Date: Tue, 19 Jan 2021 21:46:49 +0000 From: bugzilla-noreply@freebsd.org To: xfce@FreeBSD.org Subject: maintainer-feedback requested: [Bug 252837] [PATCH] x11/xfce4-screensaver: PAM authentication may not work as intended due to the wrong policy filename Message-ID: <bug-252837-28711-xitgBwhvIP@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-252837-28711@https.bugs.freebsd.org/bugzilla/> References: <bug-252837-28711@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
Bugzilla Automation <bugzilla@FreeBSD.org> has asked freebsd-xfce (Nobody) <xfce@FreeBSD.org> for maintainer-feedback: Bug 252837: [PATCH] x11/xfce4-screensaver: PAM authentication may not work = as intended due to the wrong policy filename https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D252837 --- Description --- x11/xfce4-screensaver port installs a PAM policy file 'xfce-screensaver' in /usr/local/etc/pam.d when the PAM option is enabled. However, the policy is not actually used because of the wrong filename. The correct filename would be 'xfce4-screensaver' as seen in its source. ${WRKSRC}/src/Makefile.am: -DPAM_SERVICE_NAME=3D\""xfce4-screensaver"\" In most cases, it does not cause any problem because the catch-all /etc/pam.d/other policy is used instead. But, it may cause trouble when you have customized PAM policies in some ways. For example, when you have configured pam_krb5 in /etc/pam.d/system to authenticate users with Active Directory or something like that and do not set local UNIX passwords for the users, those users cannot unlock screen with their AD passwords once xfce4-screensaver activates the screen lock. This is because /usr/local/etc/pam.d/xfce-screensaver is not loaded thus /etc/pam.d/system which will be included by the former is also not loaded. I've found the issue in this particular situation. HOW TO CONFIRM Here are the steps I took to confirm which policies are loaded when I unlock the xfce4-screensaver's screen lock. 1. Install x11/xfce4-screensaver on a cleanly installed desktop system. 2. Add the following lines to the top of the PAM policy files in order to log the loaded policy filename. [/etc/pam.d/system] auth optional pam_exec.so /usr/bin/logger system [/etc/pam.d/other] auth optional pam_exec.so /usr/bin/logger other [/usr/local/etc/pam.d/xfce-screensaver] auth optional pam_exec.so /usr/bin/logger xfce-screensaver 3. Monitor /var/log/messages on a local virtual terminal (Ctrl+Shift+Fx) or a SSH terminal on another host. $ tail -F /var/log/messages 4. On the desktop, lock the screen manually. $ xfce4-screensaver-command --lock 5. Unlock the screen by entering the user password. 6. See which PAM policy was loaded. Jan 19 20:55:28 xrdp genneko[20748]: pam.d/other Jan 19 20:55:28 xrdp genneko[20749]: pam.d/other 7. Copy the xfce-screensaver to xfce4-screensaver in /usr/local/etc/pam.d and edit the previously added line to the new file. [/usr/local/etc/pam.d/xfce4-screensaver] auth optional pam_exec.so /usr/bin/logger xfce4-screensaver 8. Lock the screen again. $ xfce4-screensaver-command --lock 9. Unlock the screen. 10. See which PAM policy was loaded. Jan 19 20:57:29 xrdp genneko[20773]: pam.d/xfce4-screensaver Jan 19 20:57:29 xrdp genneko[20774]: pam.d/system Jan 19 20:57:29 xrdp genneko[20775]: pam.d/xfce4-screensaver Jan 19 20:57:29 xrdp genneko[20776]: pam.d/system ADDITIONAL INFORMATION I have also used dwatch(1) utility to monitor file opens and confirm 'xfce4-screensaver' (not 'xfce-screensaver') was opened. $ sudo dwatch -X open ... 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/xfce4-screensaver 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.conf 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/local/etc/pam.d/xfce4-screensaver 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/local/etc/pam.conf 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/other 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_exec.so.6 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_opie.so.6 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libopie.so.8 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/libopie.so.8 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libmd.so.6 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_opieaccess.so.6 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_unix.so.6 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libutil.so.9 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libcrypt.so.5 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libypclnt.so.4 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/libypclnt.so.4 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/other 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_nologin.so.6 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_login_access.so= .6 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_unix.so.6 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/other 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_permit.so.6 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/other 2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_permit.so.6 ...
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-252837-28711-xitgBwhvIP>