bug#57071: Xscreensaver not working since latest patch

bug#57071: Xscreensaver not working since latest patch

[Rick Huijzer]

[-- Attachment #1: Type: text/plain, Size: 783 bytes --]

Hi,

The latest xscreensaver patch <https://issues.guix.gnu.org/56597> rendered
xscreensaver unusable on my systems. When I try to unlock my screen I am
greeted with the message 'xscreensaver: don't login as root', even though I
don't invoke it as root.


$xscreensaver-command -lock
Aug  9 08:45:22 localhost shepherd[1]: [slim] xscreensaver-gfx: 08:45:22:
1: running as root: not launching hacks.
Aug  9 09:10:29 localhost shepherd[1]: [slim] xscreensaver-command: locking
Aug  9 09:10:32 localhost shepherd[1]: [slim] xscreensaver-gfx: 09:10:32:
0: running as root: not launching hacks.

When I remove the
(screen-locker-service xscreensaver)
I run into all kinds of set-uid problems.

I will happily provide more information if needed.

-- 
Met vriendelijke groet,

Rick Huijzer

[-- Attachment #2: Type: text/html, Size: 1193 bytes --]

bug#57071: Xscreensaver not working since latest patch

[Ludovic Courtès]

Hi Rick,

Rick Huijzer <ikbenrickhuyzer@gmail.com> skribis:

> The latest xscreensaver patch <https://issues.guix.gnu.org/56597> rendered
> xscreensaver unusable on my systems. When I try to unlock my screen I am
> greeted with the message 'xscreensaver: don't login as root', even though I
> don't invoke it as root.
>
>
> $xscreensaver-command -lock
> Aug  9 08:45:22 localhost shepherd[1]: [slim] xscreensaver-gfx: 08:45:22:
> 1: running as root: not launching hacks.
> Aug  9 09:10:29 localhost shepherd[1]: [slim] xscreensaver-command: locking
> Aug  9 09:10:32 localhost shepherd[1]: [slim] xscreensaver-gfx: 09:10:32:
> 0: running as root: not launching hacks.
>
> When I remove the
> (screen-locker-service xscreensaver)
> I run into all kinds of set-uid problems.

Sorry about that, I built it during review but did not actually run it.

One effect of ‘screen-locker-service’ is to make the program setuid-root
so that it can authenticate users.  It would seem that something changed
in xscreensaver in that area; quoth ‘driver/subprocs.c’:

--8<---------------cut here---------------start------------->8---
      if (getuid() == (uid_t) 0 || geteuid() == (uid_t) 0)
        /* Prior to XScreenSaver 6, if running as root, we would change the
           effective uid to the user "nobody" or "daemon" or "noaccess",
           but even that was just encouraging bad behavior.  Don't log in
           as root. */
        {
          fprintf (stderr, "%s: %d: running as root: not launching hacks.\n",
                   blurb(), ssi->number);
          screenhack_obituary (ssi, "", "XScreenSaver: Don't log in as root.");
          goto DONE;
        }
--8<---------------cut here---------------end--------------->8---

OTOH the ‘disavow_privileges’ function is supposed to drop root
privileges early on.

So I’m not sure how it’s supposed to be run.  R0man, ideas?

Thanks,
Ludo’.

bug#57071: Xscreensaver not working since latest patch

[Roman Scherer]

[-- Attachment #1: Type: text/plain, Size: 3176 bytes --]


Hi Ludo and Rick,

sorry for the trouble. I'm running xscreensaver on a foreign distro and
did not notice this. Probably because somehow my screen wasn't locked,
but still showing random screensavers.

However, now that I tried the `xscreensaver-command -lock` command I see
a dialog with a "Password initialization failed" message.

The xscreensave logs also show this:

xscreensaver-auth: 06:45:55: OOM: /proc/99677/oom_score_adj: Permission denied
xscreensaver-auth: 06:45:55:   To prevent the kernel from randomly unlocking
xscreensaver-auth: 06:45:55:   your screen via the out-of-memory killer,
xscreensaver-auth: 06:45:55:   "xscreensaver-auth" must be setuid root.
xscreensaver-auth: 06:46:06: PAM: warning: /etc/pam.d/xscreensaver does not exist.
xscreensaver-auth: 06:46:06: PAM: password authentication is unlikely to work.
xscreensaver-auth: 06:46:15: PAM: warning: /etc/pam.d/xscreensaver does not exist.
xscreensaver-auth: 06:46:15: PAM: password authentication is unlikely to work.

