swaylock does not accept my correct password and fails to unlock

swaylock does not accept my correct password and fails to unlock

[Oleander via]

Hello,
has anyone had any problem with swaylock/swaylock-effects recently? They don't accept my correct password when trying to unlock.

I use the following lockscreen.sh and system.scm:

@example
#!/bin/sh

# Times the screen off and puts it to background
swayidle \
timeout 60 'swaymsg "output * dpms off"' \
resume 'swaymsg "output * dpms on"' &

# Locks the screen immediately
swaylock --clock --indicator --screenshots --effect-scale 0.4 --effect-vignette 0.2:0.5 --effect-blur 4x2 --datestr "%a %e.%m.%Y" --timestr "%k:%M"

# Kills last background task so idle timer doesn't keep running
kill %%
@end example

@example
;; Guix config with swaywm, encrypted with LUKS

(use-modules
(gnu) (gnu system nss) (gnu system setuid))
(use-service-modules
dbus desktop networking sddm sound ssh)
(use-package-modules
certs
compression
disk
emacs
finance
fonts
fontutils
freedesktop
glib
games
gnome
gnupg
gnuzilla
gtk
haskell-xyz
image
linux
package-management
password-utils
pulseaudio
rsync
ruby
ssh
terminals
tex
texinfo
version-control
wm)

(operating-system
(host-name "t420")
(timezone "Europe/Rome")
(locale "en_US.utf8")

;; Keyboard layout.
(keyboard-layout (keyboard-layout "us"))

;; Bootloader
(bootloader (bootloader-configuration
(bootloader grub-bootloader)
(terminal-outputs '(console))
(targets (list "/dev/sda"))
(keyboard-layout keyboard-layout)))

;; Specify a mapped device for the encrypted root partition.
;; The UUID is that returned by 'cryptsetup luksUUID'.
(mapped-devices
(list (mapped-device
(source (uuid "8022876e-e0cc-4ec5-8363-0f07c590cdbc"))
(targets (list "guix-root"))
(type luks-device-mapping))))

(file-systems
(append
(list (file-system
(device (file-system-label "guix-root"))
(mount-point "/")
(type "ext4")
(dependencies mapped-devices)))
%base-file-systems))

(swap-devices (list
(swap-space (target "/swapfile"))))

;; Define users and groups.
(users
(cons (user-account
(name "oleander")
(comment "")
(group "users")
(home-directory "/home/oleander")
(supplementary-groups '("wheel" "netdev"
"audio" "video" "input")))
%base-user-accounts))

;; Sudoers
(sudoers-file
(plain-file "sudoers" "\
%root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: /run/current-system/profile/sbin/reboot\n"))

;; This is where we specify system-wide packages.
(packages
(append
(list
adwaita-icon-theme
alacritty
at-spi2-core
dbus
emacs
font-awesome
fontconfig
font-dejavu
font-gnu-unifont
fzf
git
gnupg
grim
gtypist
icecat
keepassxc
ledger
nss-certs
openssh-sans-x
pandoc
parted
pass-otp
password-store
pavucontrol
pinentry
pulseaudio
rsync
ruby-asciidoctor
slurp
stow
sway
swayidle
swaylock-effects
texinfo
texlive-base
unzip
waybar
xdg-utils
zip)
%base-packages))

;; Some programs need to run with “root” privileges, even when they are launched by unprivileged users
(setuid-programs (cons*
(setuid-program
(program
(file-append swaylock-effects "/bin/swaylock")))
%setuid-programs))

;; Services
(services
(cons*
(service alsa-service-type
(alsa-configuration
(pulseaudio? #t)))
(service dbus-root-service-type)
(service elogind-service-type)
(service openssh-service-type
(openssh-configuration
(openssh openssh-sans-x)
(port-number 22)
(password-authentication? #f)
(permit-root-login 'prohibit-password)
(authorized-keys
`(("oleander" ,(local-file "/home/oleander/.ssh/authorized_keys"))))))
(service polkit-service-type)
(service sddm-service-type
(sddm-configuration
(auto-login-user "oleander")
(display-server "wayland")))
;; Static networking for one NIC, IPv4-only.
(service static-networking-service-type
(list (static-networking
(addresses
(list (network-address
(device "wlp1s0")
(value "192.168.1.200/24"))))
(routes
(list (network-route
(destination "default")
(gateway "192.168.1.1"))))
(name-servers '("1.1.1.1" "1.0.0.1")))))
(service wpa-supplicant-service-type
(wpa-supplicant-configuration
(config-file "/etc/wpa-supplicant/wpa-supplicant.conf")
(interface "wlp1s0")))
%base-services))

;; Allow resolution of '.local' host names with mDNS.
(name-service-switch %mdns-host-lookup-nss))
@end example

Also, do you have any suggestion to improve my code? One thing I never figured out is how to log in to the system automatically without a display manager.

