From: Rick Huijzer
To: Roman Scherer, ludo@gnu.org, 57071@debbugs.gnu.org
Subject: bug#57071: Xscreensaver not working since latest patch
Date: Wed, 10 Aug 2022 13:54:33 +0200
List-Id: Bug reports for GNU Guix

Hi Roman and Ludo,

It seems that xscreensaver-auth needs to be setuid instead of the main
xscreensaver binary. The screen-locker-service in xorg.scm sets the provided
package setuid and sets the required pam configuration for the provided
package. The problem is that the pam configuration needs to be set for
xscreensaver (/etc/pam.d/xscreensaver) and setuid needs to be set for
xscreensaver-auth.

Interestingly, when I setuid xscreensaver-auth manually I run into the
following when unlocking:

Aug 10 13:35:02 localhost unix_chkpwd[2197]: check pass; user unknown
Aug 10 13:35:02 localhost unix_chkpwd[2197]: password check failed for user (rhuijzer)
Aug 10 13:35:02 localhost xscreensaver-auth: pam_unix(xscreensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost=  user=rhuijzer

But this might be fixed in time by [RFC PATCH] gnu: linux-pam: Change path
to unix_chkpwd helper.

I don't know how to fix this elegantly, maybe create a dedicated service for
xscreensaver instead of the standard screen-locker-service?

Thanks,

On Wed, 10 Aug 2022 at 09:14, Roman Scherer <roman.scherer@burningswell.com> wrote:

>
> Hi Ludo and Rick,
>
> sorry for the trouble. I'm running xscreensaver on a foreign distro and
> did not notice this. Probably because somehow my screen wasn't locked,
> but still showing random screensavers.
>
> However, now that I tried the `xscreensaver-command -lock` command I see
> a dialog with a "Password initialization failed" message.
>
> The xscreensaver logs also show this:
>
> xscreensaver-auth: 06:45:55: OOM: /proc/99677/oom_score_adj: Permission denied
> xscreensaver-auth: 06:45:55:   To prevent the kernel from randomly unlocking
> xscreensaver-auth: 06:45:55:   your screen via the out-of-memory killer,
> xscreensaver-auth: 06:45:55:   "xscreensaver-auth" must be setuid root.
> xscreensaver-auth: 06:46:06: PAM: warning: /etc/pam.d/xscreensaver does not exist.
> xscreensaver-auth: 06:46:06: PAM: password authentication is unlikely to work.
> xscreensaver-auth: 06:46:15: PAM: warning: /etc/pam.d/xscreensaver does not exist.
> xscreensaver-auth: 06:46:15: PAM: password authentication is unlikely to work.
>
> When the dialog popped up, I had to switch to a terminal and kill
> xscreensaver to be able to access my desktop again.
>
> Should we revert it, until we've figured out what's necessary to get this
> working again?
>
> r0man
>
> Ludovic Courtès <ludo@gnu.org> writes:
>
> > Hi Rick,
> >
> > Rick Huijzer <ikbenrickhuyzer@gmail.com> wrote:
> >
> >> The latest xscreensaver patch <https://issues.guix.gnu.org/56597> rendered
> >> xscreensaver unusable on my systems. When I try to unlock my screen I am
> >> greeted with the message 'xscreensaver: don't login as root', even though I
> >> don't invoke it as root.
> >>
> >>
> >> $xscreensaver-command -lock
> >> Aug  9 08:45:22 localhost shepherd[1]: [slim] xscreensaver-gfx: 08:45:22: 1: running as root: not launching hacks.
> >> Aug  9 09:10:29 localhost shepherd[1]: [slim] xscreensaver-command: locking
> >> Aug  9 09:10:32 localhost shepherd[1]: [slim] xscreensaver-gfx: 09:10:32: 0: running as root: not launching hacks.
> >>
> >> When I remove the
> >> (screen-locker-service xscreensaver)
> >> I run into all kinds of set-uid problems.
> >
> > Sorry about that, I built it during review but did not actually run it.
> >
> > One effect of ‘screen-locker-service’ is to make the program setuid-root
> > so that it can authenticate users.  It would seem that something changed
> > in xscreensaver in that area; quoth ‘driver/subprocs.c’:
> >
> >       if (getuid() == (uid_t) 0 || geteuid() == (uid_t) 0)
> >         /* Prior to XScreenSaver 6, if running as root, we would change the
> >            effective uid to the user "nobody" or "daemon" or "noaccess",
> >            but even that was just encouraging bad behavior.  Don't log in
> >            as root. */
> >         {
> >           fprintf (stderr, "%s: %d: running as root: not launching hacks.\n",
> >                    blurb(), ssi->number);
> >           screenhack_obituary (ssi, "", "XScreenSaver: Don't log in as root.");
> >           goto DONE;
> >         }
> >
> > OTOH the ‘disavow_privileges’ function is supposed to drop root
> > privileges early on.
> >
> > So I’m not sure how it’s supposed to be run.  R0man, ideas?
> >
> > Thanks,
> > Ludo’.
>

--
Kind regards,
Rick Huijzer
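
Added example, not part of the original message and not code from Guix or XScreenSaver: a shell check for the three conditions the message and its quoted logs point at (main xscreensaver binary not setuid, xscreensaver-auth setuid root, /etc/pam.d/xscreensaver present). The function names are invented for this example, and the two binary paths are passed as arguments because the thread does not give them.

```shell
#!/bin/sh
# Added example: audit the setuid/PAM layout discussed in bug#57071.
# Assumption: the caller supplies the binary paths; only the PAM file
# path /etc/pam.d/xscreensaver is named in the thread.

# Print the setuid state of FILE: missing | plain | setuid-root | setuid-nonroot
setuid_state() {
    if [ ! -e "$1" ]; then echo missing; return; fi
    if [ ! -u "$1" ]; then echo plain; return; fi
    # Third field of `ls -ldn` is the numeric owner uid (POSIX).
    owner=$(ls -ldn -- "$1" | awk '{print $3}')
    if [ "$owner" = 0 ]; then echo setuid-root; else echo setuid-nonroot; fi
}

# audit_xscreensaver MAIN_BIN AUTH_BIN PAM_FILE
# Prints one line per finding; the return status is the number of findings.
audit_xscreensaver() {
    findings=0
    main_state=$(setuid_state "$1")
    auth_state=$(setuid_state "$2")

    case $main_state in
        setuid-*)
            echo "FINDING: $1 is setuid; per the thread, xscreensaver-auth should be setuid instead of the main binary"
            findings=$((findings + 1)) ;;
        missing)
            echo "FINDING: $1 not found"
            findings=$((findings + 1)) ;;
    esac

    # A setuid bit on a file not owned by uid 0 does not grant root.
    if [ "$auth_state" != setuid-root ]; then
        echo "FINDING: $2 is '$auth_state'; xscreensaver-auth must be setuid root"
        findings=$((findings + 1))
    fi

    if [ ! -e "$3" ]; then
        echo "FINDING: $3 does not exist; PAM password authentication is unlikely to work"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Stand-alone use: sh audit.sh MAIN_BIN AUTH_BIN /etc/pam.d/xscreensaver
if [ "$#" -eq 3 ]; then audit_xscreensaver "$@"; fi
```

A return status of 0 means the layout matches what the message describes as required; it does not cover the separate unix_chkpwd failure shown in the log excerpt.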