When the dialog popped up, I had to switch to a terminal and kill
xscreensaver to be able to access my desktop again.

Should we revert it, until we figured out what's necesarry to get this
working again?

r0man

Ludovic Courtès <ludo@gnu.org> writes:

> Hi Rick,
>
> Rick Huijzer <ikbenrickhuyzer@gmail.com> skribis:
>
>> The latest xscreensaver patch <https://issues.guix.gnu.org/56597> rendered
>> xscreensaver unusable on my systems. When I try to unlock my screen I am
>> greeted with the message 'xscreensaver: don't login as root', even though I
>> don't invoke it as root.
>>
>>
>> $xscreensaver-command -lock
>> Aug  9 08:45:22 localhost shepherd[1]: [slim] xscreensaver-gfx: 08:45:22:
>> 1: running as root: not launching hacks.
>> Aug  9 09:10:29 localhost shepherd[1]: [slim] xscreensaver-command: locking
>> Aug  9 09:10:32 localhost shepherd[1]: [slim] xscreensaver-gfx: 09:10:32:
>> 0: running as root: not launching hacks.
>>
>> When I remove the
>> (screen-locker-service xscreensaver)
>> I run into all kinds of set-uid problems.
>
> Sorry about that, I built it during review but did not actually run it.
>
> One effect of ‘screen-locker-service’ is to make the program setuid-root
> so that it can authenticate users.  It would seem that something changed
> in xscreensaver in that area; quoth ‘driver/subprocs.c’:
>
>       if (getuid() == (uid_t) 0 || geteuid() == (uid_t) 0)
>         /* Prior to XScreenSaver 6, if running as root, we would change the
>            effective uid to the user "nobody" or "daemon" or "noaccess",
>            but even that was just encouraging bad behavior.  Don't log in
>            as root. */
>         {
>           fprintf (stderr, "%s: %d: running as root: not launching hacks.\n",
>                    blurb(), ssi->number);
>           screenhack_obituary (ssi, "", "XScreenSaver: Don't log in as root.");
>           goto DONE;
>         }
>
> OTOH the ‘disavow_privileges’ function is supposed to drop root
> privileges early on.
>
> So I’m not sure how it’s supposed to be run.  R0man, ideas?
>
> Thanks,
> Ludo’.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 528 bytes --]

bug#57071: Xscreensaver not working since latest patch

[Rick Huijzer]

[-- Attachment #1: Type: text/plain, Size: 4629 bytes --]

Hi Roman and Ludo,

It seems that xscreensaver-auth needs to be setuid instead of the main
xscreensaver binary. The screen-locker-service in xorg.scm sets the
provided package setuid and sets the required pam configuration for the
provided package. The problem is that the pam configuration needs to be set
for xscreensaver (/etc/pam.d/xscreensaver) and setuid needs to be set for
xscreensaver-auth.

Interestingly when I setuid xscreensaver-auth manually I run into the
following when unlocking:
Aug 10 13:35:02 localhost unix_chkpwd[2197]: check pass; user unknown
Aug 10 13:35:02 localhost unix_chkpwd[2197]: password check failed for user
(rhuijzer)
Aug 10 13:35:02 localhost xscreensaver-auth: pam_unix(xscreensaver:auth):
authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost=
 user=rhuijzer

But this might be fixed in time by [RFC PATCH] gnu: linux-pam: Change path
to unix_chkpwd helper <https://issues.guix.gnu.org/53468>.

I don't know how to fix this elegantly, maybe create a dedicated service
for xscreensaver instead of the standard screen-locker-service?

Thanks,

Op wo 10 aug. 2022 om 09:14 schreef Roman Scherer <
roman.scherer@burningswell.com>:

