Date: Tue, 19 Jan 2021 21:46:49 +0000 From: bugzilla-noreply@freebsd.org To: ports-bugs@FreeBSD.org Subject: [Bug 252837] [PATCH] x11/xfce4-screensaver: PAM authentication may not work as intended due to the wrong policy filename Message-ID: <bug-252837-7788@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D252837 Bug ID: 252837 Summary: [PATCH] x11/xfce4-screensaver: PAM authentication may not work as intended due to the wrong policy filename Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: Individual Port(s) Assignee: xfce@FreeBSD.org Reporter: genneko217@gmail.com Flags: maintainer-feedback?(xfce@FreeBSD.org) Assignee: xfce@FreeBSD.org Created attachment 221750 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D221750&action= =3Dedit A patch to Makefile x11/xfce4-screensaver port installs a PAM policy file 'xfce-screensaver' in /usr/local/etc/pam.d when the PAM option is enabled. However, the policy is not actually used because of the wrong filename. The correct filename would be 'xfce4-screensaver' as seen in its source. ${WRKSRC}/src/Makefile.am: -DPAM_SERVICE_NAME=3D\""xfce4-screensaver"\" In most cases, it does not cause any problem because the catch-all /etc/pam.d/other policy is used instead. But, it may cause trouble when you have customized PAM policies in some ways. For example, when you have configured pam_krb5 in /etc/pam.d/system to authenticate users with Active Directory or something like that and do not set local UNIX passwords for the users, those users cannot unlock screen with their AD passwords once xfce4-screensaver activates the screen lock. This is because /usr/local/etc/pam.d/xfce-screensaver is not loaded thus /etc/pam.d/system which will be included by the former is also not loaded. I've found the issue in this particular situation. HOW TO CONFIRM Here are the steps I took to confirm which policies are loaded when I unlock the xfce4-screensaver's screen lock. 1. Install x11/xfce4-screensaver on a cleanly installed desktop system. 2. Add the following lines to the top of the PAM policy files in order to log the loaded policy filename. [/etc/pam.d/system] auth optional pam_exec.so /usr/bin/logger system [/etc/pam.d/other] auth optional pam_exec.so /usr/bin/logger other [/usr/local/etc/pam.d/xfce-screensaver] auth optional pam_exec.so /usr/bin/logger xfce-screensaver 3. Monitor /var/log/messages on a local virtual terminal (Ctrl+Shift+Fx) or a SSH terminal on another host. $ tail -F /var/log/messages 4. On the desktop, lock the screen manually. $ xfce4-screensaver-command --lock 5. Unlock the screen by entering the user password. 6. See which PAM policy was loaded. Jan 19 20:55:28 xrdp genneko[20748]: pam.d/other Jan 19 20:55:28 xrdp genneko[20749]: pam.d/other 7. Copy the xfce-screensaver to xfce4-screensaver in /usr/local/etc/pam.d and edit the previously added line to the new file. [/usr/local/etc/pam.d/xfce4-screensaver] auth optional pam_exec.so /usr/bin/logger xfce4-screensaver 8. Lock the screen again. $ xfce4-screensaver-command --lock 9. Unlock the screen. 10. See which PAM policy was loaded. Jan 19 20:57:29 xrdp genneko[20773]: pam.d/xfce4-screensaver Jan 19 20:57:29 xrdp genneko[20774]: pam.d/system Jan 19 20:57:29 xrdp genneko[20775]: pam.d/xfce4-screensaver Jan 19 20:57:29 xrdp genneko[20776]: pam.d/system ADDITIONAL INFORMATION I have also used dwatch(1) utility to monitor file opens and confirm 'xfce4-screensaver' (not 'xfce-screensaver') was opened. $ sudo dwatch -X open ... 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/xfce4-screensaver 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.conf 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/local/etc/pam.d/xfce4-screensaver 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/local/etc/pam.conf 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/other 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_exec.so.6 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_opie.so.6 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libopie.so.8 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/libopie.so.8 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libmd.so.6 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_opieaccess.so.6 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_unix.so.6 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libutil.so.9 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libcrypt.so.5 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libypclnt.so.4 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/libypclnt.so.4 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/other 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_nologin.so.6 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_login_access.so= .6 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_unix.so.6 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/other 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_permit.so.6 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/other 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_permit.so.6 ... --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-252837-7788>