[Bug 252837] [PATCH] x11/xfce4-screensaver: PAM authentication may not work as intended due to the wrong policy filename

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue Jan 19 21:46:50 UTC 2021


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=252837

            Bug ID: 252837
           Summary: [PATCH] x11/xfce4-screensaver: PAM authentication may
                    not work as intended due to the wrong policy filename
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: xfce at FreeBSD.org
          Reporter: genneko217 at gmail.com
             Flags: maintainer-feedback?(xfce at FreeBSD.org)
          Assignee: xfce at FreeBSD.org

Created attachment 221750
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=221750&action=edit
A patch to Makefile

x11/xfce4-screensaver port installs a PAM policy file 'xfce-screensaver'
in /usr/local/etc/pam.d when the PAM option is enabled.

However, the policy is not actually used because of the wrong filename.
The correct filename would be 'xfce4-screensaver' as seen in its source.
${WRKSRC}/src/Makefile.am:
        -DPAM_SERVICE_NAME=\""xfce4-screensaver"\"

In most cases, it does not cause any problem because the catch-all
/etc/pam.d/other policy is used instead.

But, it may cause trouble when you have customized PAM policies
in some ways.

For example, when you have configured pam_krb5 in /etc/pam.d/system
to authenticate users with Active Directory or something like that
and do not set local UNIX passwords for the users, those users cannot
unlock screen with their AD passwords once xfce4-screensaver activates
the screen lock. This is because /usr/local/etc/pam.d/xfce-screensaver
is not loaded thus /etc/pam.d/system which will be included by the former
is also not loaded.

I've found the issue in this particular situation.


HOW TO CONFIRM

Here are the steps I took to confirm which policies are loaded
when I unlock the xfce4-screensaver's screen lock.

1. Install x11/xfce4-screensaver on a cleanly installed desktop system.

2. Add the following lines to the top of the PAM policy files
   in order to log the loaded policy filename.

[/etc/pam.d/system]
auth    optional        pam_exec.so     /usr/bin/logger system

[/etc/pam.d/other]
auth    optional        pam_exec.so     /usr/bin/logger other

[/usr/local/etc/pam.d/xfce-screensaver]
auth    optional        pam_exec.so     /usr/bin/logger xfce-screensaver

3. Monitor /var/log/messages on a local virtual terminal (Ctrl+Shift+Fx)
   or a SSH terminal on another host.

   $ tail -F /var/log/messages

4. On the desktop, lock the screen manually.

   $ xfce4-screensaver-command --lock

5. Unlock the screen by entering the user password.

6. See which PAM policy was loaded.

Jan 19 20:55:28 xrdp genneko[20748]: pam.d/other
Jan 19 20:55:28 xrdp genneko[20749]: pam.d/other

7. Copy the xfce-screensaver to xfce4-screensaver in /usr/local/etc/pam.d
   and edit the previously added line to the new file.

[/usr/local/etc/pam.d/xfce4-screensaver]
auth    optional        pam_exec.so     /usr/bin/logger xfce4-screensaver

8. Lock the screen again.

   $ xfce4-screensaver-command --lock

9. Unlock the screen.

10. See which PAM policy was loaded.

Jan 19 20:57:29 xrdp genneko[20773]: pam.d/xfce4-screensaver
Jan 19 20:57:29 xrdp genneko[20774]: pam.d/system
Jan 19 20:57:29 xrdp genneko[20775]: pam.d/xfce4-screensaver
Jan 19 20:57:29 xrdp genneko[20776]: pam.d/system


ADDITIONAL INFORMATION

I have also used dwatch(1) utility to monitor file opens and
confirm 'xfce4-screensaver' (not 'xfce-screensaver') was opened.

$ sudo dwatch -X open
...
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/xfce4-screensaver
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.conf
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]:
/usr/local/etc/pam.d/xfce4-screensaver
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/local/etc/pam.conf
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/other
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_exec.so.6
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_opie.so.6
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libopie.so.8
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/libopie.so.8
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libmd.so.6
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_opieaccess.so.6
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_unix.so.6
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libutil.so.9
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libcrypt.so.5
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libypclnt.so.4
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/libypclnt.so.4
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/other
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_nologin.so.6
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_login_access.so.6
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_unix.so.6
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/other
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_permit.so.6
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/other
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_permit.so.6
...

-- 
You are receiving this mail because:
You are the assignee for the bug.


More information about the freebsd-xfce mailing list