>
> Hi Ludo and Rick,
>
> sorry for the trouble. I'm running xscreensaver on a foreign distro and
> did not notice this. Probably because somehow my screen wasn't locked,
> but still showing random screensavers.
>
> However, now that I tried the `xscreensaver-command -lock` command I see
> a dialog with a "Password initialization failed" message.
>
> The xscreensave logs also show this:
>
> xscreensaver-auth: 06:45:55: OOM: /proc/99677/oom_score_adj: Permission
> denied
> xscreensaver-auth: 06:45:55:   To prevent the kernel from randomly
> unlocking
> xscreensaver-auth: 06:45:55:   your screen via the out-of-memory killer,
> xscreensaver-auth: 06:45:55:   "xscreensaver-auth" must be setuid root.
> xscreensaver-auth: 06:46:06: PAM: warning: /etc/pam.d/xscreensaver does
> not exist.
> xscreensaver-auth: 06:46:06: PAM: password authentication is unlikely to
> work.
> xscreensaver-auth: 06:46:15: PAM: warning: /etc/pam.d/xscreensaver does
> not exist.
> xscreensaver-auth: 06:46:15: PAM: password authentication is unlikely to
> work.
>
> When the dialog popped up, I had to switch to a terminal and kill
> xscreensaver to be able to access my desktop again.
>
> Should we revert it, until we figured out what's necesarry to get this
> working again?
>
> r0man
>
> Ludovic Courtès <ludo@gnu.org> writes:
>
> > Hi Rick,
> >
> > Rick Huijzer <ikbenrickhuyzer@gmail.com> skribis:
> >
> >> The latest xscreensaver patch <https://issues.guix.gnu.org/56597>
> rendered
> >> xscreensaver unusable on my systems. When I try to unlock my screen I am
> >> greeted with the message 'xscreensaver: don't login as root', even
> though I
> >> don't invoke it as root.
> >>
> >>
> >> $xscreensaver-command -lock
> >> Aug  9 08:45:22 localhost shepherd[1]: [slim] xscreensaver-gfx:
> 08:45:22:
> >> 1: running as root: not launching hacks.
> >> Aug  9 09:10:29 localhost shepherd[1]: [slim] xscreensaver-command:
> locking
> >> Aug  9 09:10:32 localhost shepherd[1]: [slim] xscreensaver-gfx:
> 09:10:32:
> >> 0: running as root: not launching hacks.
> >>
> >> When I remove the
> >> (screen-locker-service xscreensaver)
> >> I run into all kinds of set-uid problems.
> >
> > Sorry about that, I built it during review but did not actually run it.
> >
> > One effect of ‘screen-locker-service’ is to make the program setuid-root
> > so that it can authenticate users.  It would seem that something changed
> > in xscreensaver in that area; quoth ‘driver/subprocs.c’:
> >
> >       if (getuid() == (uid_t) 0 || geteuid() == (uid_t) 0)
> >         /* Prior to XScreenSaver 6, if running as root, we would change
> the
> >            effective uid to the user "nobody" or "daemon" or "noaccess",
> >            but even that was just encouraging bad behavior.  Don't log in
> >            as root. */
> >         {
> >           fprintf (stderr, "%s: %d: running as root: not launching
> hacks.\n",
> >                    blurb(), ssi->number);
> >           screenhack_obituary (ssi, "", "XScreenSaver: Don't log in as
> root.");
> >           goto DONE;
> >         }
> >
> > OTOH the ‘disavow_privileges’ function is supposed to drop root
> > privileges early on.
> >
> > So I’m not sure how it’s supposed to be run.  R0man, ideas?
> >
> > Thanks,
> > Ludo’.
>


-- 
Met vriendelijke groet,

Rick Huijzer

[-- Attachment #2: Type: text/html, Size: 5933 bytes --]

bug#57071: Xscreensaver not working since latest patch

[Ludovic Courtès]

Hi Rick & Roman,

Rick Huijzer <ikbenrickhuyzer@gmail.com> skribis:

> It seems that xscreensaver-auth needs to be setuid instead of the main
> xscreensaver binary. The screen-locker-service in xorg.scm sets the
> provided package setuid and sets the required pam configuration for the
> provided package. The problem is that the pam configuration needs to be set
> for xscreensaver (/etc/pam.d/xscreensaver) and setuid needs to be set for
> xscreensaver-auth.
>
> Interestingly when I setuid xscreensaver-auth manually I run into the
> following when unlocking:
> Aug 10 13:35:02 localhost unix_chkpwd[2197]: check pass; user unknown
> Aug 10 13:35:02 localhost unix_chkpwd[2197]: password check failed for user
> (rhuijzer)
> Aug 10 13:35:02 localhost xscreensaver-auth: pam_unix(xscreensaver:auth):
> authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost=
>  user=rhuijzer
>
> But this might be fixed in time by [RFC PATCH] gnu: linux-pam: Change path
> to unix_chkpwd helper <https://issues.guix.gnu.org/53468>.
>
> I don't know how to fix this elegantly, maybe create a dedicated service
> for xscreensaver instead of the standard screen-locker-service?

Yes, either that or a special case in ‘screen-locker-service’.

Could you give it a try?