I found this config https://gitlab.com/mbakke/guix-sway-example/-/tree/master but I don't know if it still works and I need some time to study/understand the code before merging some of it into my config without creating a mess.

Thank you

Re: swaylock does not accept my correct password and fails to unlock

[Remco van 't Veer]

Hi,

This looks like a problem I had in June of this year.  Something to do
with swaylock needing pam stuff instead of setuid.  I fixed it by
removing the setuid on swaylock and adding the following service:

  (define swaylock-service-type
    (service-type
     (name 'swaylock)
     (description "Swaylock needs /etc/pam.d/swaylock configuration.")
     (extensions
      (list
       (service-extension pam-root-service-type
                          (lambda (_)
                            (list
                             (pam-service
                              (name "swaylock")
                              (auth
                               (list
                                (pam-entry (control "include")
                                           (module "login"))))))))))
     (default-value #f)))

This works for me but I am not sure it's still needed.  I am pretty sure
swaylock does not like to be setuid anymore.

A way to figure out what is wrong on your system would be to just run
swaylock from something like xterm and capture all output somewhere to
review later.  It will probably utter some complaints to stdout or
stderr.

Cheers,
Remco


2023/12/21, Oleander via:

> Hello,
> has anyone had any problem with swaylock/swaylock-effects recently?
> They don't accept my correct password when trying to unlock.
>
> I use the following lockscreen.sh and system.scm:
>
> @example
> #!/bin/sh
>
> # Times the screen off and puts it to background
> swayidle \
> timeout 60 'swaymsg "output * dpms off"' \
> resume 'swaymsg "output * dpms on"' &
>
> # Locks the screen immediately
> swaylock --clock --indicator --screenshots --effect-scale 0.4
> --effect-vignette 0.2:0.5 --effect-blur 4x2 --datestr "%a %e.%m.%Y"
> --timestr "%k:%M"
>
> # Kills last background task so idle timer doesn't keep running
> kill %%
> @end example
>
> @example
> ;; Guix config with swaywm, encrypted with LUKS
>
> (use-modules
> (gnu) (gnu system nss) (gnu system setuid))
> (use-service-modules
> dbus desktop networking sddm sound ssh)
> (use-package-modules
> certs
> compression
> disk
> emacs
> finance
> fonts
> fontutils
> freedesktop
> glib
> games
> gnome
> gnupg
> gnuzilla
> gtk
> haskell-xyz
> image
> linux
> package-management
> password-utils
> pulseaudio
> rsync
> ruby
> ssh
> terminals
> tex
> texinfo
> version-control
> wm)
>
> (operating-system
> (host-name "t420")
> (timezone "Europe/Rome")
> (locale "en_US.utf8")
>
> ;; Keyboard layout.
> (keyboard-layout (keyboard-layout "us"))
>
> ;; Bootloader
> (bootloader (bootloader-configuration
> (bootloader grub-bootloader)
> (terminal-outputs '(console))
> (targets (list "/dev/sda"))
> (keyboard-layout keyboard-layout)))
>
> ;; Specify a mapped device for the encrypted root partition.
> ;; The UUID is that returned by 'cryptsetup luksUUID'.
> (mapped-devices
> (list (mapped-device
> (source (uuid "8022876e-e0cc-4ec5-8363-0f07c590cdbc"))
> (targets (list "guix-root"))
> (type luks-device-mapping))))
>
> (file-systems
> (append
> (list (file-system
> (device (file-system-label "guix-root"))
> (mount-point "/")
> (type "ext4")
> (dependencies mapped-devices)))
> %base-file-systems))
>
> (swap-devices (list
> (swap-space (target "/swapfile"))))
>
> ;; Define users and groups.
> (users
> (cons (user-account
> (name "oleander")
> (comment "")
> (group "users")
> (home-directory "/home/oleander")
> (supplementary-groups '("wheel" "netdev"
> "audio" "video" "input")))
> %base-user-accounts))
>
> ;; Sudoers
> (sudoers-file
> (plain-file "sudoers" "\
> %root ALL=(ALL) ALL
> %wheel ALL=(ALL) ALL
> %wheel ALL=(ALL) NOPASSWD: /run/current-system/profile/sbin/reboot\n"))
>
> ;; This is where we specify system-wide packages.
> (packages
> (append
> (list
> adwaita-icon-theme
> alacritty
> at-spi2-core
> dbus
> emacs
> font-awesome
> fontconfig
> font-dejavu
> font-gnu-unifont
> fzf
> git
> gnupg
> grim
> gtypist
> icecat
> keepassxc
> ledger
> nss-certs
> openssh-sans-x
> pandoc
> parted
> pass-otp
> password-store
> pavucontrol
> pinentry
> pulseaudio
> rsync
> ruby-asciidoctor
> slurp
> stow
> sway
> swayidle
> swaylock-effects
> texinfo
> texlive-base
> unzip
> waybar
> xdg-utils
> zip)
> %base-packages))
>
> ;; Some programs need to run with “root” privileges, even when they
> are launched by unprivileged users
> (setuid-programs (cons*
> (setuid-program
> (program
> (file-append swaylock-effects "/bin/swaylock")))
> %setuid-programs))
>
> ;; Services
> (services
> (cons*
> (service alsa-service-type
> (alsa-configuration
> (pulseaudio? #t)))
> (service dbus-root-service-type)
> (service elogind-service-type)
> (service openssh-service-type
> (openssh-configuration
> (openssh openssh-sans-x)
> (port-number 22)
> (password-authentication? #f)
> (permit-root-login 'prohibit-password)
> (authorized-keys
> `(("oleander" ,(local-file "/home/oleander/.ssh/authorized_keys"))))))
> (service polkit-service-type)
> (service sddm-service-type
> (sddm-configuration
> (auto-login-user "oleander")
> (display-server "wayland")))
> ;; Static networking for one NIC, IPv4-only.
> (service static-networking-service-type
> (list (static-networking
> (addresses
> (list (network-address
> (device "wlp1s0")
> (value "192.168.1.200/24"))))
> (routes
> (list (network-route
> (destination "default")
> (gateway "192.168.1.1"))))
> (name-servers '("1.1.1.1" "1.0.0.1")))))
> (service wpa-supplicant-service-type
> (wpa-supplicant-configuration
> (config-file "/etc/wpa-supplicant/wpa-supplicant.conf")
> (interface "wlp1s0")))
> %base-services))
>
> ;; Allow resolution of '.local' host names with mDNS.
> (name-service-switch %mdns-host-lookup-nss))
> @end example
>
> Also, do you have any suggestion to improve my code? One thing I never
> figured out is how to log in to the system automatically without a
> display manager.
>
> I found this config
> https://gitlab.com/mbakke/guix-sway-example/-/tree/master but I don't
> know if it still works and I need some time to study/understand the
> code before merging some of it into my config without creating a mess.
>
> Thank you

