where it comes from...

Going to give this same thing a try on the latest machine I set up.

Thanks!

EDIT: Seems to have done the trick on the other machine as well. So problem solved on my end.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21586
PostPosted: Wed Apr 04, 2018 2:14 am

According to equery belongs, that file is owned by sys-libs/pam. On an affected machine, what is the output of cat -n /var/db/pkg/sys-libs/pam-*/FEATURES? What version of pam is in use? What is the output of emerge --info?
statikregimen
Apprentice
Joined: 16 Jul 2011
Posts: 173
Location: USA/Michigan
PostPosted: Wed Apr 04, 2018 3:24 am

Hu wrote:
According to equery belongs, that file is owned by sys-libs/pam. On an affected machine, what is the output of cat -n /var/db/pkg/sys-libs/pam-*/FEATURES? What version of pam is in use? What is the output of emerge --info?


Code:
$ cat -n /var/db/pkg/sys-libs/pam-*/FEATURES
     1  assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr


Code:

*  sys-libs/pam
      Latest version available: 1.2.1-r2
      Latest version installed: 1.2.1-r2
      Size of files: 1,729 KiB
      Homepage:      http://www.linux-pam.org/
      Description:   Linux-PAM (Pluggable Authentication Modules)
      License:       || ( BSD GPL-2 )


Code:
$ emerge --info
Portage 2.3.24 (python 3.5.4-final-0, default/linux/amd64/17.0/desktop, gcc-6.4.0, glibc-2.25-r11, 4.15.14 x86_64)
=================================================================
System uname: Linux-4.15.14-x86_64-AMD_A12-9720P_RADEON_R7,_12_COMPUTE_CORES_4C+8G-with-gentoo-2.4.1
KiB Mem:    15905536 total,   9201448 free
KiB Swap:   17459196 total,  17219324 free
Timestamp of repository gentoo: Tue, 03 Apr 2018 02:00:01 +0000
Head commit of repository gentoo: 5558078abf664d63fead55f6fde1d4b95d18e426
sh bash 4.4_p12
ld GNU ld (Gentoo 2.29.1 p3) 2.29.1
app-shells/bash:          4.4_p12::gentoo
dev-lang/perl:            5.24.3-r1::gentoo
dev-lang/python:          2.7.14-r1::gentoo, 3.5.4-r1::gentoo
dev-util/cmake:           3.9.6::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.4.1-r2::gentoo
sys-apps/openrc:          0.34.11::gentoo
sys-apps/sandbox:         2.13::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69-r4::gentoo
sys-devel/automake:       1.15.1-r2::gentoo
sys-devel/binutils:       2.29.1-r1::gentoo
sys-devel/gcc:            6.4.0-r1::gentoo
sys-devel/gcc-config:     1.8-r1::gentoo
sys-devel/libtool:        2.4.6-r3::gentoo
sys-devel/make:           4.2.1::gentoo
sys-kernel/linux-headers: 4.13::gentoo (virtual/os-headers)
sys-libs/glibc:           2.25-r11::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-extra-opts:
    sync-rsync-verify-metamanifest: no

steam-overlay
    location: /var/lib/layman/steam-overlay
    masters: gentoo
    priority: 50

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=native"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=native"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="ftp://ftp.ussg.iu.edu/pub/linux/gentoo http://lug.mtu.edu/gentoo/ ftp://lug.mtu.edu/gentoo/ http://cosmos.illinois.edu/pub/gentoo/ ftp://cosmos.illinois.edu/pub/gentoo/"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac acl acpi alsa amd64 berkdb bluetooth branding bzip2 cairo cdda cdr cli consolekit crypt cups cxx dbus dri dts dvd dvdr emboss encode exif fam flac fortran gdbm gif git glamor gpm gtk iconv ipv6 jpeg lcms ldap libnotify mad mng modules mp3 mp4 mpeg multilib ncurses nls nptl ogg opengl openmp pam pango pcre pdf png policykit ppds pulseaudio qt3support readline sdl seccomp spell ssl startup-notification steamruntime svg tcpd tiff truetype udev udisks unicode upower usb vorbis wxwidgets x264 xattr xcb xml xv xvid zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx avx2 f16c fma3 fma4 mmx mmxext pclmul popcnt sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 xop" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-64" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" 
PHP_TARGETS="php5-6 php7-0" POSTGRES_TARGETS="postgres9_5" PYTHON_SINGLE_TARGET="python3_5" PYTHON_TARGETS="python2_7 python3_5" RUBY_TARGETS="ruby22 ruby23" USERLAND="GNU" VIDEO_CARDS="amdgpu radeonsi" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS


Last edited by statikregimen on Wed Apr 04, 2018 4:18 pm; edited 1 time in total
ct85711
Veteran
Joined: 27 Sep 2005
Posts: 1791
PostPosted: Wed Apr 04, 2018 7:20 am

I know when I checked on my system, unix_chkpwd came up with permissions as 0711. I can't really say if xscreensaver locking works or not for my system, as I don't use that side. What would be interesting is finding out if that file defaults as 0711 when pam is installed, or was it possibly changed in an earlier version or changed by some other package.

I may just do a little test on my system, by intentionally breaking the system and removing pam; and reinstall it and see what the permissions of that file are.
Note: I am fully aware, in doing so I get to pick up all the pieces; and DO NOT recommend anyone do the same thing without knowing exactly what they are doing.

Update:
Well, I confirmed for my system at least, unix_chkpwd comes by default with permissions of 0711 only. This was tested by completely removing pam from the system and verifying the file is gone; then freshly recompiling pam again and rechecking the file's permissions.

Code:

Using username "ct85711".
Oate /home/ct85711 # emerge -pv pam xorg-server

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] sys-libs/pam-1.3.0-r2::gentoo  USE="berkdb cracklib filecaps nls pie -audit -debug -nis (-selinux) {-test} -vim-syntax" ABI_X86="(64) -32 (-x32)" 0 KiB
[ebuild   R    ] x11-base/xorg-server-1.19.5-r1:0/1.19.5::gentoo  USE="dmx glamor ipv6 kdrive suid udev xcsecurity xephyr xnest xorg xvfb -debug -doc -libressl -minimal (-selinux) -static-libs -systemd -tslib -unwind -wayland" 0 KiB

Total: 2 packages (2 reinstalls), Size of downloads: 0 KiB
Oate /home/ct85711 # ls -l /sbin/unix_chkpwd
-rwx--x--x 1 root root 31224 Apr  4 03:27 /sbin/unix_chkpwd
Oate /home/ct85711 # emerge -pv xscreensaver

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] x11-misc/xscreensaver-5.38::gentoo  USE="jpeg opengl pam perl xinerama -gdm -new-login -offensive (-selinux) -suid" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21586
PostPosted: Thu Apr 05, 2018 2:06 am

ct85711, thank you for prompting me to look more closely. If sys-libs/pam is built with USE=filecaps, it can install a mode 711 unix_chkpwd and rely on file capabilities to grant CAP_DAC_OVERRIDE. If built without file caps, unix_chkpwd must be 4711 so that it gets CAP_DAC_OVERRIDE (and many other unnecessary capabilities) as a result of being suid root. So if the OP had built with USE=filecaps, then telling him to enable suid was wrong. OP: what is the output of emerge --pretend --verbose sys-libs/pam?
statikregimen
Apprentice
Joined: 16 Jul 2011
Posts: 173
Location: USA/Michigan
PostPosted: Thu Apr 05, 2018 3:41 pm

Hu wrote:
OP: what is the output of emerge --pretend --verbose sys-libs/pam?


Code:
[ebuild   R    ] sys-libs/pam-1.2.1-r2::gentoo  USE="berkdb cracklib filecaps nls pie -audit -debug -nis (-selinux) {-test}" ABI_X86="(64) -32 (-x32)" 0 KiB


[Moderator edit: added [code] tags to preserve output layout. -Hu]
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21586
PostPosted: Fri Apr 06, 2018 2:10 am

My advice may have worked, but since you have USE=filecaps, my advice was the wrong solution. We need to determine whether unix_chkpwd had the file capability annotation. If it did, we need to know why it did not work for you. If it did not, we need to know why it did not, since USE=filecaps should have caused it to be there. If you re-emerge sys-libs/pam, keeping USE=filecaps, what is the output of ls -l /sbin/unix_chkpwd ; getcap /sbin/unix_chkpwd? How did you install PAM previously? Was this system created using only Portage to install files or were some files installed through other means, such as cp -r from some other source?
statikregimen
Apprentice
Joined: 16 Jul 2011
Posts: 173
Location: USA/Michigan
PostPosted: Fri Apr 06, 2018 3:03 am

Hu wrote:
My advice may have worked, but since you have USE=filecaps, my advice was the wrong solution. We need to determine whether unix_chkpwd had the file capability annotation. If it did, we need to know why it did not work for you. If it did not, we need to know why it did not, since USE=filecaps should have caused it to be there. If you re-emerge sys-libs/pam, keeping USE=filecaps, what is the output of ls -l /sbin/unix_chkpwd ; getcap /sbin/unix_chkpwd? How did you install PAM previously? Was this system created using only Portage to install files or were some files installed through other means, such as cp -r from some other source?


After re-emerging pam:

Code:
# ls -l /sbin/unix_chkpwd
-rws--x--x 1 root root 31184 Apr  5 22:57 /sbin/unix_chkpwd


pam should have been installed automagically based on my profile or as a dependency of something...

Code:
$ eselect profile show
Current /etc/portage/make.profile symlink:
  default/linux/amd64/17.0/desktop
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21586
PostPosted: Sat Apr 07, 2018 12:27 am

Something is strange here. If you have USE=filecaps, your file should not be suid, and should have a file capability. Your older output says you have USE=filecaps. Your most recent post says you have suid. You did not show getcap. Please show that, and add -v so that it prints even if there are no capabilities.

Yes, pam is a dependency. I wanted to know if this system had been installed through Portage or had been copied from a working Gentoo install. The latter might, depending on options used, lose file capabilities.
statikregimen
Apprentice
Joined: 16 Jul 2011
Posts: 173
Location: USA/Michigan
PostPosted: Sun Apr 08, 2018 3:42 pm

wtf...? I swear I copied/pasted the command you were looking for...

Code:
# ls -lv /sbin/unix_chkpwd ; getcap /sbin/unix_chkpwd
-rws--x--x 1 root root 31184 Apr  5 22:57 /sbin/unix_chkpwd
Failed to get capabilities of file `/sbin/unix_chkpwd' (Operation not supported)


The system was installed entirely via Portage - no files copied from elsewhere.

I'm not sure what you mean about my older posts showing filecaps vs most recent?
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21586
PostPosted: Tue Apr 10, 2018 1:30 am

I wanted -v on getcap, not on ls. However, the error message you received is good enough. There is no need to provide getcap -v now. I interpret that error message to mean that your filesystem does not support file capabilities. What type of filesystem did you use for the /sbin directory? What mount options are set for it?

Regarding USE=filecaps vs suid: if you build the package with USE=filecaps, then unix_chkpwd should not be suid and should have a file capability annotation. If you build with USE=-filecaps, then unix_chkpwd should be suid. In your most recent post where you showed the USE flags, you have USE=filecaps, so I would expect you not to have the suid flag on unix_chkpwd. However, your most recent post where you showed permissions shows that unix_chkpwd is suid. So either you set it manually, per my (now known to be incorrect) advice earlier in the thread, or something else strange is happening.
statikregimen
Apprentice
Joined: 16 Jul 2011
Posts: 173
Location: USA/Michigan
PostPosted: Wed Apr 11, 2018 2:12 pm

Sorry for the delayed response. I use ext4 for everything.

I did in fact change the permissions per your original suggestion prior to learning that it was not the proper solution. I'm not sure how to undo it. I need to educate myself quite a bit more on this stuff.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21586
PostPosted: Thu Apr 12, 2018 1:17 am

statikregimen wrote:
I did in fact change the permissions per your original suggestion prior to learning that it was not the proper solution. I'm not sure how to undo it. I need to educate myself quite a bit more on this stuff.
You said you re-emerged PAM, then showed output indicating that the permissions were suid. If you re-emerged pam with USE=filecaps, that should not have happened, unless you reapplied the permissions change by hand.

You can undo it by setting the permissions back to what they were: 711.

Do you have EXT4_FS_SECURITY enabled in your kernel configuration? If I read the kernel source correctly, that is required to use file capabilities on ext4.
pablo_supertux
Advocate
Joined: 25 Jan 2004
Posts: 2931
Location: Somewhere between reality and Middle-Earth and in Freiburg (Germany)
PostPosted: Fri Mar 26, 2021 10:33 am

Hi

Sorry to revive such an old thread, but I'm dealing with exactly the same issue here.

Neither xscreensaver nor mate-screensaver accepted my password; in the log files, I also got

Quote:

Mar 26 11:05:13 gallifrey xscreensaver[6632]: FAILED LOGIN 1 ON DISPLAY ":0.0", FOR "shaoran"
Mar 26 11:05:17 gallifrey unix_chkpwd[6684]: check pass; user unknown


so after reading this thread I realized that /sbin/unix_chkpwd did not have suid bit set so I tried the chmod 4711 and now it works. However I kept reading and found this:

Hu wrote:
My advice may have worked, but since you have USE=filecaps, my advice was the wrong solution. We need to determine whether unix_chkpwd had the file capability annotation. If it did, we need to know why it did not work for you. If it did not, we need to know why it did not, since USE=filecaps should have caused it to be there. If you re-emerge sys-libs/pam, keeping USE=filecaps, what is the output of ls -l /sbin/unix_chkpwd ; getcap /sbin/unix_chkpwd? How did you install PAM previously? Was this system created using only Portage to install files or were some files installed through other means, such as cp -r from some other source?


My pam has the filecaps USE flag set, so that's why suid was not set. However, the getcap command shows no output and exits with return status 0:

Code:

# getcap /sbin/unix_chkpwd ; echo $?
0


# getcap -v /sbin/unix_chkpwd ; echo $?
/sbin/unix_chkpwd
0


Quote:

Do you have EXT4_FS_SECURITY enabled in your kernel configuration? If I read the kernel source correctly, that is required to use file capabilities on ext4.


Yes, it is set.

Code:

# zcat /proc/config.gz | grep EXT4_FS_SECURITY
CONFIG_EXT4_FS_SECURITY=y


In the OP's case, getcap returned "Operation not supported"; in my case I just get no output. I don't know how to interpret it. How can I get xscreensaver to work without the incorrect solution of setting suid?
_________________
A! Elbereth Gilthoniel!
silivren penna míriel
o menel aglar elenath,
Gilthoniel, A! Elbereth!
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21586
PostPosted: Fri Mar 26, 2021 4:25 pm

For me, unix_chkpwd is mode 711 and the getcap output is:
Code:
# getcap /sbin/unix_chkpwd
/sbin/unix_chkpwd cap_dac_override=ep
My =sys-libs/pam-1.5.1 has USE=filecaps enabled. I think we need to understand why your pam is installed without the capabilities enabled. Is your filesystem mounted with xattr enabled?
pablo_supertux
Advocate
Joined: 25 Jan 2004
Posts: 2931
Location: Somewhere between reality and Middle-Earth and in Freiburg (Germany)
PostPosted: Fri Mar 26, 2021 5:35 pm
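Pulling together Hu's two explanations (the setuid-root versus file-capability split for unix_chkpwd earlier in the thread, and the getcap check in the post above), the following is an added diagnostic script; it is not code from this thread, from sys-libs/pam or from xscreensaver. It assumes only that POSIX find and, optionally, getcap are installed; the function names, the filecaps/-filecaps argument convention and the state words it prints are this example's own. It also covers the NoNewPrivs case Hu raised at the start of the thread, which defeats both privilege paths at once.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose how a PAM password helper such
# as /sbin/unix_chkpwd gets CAP_DAC_OVERRIDE. As Hu explains, sys-libs/pam with
# USE=-filecaps installs it setuid root (mode 4711); with USE=filecaps it is
# mode 711 plus a security.capability xattr (cap_dac_override=ep). Either one
# lets a non-root process have the helper read /etc/shadow; neither works if
# the calling process has NoNewPrivs set.

# classify_helper PATH -> prints one of: missing | none | suid | filecap | both
classify_helper() {
    path=$1
    [ -e "$path" ] || { echo missing; return 0; }
    suid=0
    filecap=0
    # POSIX find: -prune stops descent, -perm -4000 matches only if setuid is set
    [ -n "$(find "$path" -prune -perm -4000 2>/dev/null)" ] && suid=1
    # getcap prints "PATH <caps>" only when a capability xattr is present
    if command -v getcap >/dev/null 2>&1; then
        case "$(getcap "$path" 2>/dev/null)" in
            *cap_dac_override*) filecap=1 ;;
        esac
    fi
    case "$suid$filecap" in
        00) echo none ;;
        10) echo suid ;;
        01) echo filecap ;;
        11) echo both ;;
    esac
}

# probe_capability_xattr PATH -> supported | unsupported | error: ...
# Separates the two getcap outcomes seen in this thread: silence means the
# filesystem can store the xattr but nothing set it, while "Operation not
# supported" means the kernel/filesystem cannot store it at all (on ext4 that
# points at CONFIG_EXT4_FS_SECURITY, per Hu).
probe_capability_xattr() {
    command -v getcap >/dev/null 2>&1 || { echo "error: getcap not installed"; return 0; }
    err=$(getcap "$1" 2>&1 >/dev/null)
    case "$err" in
        *"Operation not supported"*) echo unsupported ;;
        "") echo supported ;;
        *) echo "error: $err" ;;
    esac
}

# verify_helper PATH filecaps|-filecaps -> exit 0 when the file matches what
# that USE setting should have installed, 1 otherwise, with a one-line reason
verify_helper() {
    state=$(classify_helper "$1")
    case "$2:$state" in
        filecaps:filecap) echo "ok: mode 711 with cap_dac_override, as USE=filecaps installs it"; return 0 ;;
        -filecaps:suid)   echo "ok: setuid root, as USE=-filecaps installs it"; return 0 ;;
        *:missing)        echo "problem: $1 does not exist"; return 1 ;;
        *:none)           echo "problem: neither setuid nor cap_dac_override; password checks will fail"; return 1 ;;
        filecaps:*)       echo "mismatch: USE=filecaps but state is '$state' (hand-applied chmod, or xattr $(probe_capability_xattr "$1"))"; return 1 ;;
        *)                echo "mismatch: USE=-filecaps but state is '$state'"; return 1 ;;
    esac
}

# parse_nnp < /proc/PID/status -> 0, 1 or unknown. With NoNewPrivs=1 execve
# grants neither setuid nor file capabilities, so a correctly installed helper
# still fails when launched from such a process (Hu's "setpriv --nnp" case).
parse_nnp() {
    awk '/^NoNewPrivs:/ { print $2; found = 1 } END { if (!found) print "unknown" }'
}

# Usage: sh check_chkpwd.sh /sbin/unix_chkpwd filecaps   (script name is arbitrary)
if [ $# -ge 1 ]; then
    verify_helper "$1" "${2:-filecaps}"
    if [ -r /proc/$$/status ]; then
        echo "NoNewPrivs of this shell: $(parse_nnp < /proc/$$/status)"
    fi
fi
```

A result of "mismatch: USE=filecaps but state is 'suid'" is exactly the hand-applied chmod 4711 situation in this thread; "unsupported" from the xattr probe corresponds to the OP's "Operation not supported" message, which implicates the filesystem or kernel rather than the package, while "supported" with state "none" matches pablo_supertux's silent getcap and means the install simply did not set the capability. Run the NoNewPrivs check from the same session that starts xscreensaver, since the flag is inherited across fork and exec.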

Hu wrote:
I think we need to understand why your pam is installed without the capabilities enabled. Is your filesystem mounted with xattr enabled?


I don't know how to check that. My /etc/fstab looks like this:

Code:

UUID="f3963fed-6fab-45b2-870e-c654dbaeb62c"  /            ext4       noatime     0 1


but I also boot with an initrd generated by dracut with this config:

Code:

# Equivalent to -H
hostonly="yes"

omit_dracutmodules+=" dash biosdevname"
show_modules="yes"

i18n_vars="/etc/conf.d/keymaps:keymap-KEYMAP,extended_keymaps-EXT_KEYMAPS /etc/conf.d/consolefont:consolefont-FONT,consoletranslation-FONT_MAP /etc/rc.conf:unicode-UNICODE"


and I build my initrd with dracut -i /lib/firmware/nvidia /lib/firmware/nvidia --kver <kernel version> --force.

The directory /run/initramfs/log/ is empty and dmesg has only a few lines:

Code:

$ dmesg  | grep dracut
[    2.662341] dracut: Checking ext4: /dev/disk/by-uuid/f3963fed-6fab-45b2-870e-c654dbaeb62c
[    2.663005] dracut: issuing e2fsck -a  /dev/disk/by-uuid/f3963fed-6fab-45b2-870e-c654dbaeb62c
[    2.668781] dracut: ROOT: clean, 876388/34422784 files, 20200095/137685169 blocks
[    2.670178] dracut: Mounting /dev/disk/by-uuid/f3963fed-6fab-45b2-870e-c654dbaeb62c with -o rw,noatime,ro
[    2.685973] dracut: Mounted root filesystem /dev/nvme0n1p5
[    2.704281] dracut: Switching root


It's strange that dracut mounts my root partition with rw and ro at the same time, never noticed that.

My GRUB_CMDLINE_LINUX variable has only one value "net.ifnames=0", so grub-mkconfig generated this config:

Code:

    echo    'Loading Linux 5.4.97-gentoo ...'
    linux   /boot/kernel-5.4.97-gentoo root=UUID=f3963fed-6fab-45b2-870e-c654dbaeb62c ro net.ifnames=0
    echo    'Loading initial ramdisk ...'
    initrd  /boot/initramfs-5.4.97-gentoo.img

Page 1 of 2