From: Ludovic Courtès
To: Rick Huijzer
Cc: 57071@debbugs.gnu.org, Roman Scherer
Subject: bug#57071: Xscreensaver not working since latest patch
Date: Mon, 29 Aug 2022 15:22:40 +0200
Message-ID: <87a67n6v6n.fsf@gnu.org>
In-Reply-To: <87v8qyubie.fsf@gnu.org> (Ludovic Courtès's message of "Thu, 11 Aug 2022 15:59:21 +0200")
References: <87zggd14vh.fsf@gnu.org> <87bksstvs0.fsf@burningswell.com> <87v8qyubie.fsf@gnu.org>
List-Id: Bug reports for GNU Guix
Heya,

Ludovic Courtès skribis:

> Rick Huijzer skribis:
>
>> It seems that xscreensaver-auth needs to be setuid instead of the main
>> xscreensaver binary.  The screen-locker-service in xorg.scm sets the
>> provided package setuid and sets the required PAM configuration for the
>> provided package.  The problem is that the PAM configuration needs to be
>> set for xscreensaver (/etc/pam.d/xscreensaver) and setuid needs to be
>> set for xscreensaver-auth.
>>
>> Interestingly, when I setuid xscreensaver-auth manually I run into the
>> following when unlocking:
>>
>> Aug 10 13:35:02 localhost unix_chkpwd[2197]: check pass; user unknown
>> Aug 10 13:35:02 localhost unix_chkpwd[2197]: password check failed for user (rhuijzer)
>> Aug 10 13:35:02 localhost xscreensaver-auth: pam_unix(xscreensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost= user=rhuijzer
>>
>> But this might be fixed in time by [RFC PATCH] gnu: linux-pam: Change path
>> to unix_chkpwd helper .
>>
>> I don't know how to fix this elegantly, maybe create a dedicated service
>> for xscreensaver instead of the standard screen-locker-service?
>
> Yes, either that or a special case in ‘screen-locker-service’.

With the attached patch I can make ‘xscreensaver-auth’ setuid-root (which
is optional: it’s needed to tweak OOM behavior) while keeping the
‘xscreensaver’ PAM entry that’s needed.

However, authentication’s still failing due to ‘unix_chkpwd’ not working
on current ‘master’ where is missing.  Ideas on how to work around that?
It’s not clear to me how ‘unix_chkpwd’ ends up being invoked in the first
place…

Thanks,
Ludo’.

diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index 7be995a438..72698aa28a 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -1655,8 +1655,16 @@ (define-public xscreensaver (lambda _ (substitute* '("driver/Makefile.in" "po/Makefile.in.in") (("@GTK_DATADIR@") "@datadir@") - (("@PO_DATADIR@") "@datadir@")) - #t))) + (("@PO_DATADIR@") "@datadir@")))) + (add-before 'configure 'adjust-default-path + (lambda _ + ;; On Guix System, give higher precedence to the setuid-root + ;; 'xscreensaver-auth' program compared to the one that lives= in + ;; $libexecdir. This modifies code in the 'hack_environment' + ;; function, which changes $PATH. + (substitute* "driver/xscreensaver.c" + (("=3D DEFAULT_PATH_PREFIX") + "=3D \"/run/setuid-programs:\" DEFAULT_PATH_PREFIX"))))) #:configure-flags '("--with-pam" =20 ;; Don't check /proc/interrupts in the build @@ -1704,7 +1712,11 @@ (define-public xscreensaver (license (license:non-copyleft (string-append "http://metadata.ftp-master.debian.org/changelogs/" - "/main/x/xscreensaver/xscreensaver_5.36-1_copyright"))))) + "/main/x/xscreensaver/xscreensaver_5.36-1_copyright"))) + (properties + ;; Tell 'screen-locker-service' which program should be setuid-root. + '((screen-locker-setuid-program + . "libexec/xscreensaver/xscreensaver-auth"))))) =20 (define-public xssproxy (package diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index 0cbd9aa53b..8f99c0f023 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm @@ -1,6 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright =C2=A9 2017 Andy Wingo -;;; Copyright =C2=A9 2013, 2014, 2015, 2016, 2017, 2019, 2020 Ludovic Cour= t=C3=A8s +;;; Copyright =C2=A9 2013-2017, 2019-2020, 2022 Ludovic Court=C3=A8s ;;; Copyright =C2=A9 2015 Sou Bunnbu ;;; Copyright =C2=A9 2018, 2019 Timothy Sample ;;; Copyright =C2=A9 2019 Jan (janneke) Nieuwenhuizen 
@@ -680,12 +680,26 @@ (define slim-service-type ;;; =20 (define-record-type - (screen-locker name program empty?) + (screen-locker name package empty?) screen-locker? (name screen-locker-name) ;string - (program screen-locker-program) ;gexp + (package screen-locker-package) ;file-like (empty? screen-locker-allows-empty-passwords?)) ;Boolean =20 +(define (screen-locker-setuid-program-name locker) + "Return the name of the setuid program of LOCKER. It's usually LOCKER's +name but it might differ in some cases--e.g., 'xscreensaver-auth' for +XScreenSaver." + (let ((package (screen-locker-package locker))) + (or (and (package? package) + (assoc-ref (package-properties package) + 'screen-locker-setuid-program)) + (string-append "bin/" (screen-locker-name locker))))) + +(define (screen-locker-setuid-program locker) + (file-append (screen-locker-package locker) "/" + (screen-locker-setuid-program-name locker))) + (define screen-locker-pam-services (match-lambda (($ name _ empty?) @@ -693,7 +707,16 @@ (define screen-locker-pam-services #:allow-empty-passwords? empty?))))) =20 (define screen-locker-setuid-programs - (compose list file-like->setuid-program screen-locker-program)) + (compose list file-like->setuid-program screen-locker-setuid-program)) + +(define (screen-locker-profile-entries locker) + ;; If LOCKER's program is setuid (e.g., 'slock'), then no need to add it= to + ;; the main profile since it's already in /run/setuid-programs. Otherwi= se + ;; (e.g., 'xscreensaver-auth'), add it to the profile. + (if (string=3D? (screen-locker-setuid-program-name locker) + (string-append "bin/" (screen-locker-name locker))) + '() + (list (screen-locker-package locker)))) =20 (define screen-locker-service-type (service-type (name 'screen-locker) 
@@ -701,7 +724,9 @@ (define screen-locker-service-type (list (service-extension pam-root-service-type screen-locker-pam-services) (service-extension setuid-program-service-type - screen-locker-setuid-programs))) + screen-locker-setuid-programs) + (service-extension profile-service-type + screen-locker-profile-entries))) (description "Allow the given program to be used as a screen locker for the graphical server by making it setuid-root, so it can authenticate user= s, @@ -721,8 +746,7 @@ (define* (screen-locker-service package =20 makes the good ol' XlockMore usable." (service screen-locker-service-type - (screen-locker program - (file-append package "/bin/" program) + (screen-locker program package allow-empty-passwords?))) =20 diff --git a/gnu/system/examples/lightweight-desktop.tmpl b/gnu/system/exam= ples/lightweight-desktop.tmpl index d4330ecc8e..1ab6ecd4d2 100644 --- a/gnu/system/examples/lightweight-desktop.tmpl +++ b/gnu/system/examples/lightweight-desktop.tmpl @@ -3,9 +3,9 @@ ;; environments. =20 (use-modules (gnu) (gnu system nss)) -(use-service-modules desktop) +(use-service-modules desktop xorg) (use-package-modules bootloaders certs emacs emacs-xyz ratpoison suckless = wm - xorg) + xdisorg xorg) =20 (operating-system (host-name "antelope") @@ -53,7 +53,9 @@ =20 ;; Use the "desktop" services, which include the X11 ;; log-in service, networking with NetworkManager, and more. - (services %desktop-services) + (services (append (list (screen-locker-service slock) + (screen-locker-service xscreensaver)) + %desktop-services)) =20 ;; Allow resolution of '.local' host names with mDNS. (name-service-switch %mdns-host-lookup-nss)) --=-=-=--
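Review bot: in the 'adjust-default-path' phase of the first gnu/packages/xdisorg.scm hunk, the `substitute*` over driver/xscreensaver.c succeeds even when the pattern `= DEFAULT_PATH_PREFIX` matches nothing, so an upstream rename of that macro would silently drop the "/run/setuid-programs:" prefix and the non-setuid libexec copy would be found first again; make the phase fail when the substitution did not take effect (grep for the inserted string afterwards, or match a more specific pattern). The comment should also say what it implies: since the edit is in 'hack_environment', the prefix lands on the PATH of every child xscreensaver spawns, the screen hacks included, not only on the lookup of 'xscreensaver-auth'. If the daemon can be told the helper's absolute path instead, that would be the narrower change.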
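Review bot: the 'screen-locker-setuid-program' property added in the second gnu/packages/xdisorg.scm hunk is read by `screen-locker-setuid-program-name` in gnu/services/xorg.scm, but its contract is stated only in the one-line comment next to it. The value must be a path relative to the package output ("libexec/xscreensaver/xscreensaver-auth"), not a program name, and the service falls back to "bin/NAME" when it is absent; please document that convention where `screen-locker-service` is described so that other lockers can set the property correctly.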
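Review bot: in the gnu/services/xorg.scm hunk that introduces `screen-locker-setuid-program-name`, the docstring says it returns "the name of the setuid program" but the value is a path relative to the package output ("bin/NAME" by default, which is what the `(string-append "bin/" ...)` fallback builds); say "path" there. Renaming the record field from `program` (a gexp) to `package` (file-like) also changes the `screen-locker` constructor's argument type: a caller that still passes its own `file-append` of the binary is not a `package?`, so the "bin/NAME" fallback gets appended to a path that already ends in "/bin/NAME". The `screen-locker-service` hunk below updates the one caller visible in this patch; a NEWS or commit-message line about the constructor change would help anyone who built a `screen-locker` record directly.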
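Review bot: `screen-locker-profile-entries` in the `@@ -693,7 +707,16 @@` hunk decides whether the package goes into the system profile by recomputing "bin/NAME" and string-comparing it against the setuid program path, duplicating the fallback logic of `screen-locker-setuid-program-name`; a single predicate ("does this locker use a helper other than bin/NAME?") shared by both would keep them from drifting. The comment's reasoning is also slightly off: it says slock needs no profile entry "if LOCKER's program is setuid", but 'xscreensaver-auth' is setuid too. The actual distinction is whether the program the user invokes is the setuid one (slock) or a non-setuid front end that needs to be on PATH (xscreensaver); say that instead.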
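Review bot: the `description` context lines in the `@@ -701,7 +724,9 @@` hunk still read "Allow the given program to be used as a screen locker ... by making it setuid-root", which is no longer accurate once the setuid program can differ from the named program (the PAM service is named after the locker, the setuid bit goes on the program named by the property). Update that text, and the `screen-locker-service` docstring in the following hunk, to say that the PAM service takes the locker's name while the setuid program is either bin/NAME or the package's 'screen-locker-setuid-program' property.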
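Review bot: the gnu/system/examples/lightweight-desktop.tmpl hunks now register two screen lockers, `slock` and `xscreensaver`, each adding a PAM service and a setuid program. If the intent is to exercise both code paths (the "bin/NAME" default and the property-driven helper), say so in the comment above the `services` field; a template shipped as a starting point otherwise reads better with a single locker, and a user copying it gets two setuid-root programs they may not have asked for.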
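The thread turns on two things a practitioner would check by hand before trusting the setup: which 'xscreensaver-auth' a PATH lookup actually returns once "/run/setuid-programs:" is prepended the way the 'adjust-default-path' phase does, and whether that file carries the set-user-ID bit next to a PAM service named xscreensaver (the service pam_unix logs as 'pam_unix(xscreensaver:auth)' in Rick's output). The script below is an added example, not code from the patch or from Guix; it builds a throw-away directory tree standing in for /run/setuid-programs, $libexecdir and /etc/pam.d (all constructed under mktemp -d) and runs the audit with both search orders. Ownership is checked against an explicit owner because an unprivileged run cannot create root-owned files; on a real system leave that argument out so root is required.

```shell
#!/bin/sh
# Added example; not code from the patch or from Guix. It reproduces, in a
# throw-away directory tree, the lookup the patched 'hack_environment'
# relies on: xscreensaver finds 'xscreensaver-auth' through $PATH, so the
# setuid-root copy under /run/setuid-programs only wins when that directory
# comes first. Every path below is constructed inside mktemp -d.

# resolve_in_path NAME PATH: print the first executable NAME found on PATH,
# in the order execvp() would try it; status 1 if none is found.
resolve_in_path() {
  name=$1
  old_ifs=$IFS
  IFS=:
  set -f
  set -- $2
  set +f
  IFS=$old_ifs
  for dir in "$@"; do
    if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
      printf '%s\n' "$dir/$name"
      return 0
    fi
  done
  return 1
}

# audit_locker NAME PATH PAMDIR [OWNER]: succeed only if the NAME that PATH
# resolves to is set-user-ID, owned by OWNER (default root), and PAMDIR holds
# a service file called 'xscreensaver'. Distinct statuses tell failures apart.
audit_locker() {
  want=${4:-root}
  helper=$(resolve_in_path "$1" "$2") || { echo "$1: not found on PATH"; return 1; }
  [ -u "$helper" ] || { echo "$helper: set-user-ID bit not set"; return 2; }
  owner=$(ls -ld "$helper" | awk '{ print $3 }')
  [ "$owner" = "$want" ] || { echo "$helper: owned by $owner, not $want"; return 3; }
  [ -f "$3/xscreensaver" ] || { echo "$3/xscreensaver: PAM service file missing"; return 4; }
  echo "$helper: setuid, owned by $want, PAM service present"
  return 0
}

# make_fixture: build the constructed tree and print its root. Both copies of
# the helper are the same stub script; only the one under run/setuid-programs
# gets the set-user-ID bit (chmod u+s needs ownership of the file, not root).
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/run/setuid-programs" "$root/libexec/xscreensaver" "$root/etc/pam.d"
  printf '#!/bin/sh\nexit 0\n' > "$root/libexec/xscreensaver/xscreensaver-auth"
  chmod 0755 "$root/libexec/xscreensaver/xscreensaver-auth"
  cp "$root/libexec/xscreensaver/xscreensaver-auth" "$root/run/setuid-programs/xscreensaver-auth"
  chmod 4755 "$root/run/setuid-programs/xscreensaver-auth"
  : > "$root/etc/pam.d/xscreensaver"
  printf '%s\n' "$root"
}

# demo: run the audit with the unpatched search order ($libexecdir first) and
# with the patched one (/run/setuid-programs first). The owner passed in is
# the current user only because this runs unprivileged.
demo() {
  root=$(make_fixture)
  pamdir=$root/etc/pam.d
  me=$(id -un)
  unpatched="$root/libexec/xscreensaver:/usr/bin:/bin"
  patched="$root/run/setuid-programs:$unpatched"
  if audit_locker xscreensaver-auth "$unpatched" "$pamdir" "$me"; then
    echo "unpatched PATH: OK"
  else
    echo "unpatched PATH: FAIL (status $?)"
  fi
  if audit_locker xscreensaver-auth "$patched" "$pamdir" "$me"; then
    echo "patched PATH: OK"
  else
    echo "patched PATH: FAIL (status $?)"
  fi
  rm -rf "$root"
}

demo
```

With the unpatched order the audit stops at status 2 (the libexec copy is found first and is not setuid); with the patched order it passes. The same two functions work against a live Guix System by passing the PATH that xscreensaver's 'hack_environment' builds and /etc/pam.d, with no owner argument.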