Heya,

Ludovic Courtès wrote:

> Rick Huijzer wrote:
>
>> It seems that xscreensaver-auth needs to be setuid instead of the main
>> xscreensaver binary. The screen-locker-service in xorg.scm sets the
>> provided package setuid and sets the required pam configuration for the
>> provided package. The problem is that the pam configuration needs to be set
>> for xscreensaver (/etc/pam.d/xscreensaver) and setuid needs to be set for
>> xscreensaver-auth.
>>
>> Interestingly when I setuid xscreensaver-auth manually I run into the
>> following when unlocking:
>> Aug 10 13:35:02 localhost unix_chkpwd[2197]: check pass; user unknown
>> Aug 10 13:35:02 localhost unix_chkpwd[2197]: password check failed for user (rhuijzer)
>> Aug 10 13:35:02 localhost xscreensaver-auth: pam_unix(xscreensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost= user=rhuijzer
>>
>> But this might be fixed in time by [RFC PATCH] gnu: linux-pam: Change path
>> to unix_chkpwd helper .
>>
>> I don't know how to fix this elegantly, maybe create a dedicated service
>> for xscreensaver instead of the standard screen-locker-service?
>
> Yes, either that or a special case in ‘screen-locker-service’.

With the attached patch I can make ‘xscreensaver-auth’ setuid-root (which is optional: it’s needed to tweak OOM behavior) while keeping the ‘xscreensaver’ PAM entry that’s needed.

However, authentication’s still failing due to ‘unix_chkpwd’ not working on current ‘master’ where is missing.

Ideas on how to work around that? It’s not clear to me how ‘unix_chkpwd’ ends up being invoked in the first place…

Thanks,
Ludo’.