Date: Mon, 07 Apr 2008 11:55:12 -0400
From: Joe Marcus Clarke <marcus@marcuscom.com>
To: Andrew Reilly <areilly@bigpond.net.au>
Cc: gnome@freebsd.org, FreeBSD Ports Mailing List <ports@freebsd.org>, Ashish Shukla आशीष शुक्ल <wahjava@gmail.com>, Ashish Shukla आशीष शुक्ल <wahjava.ml@gmail.com>
Subject: Re: x11/gnome-screensaver-2.22.1 is not unlocking screen on entry of correct password.
Message-ID: <1207583712.80953.7.camel@shumai.marcuscom.com>
In-Reply-To: <20080407070744.GA27115@duncan.reilly.home>
References: <87d4p3xome.fsf@chateau.d.lf> <1207495285.21780.1.camel@shumai.marcuscom.com> <87y77qg9zd.fsf@chateau.d.lf> <1207504273.22879.4.camel@shumai.marcuscom.com> <20080407063651.GB97699@duncan.reilly.home> <20080407070744.GA27115@duncan.reilly.home>

On Mon, 2008-04-07 at 17:07 +1000, Andrew Reilly wrote:
> On Mon, Apr 07, 2008 at 04:36:51PM +1000, Andrew Reilly wrote:
> > On Sun, Apr 06, 2008 at 01:51:13PM -0400, Joe Marcus Clarke wrote:
> > > > Joe> This is typically the case when one builds gnome-screensaver with PAM
> > > > Joe> support, but they are currently using a PAM module which requires the
> > > > Joe> executable be setuid root (e.g. pam_unix). The only workaround is to
> > > > Joe> rebuild gnome-screensaver without PAM support, or use a different PAM
> > > > Joe> module which does not require root privileges.
> > > >
> > > > I've tried copying /etc/pam.d/gdm to /etc/pam.d/gnome-screensaver, but
> > > > also that's of no use. Any ideas, why is that not working in spite of
> > > > /usr/local/libexec/gnome-screensaver-dialog being setuid, hmm...?
> > >
> > > PAM and gnome-screensaver do not work together if you are using
> > > pam_unix. Rebuild gnome-screensaver without PAM support, and it will
> > > instead read /etc/master.passwd directly to authenticate the user. That
> > > will work.
>
> Just to add a bit more noise to this discussion: I've just re-configured
> gnome-screensaver to not use PAM, and re-installed. When doing so, I
> discovered that this installs gnome-screensaver-dialog, which is setuid
> root. Clearly, that's necessary in order to look at master.passwd
> directly. Isn't the same setuid-root done when PAM is involved?

The setuid privileges are dropped once initialization is done since GTK+
apps cannot run set[ug]id. If they could, or if gnome-screensaver-dialog
was not a GTK+ app, this wouldn't be a problem. That's why a wrapper that
actually does the PAM dialog would work here.

Linux, on the other hand, includes a setuid tool with Linux PAM which does
the privileged work for pam_unix. This means that none of their login apps
need to be setuid root.

Joe

-- 
PGP Key : http://www.marcuscom.com/pgp.asc