Unfortunately I’m going to be away from keyboard for a bit; please do
ping here and/or on IRC if you don’t get a timely reply.

Thanks,
Ludo’.

bug#57071: Xscreensaver not working since latest patch

[Ludovic Courtès]

[-- Attachment #1: Type: text/plain, Size: 1842 bytes --]

Heya,

Ludovic Courtès <ludo@gnu.org> skribis:

> Rick Huijzer <ikbenrickhuyzer@gmail.com> skribis:
>
>> It seems that xscreensaver-auth needs to be setuid instead of the main
>> xscreensaver binary. The screen-locker-service in xorg.scm sets the
>> provided package setuid and sets the required pam configuration for the
>> provided package. The problem is that the pam configuration needs to be set
>> for xscreensaver (/etc/pam.d/xscreensaver) and setuid needs to be set for
>> xscreensaver-auth.
>>
>> Interestingly when I setuid xscreensaver-auth manually I run into the
>> following when unlocking:
>> Aug 10 13:35:02 localhost unix_chkpwd[2197]: check pass; user unknown
>> Aug 10 13:35:02 localhost unix_chkpwd[2197]: password check failed for user
>> (rhuijzer)
>> Aug 10 13:35:02 localhost xscreensaver-auth: pam_unix(xscreensaver:auth):
>> authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost=
>>  user=rhuijzer
>>
>> But this might be fixed in time by [RFC PATCH] gnu: linux-pam: Change path
>> to unix_chkpwd helper <https://issues.guix.gnu.org/53468>.
>>
>> I don't know how to fix this elegantly, maybe create a dedicated service
>> for xscreensaver instead of the standard screen-locker-service?
>
> Yes, either that or a special case in ‘screen-locker-service’.

With the attached patch I can make ‘xscreensaver-auth’ setuid-root
(which is optional: it’s needed to tweak OOM behavior) while keeping the
‘xscreensaver’ PAM entry that’s needed.

However, authentication’s still failing due to ‘unix_chkpwd’ not working
on current ‘master’ where <https://issues.guix.gnu.org/53468> is
missing.

Ideas on how to work around that?  It’s not clear to me how
‘unix_chkpwd’ ends up being invoked in the first place…

Thanks,
Ludo’.


[-- Attachment #2: Type: text/x-patch, Size: 6528 bytes --]

diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index 7be995a438..72698aa28a 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -1655,8 +1655,16 @@ (define-public xscreensaver
            (lambda _
              (substitute* '("driver/Makefile.in" "po/Makefile.in.in")
                (("@GTK_DATADIR@") "@datadir@")
-               (("@PO_DATADIR@") "@datadir@"))
-             #t)))
+               (("@PO_DATADIR@") "@datadir@"))))
+         (add-before 'configure 'adjust-default-path
+           (lambda _
+             ;; On Guix System, give higher precedence to the setuid-root
+             ;; 'xscreensaver-auth' program compared to the one that lives in
+             ;; $libexecdir.  This modifies code in the 'hack_environment'
+             ;; function, which changes $PATH.
+             (substitute* "driver/xscreensaver.c"
+               (("= DEFAULT_PATH_PREFIX")
+                "= \"/run/setuid-programs:\" DEFAULT_PATH_PREFIX")))))
        #:configure-flags '("--with-pam"
 
                            ;; Don't check /proc/interrupts in the build
@@ -1704,7 +1712,11 @@ (define-public xscreensaver
     (license (license:non-copyleft
               (string-append
                "http://metadata.ftp-master.debian.org/changelogs/"
-               "/main/x/xscreensaver/xscreensaver_5.36-1_copyright")))))
+               "/main/x/xscreensaver/xscreensaver_5.36-1_copyright")))
+    (properties
+     ;; Tell 'screen-locker-service' which program should be setuid-root.
+     '((screen-locker-setuid-program
+        . "libexec/xscreensaver/xscreensaver-auth")))))
 
 (define-public xssproxy
   (package
diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index 0cbd9aa53b..8f99c0f023 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2017 Andy Wingo <wingo@igalia.com>
-;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013-2017, 2019-2020, 2022 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
 ;;; Copyright © 2018, 2019 Timothy Sample <samplet@ngyro.com>
 ;;; Copyright © 2019 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
@@ -680,12 +680,26 @@ (define slim-service-type
 ;;;
 
