[Bug 252837] [PATCH] x11/xfce4-screensaver: PAM authentication may not work as intended due to the wrong policy filename
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Tue Jan 19 21:46:50 UTC 2021
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=252837
Bug ID: 252837
Summary: [PATCH] x11/xfce4-screensaver: PAM authentication may
not work as intended due to the wrong policy filename
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: xfce at FreeBSD.org
Reporter: genneko217 at gmail.com
Flags: maintainer-feedback?(xfce at FreeBSD.org)
Assignee: xfce at FreeBSD.org
Created attachment 221750
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=221750&action=edit
A patch to Makefile
x11/xfce4-screensaver port installs a PAM policy file 'xfce-screensaver'
in /usr/local/etc/pam.d when the PAM option is enabled.
However, the policy is not actually used because of the wrong filename.
The correct filename would be 'xfce4-screensaver' as seen in its source.
${WRKSRC}/src/Makefile.am:
-DPAM_SERVICE_NAME=\""xfce4-screensaver"\"
In most cases, it does not cause any problem because the catch-all
/etc/pam.d/other policy is used instead.
But, it may cause trouble when you have customized PAM policies
in some ways.
For example, when you have configured pam_krb5 in /etc/pam.d/system
to authenticate users with Active Directory or something like that
and do not set local UNIX passwords for the users, those users cannot
unlock screen with their AD passwords once xfce4-screensaver activates
the screen lock. This is because /usr/local/etc/pam.d/xfce-screensaver
is not loaded thus /etc/pam.d/system which will be included by the former
is also not loaded.
I've found the issue in this particular situation.
HOW TO CONFIRM
Here are the steps I took to confirm which policies are loaded
when I unlock the xfce4-screensaver's screen lock.
1. Install x11/xfce4-screensaver on a cleanly installed desktop system.
2. Add the following lines to the top of the PAM policy files
in order to log the loaded policy filename.
[/etc/pam.d/system]
auth optional pam_exec.so /usr/bin/logger system
[/etc/pam.d/other]
auth optional pam_exec.so /usr/bin/logger other
[/usr/local/etc/pam.d/xfce-screensaver]
auth optional pam_exec.so /usr/bin/logger xfce-screensaver
3. Monitor /var/log/messages on a local virtual terminal (Ctrl+Shift+Fx)
or a SSH terminal on another host.
$ tail -F /var/log/messages
4. On the desktop, lock the screen manually.
$ xfce4-screensaver-command --lock
5. Unlock the screen by entering the user password.
6. See which PAM policy was loaded.
Jan 19 20:55:28 xrdp genneko[20748]: pam.d/other
Jan 19 20:55:28 xrdp genneko[20749]: pam.d/other
7. Copy the xfce-screensaver to xfce4-screensaver in /usr/local/etc/pam.d
and edit the previously added line to the new file.
[/usr/local/etc/pam.d/xfce4-screensaver]
auth optional pam_exec.so /usr/bin/logger xfce4-screensaver
8. Lock the screen again.
$ xfce4-screensaver-command --lock
9. Unlock the screen.
10. See which PAM policy was loaded.
Jan 19 20:57:29 xrdp genneko[20773]: pam.d/xfce4-screensaver
Jan 19 20:57:29 xrdp genneko[20774]: pam.d/system
Jan 19 20:57:29 xrdp genneko[20775]: pam.d/xfce4-screensaver
Jan 19 20:57:29 xrdp genneko[20776]: pam.d/system
ADDITIONAL INFORMATION
I have also used dwatch(1) utility to monitor file opens and
confirm 'xfce4-screensaver' (not 'xfce-screensaver') was opened.
$ sudo dwatch -X open
...
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/xfce4-screensaver
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.conf
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]:
/usr/local/etc/pam.d/xfce4-screensaver
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/local/etc/pam.conf
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/other
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_exec.so.6
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_opie.so.6
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libopie.so.8
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/libopie.so.8
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libmd.so.6
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_opieaccess.so.6
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_unix.so.6
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libutil.so.9
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libcrypt.so.5
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libypclnt.so.4
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/libypclnt.so.4
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/other
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_nologin.so.6
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_login_access.so.6
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_unix.so.6
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/other
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_permit.so.6
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/other
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_permit.so.6
...
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-xfce
mailing list