 (define-record-type <screen-locker>
-  (screen-locker name program empty?)
+  (screen-locker name package empty?)
   screen-locker?
   (name    screen-locker-name)                     ;string
-  (program screen-locker-program)                  ;gexp
+  (package screen-locker-package)                  ;file-like
   (empty?  screen-locker-allows-empty-passwords?)) ;Boolean
 
+(define (screen-locker-setuid-program-name locker)
+  "Return the name of the setuid program of LOCKER.  It's usually LOCKER's
+name but it might differ in some cases--e.g., 'xscreensaver-auth' for
+XScreenSaver."
+  (let ((package (screen-locker-package locker)))
+    (or (and (package? package)
+             (assoc-ref (package-properties package)
+                        'screen-locker-setuid-program))
+        (string-append "bin/" (screen-locker-name locker)))))
+
+(define (screen-locker-setuid-program locker)
+  (file-append (screen-locker-package locker) "/"
+               (screen-locker-setuid-program-name locker)))
+
 (define screen-locker-pam-services
   (match-lambda
     (($ <screen-locker> name _ empty?)
@@ -693,7 +707,16 @@ (define screen-locker-pam-services
                              #:allow-empty-passwords? empty?)))))
 
 (define screen-locker-setuid-programs
-  (compose list file-like->setuid-program screen-locker-program))
+  (compose list file-like->setuid-program screen-locker-setuid-program))
+
+(define (screen-locker-profile-entries locker)
+  ;; If LOCKER's program is setuid (e.g., 'slock'), then no need to add it to
+  ;; the main profile since it's already in /run/setuid-programs.  Otherwise
+  ;; (e.g., 'xscreensaver-auth'), add it to the profile.
+  (if (string=? (screen-locker-setuid-program-name locker)
+                (string-append "bin/" (screen-locker-name locker)))
+      '()
+      (list (screen-locker-package locker))))
 
 (define screen-locker-service-type
   (service-type (name 'screen-locker)
@@ -701,7 +724,9 @@ (define screen-locker-service-type
                  (list (service-extension pam-root-service-type
                                           screen-locker-pam-services)
                        (service-extension setuid-program-service-type
-                                          screen-locker-setuid-programs)))
+                                          screen-locker-setuid-programs)
+                       (service-extension profile-service-type
+                                          screen-locker-profile-entries)))
                 (description
                  "Allow the given program to be used as a screen locker for
 the graphical server by making it setuid-root, so it can authenticate users,
@@ -721,8 +746,7 @@ (define* (screen-locker-service package
 
 makes the good ol' XlockMore usable."
   (service screen-locker-service-type
-           (screen-locker program
-                          (file-append package "/bin/" program)
+           (screen-locker program package
                           allow-empty-passwords?)))
 
 \f
diff --git a/gnu/system/examples/lightweight-desktop.tmpl b/gnu/system/examples/lightweight-desktop.tmpl
index d4330ecc8e..1ab6ecd4d2 100644
--- a/gnu/system/examples/lightweight-desktop.tmpl
+++ b/gnu/system/examples/lightweight-desktop.tmpl
@@ -3,9 +3,9 @@
 ;; environments.
 
 (use-modules (gnu) (gnu system nss))
-(use-service-modules desktop)
+(use-service-modules desktop xorg)
 (use-package-modules bootloaders certs emacs emacs-xyz ratpoison suckless wm
-                     xorg)
+                     xdisorg xorg)
 
 (operating-system
   (host-name "antelope")
@@ -53,7 +53,9 @@
 
   ;; Use the "desktop" services, which include the X11
   ;; log-in service, networking with NetworkManager, and more.
-  (services %desktop-services)
+  (services (append (list (screen-locker-service slock)
+                          (screen-locker-service xscreensaver))
+                    %desktop-services))
 
   ;; Allow resolution of '.local' host names with mDNS.
   (name-service-switch %mdns-host-lookup-nss))

bug#57071: Xscreensaver not working since latest patch

[Tory S. Anderson]

I hit the same error. I began with the error and the fix from https://issues.guix.gnu.org/23286 and then put xscreensaver into my screenlock section of my config:

--8<---------------cut here---------------start------------->8---
(list (service gnome-desktop-service-type)
	   ;(screen-locker-service xscreensaver) ;; this initializes, but shouts a "do not run as root" error instead of running my images, and doesn't accept my password
           ;;; other stuff
           )
--8<---------------cut here---------------end--------------->8---

Now I have 'xscreensaver: don't login as root' on my screensaver, and no images. As mentioned earlier, only the xscreensaver-auth program should be setuid, not the whole thing, apparently.