Re: swaylock does not accept my correct password and fails to unlock

[Emmanuel Beffara]

Hello,

De Remco van 't Veer le 22/12/2023 à 08:56:
> This works for me but I am not sure it's still needed.  I am pretty sure
> swaylock does not like to be setuid anymore.

I faced the same issue some time ago, not sure when. Indeed the issue was with
swaylock complaining about setuid. My system configuration contains the
following simpler entry, which uses screen-locker-configuration:

    (operating-system
      ...
      (services
        (cons* 
          ...
          (service screen-locker-service-type
                   (screen-locker-configuration
                     (name "swaylock")
                     (program (file-append swaylock "/bin/swaylock"))
                     (using-pam? #t)
                     (using-setuid? #f)))
          ...
          %desktop-services))
      ...
      )


-- 
Emmanuel

Re: swaylock does not accept my correct password and fails to unlock

[Remco van 't Veer]

Hi Emmanuel,

2023/12/22, Emmanuel Beffara:

> De Remco van 't Veer le 22/12/2023 à 08:56:
>> This works for me but I am not sure it's still needed.  I am pretty sure
>> swaylock does not like to be setuid anymore.
>
> I faced the same issue some time ago, not sure when. Indeed the issue was with
> swaylock complaining about setuid. My system configuration contains the
> following simpler entry, which uses screen-locker-configuration:

Oh, that's much better!  Thanks.

Re: swaylock does not accept my correct password and fails to unlock

[Oleander via]

What module provides screen-locker-service-type?

I had already tried to add that entry but after reconfiguring I get:

Backtrace:
18 (primitive-load "/home/oleander/.config/guix/current/bin/gu…")
In guix/ui.scm:
2324:7 17 (run-guix . _)
2287:10 16 (run-guix-command _ . _)
In ice-9/boot-9.scm:
1752:10 15 (with-exception-handler _ _ #:unwind? _ # _)
In guix/status.scm:
859:3 14 (_)
839:4 13 (call-with-status-report _ _)
In guix/scripts/system.scm:
1278:4 12 (_)
In ice-9/boot-9.scm:
1752:10 11 (with-exception-handler _ _ #:unwind? _ # _)
In guix/store.scm:
661:37 10 (thunk)
1300:8 9 (call-with-build-handler #<procedure 7f40dba5dea0 at g…> …)
2180:25 8 (run-with-store #<store-connection 256.99 7f40c478b280> …)
In guix/scripts/system.scm:
846:2 7 (_ _)
720:8 6 (_ #<store-connection 256.99 7f40c478b280>)
In gnu/system.scm:
1298:19 5 (operating-system-derivation _)
835:11 4 (operating-system-services #<<operating-system> kernel:…>)
869:20 3 (services _)
In /etc/system.scm:
135:13 2 (services #<<operating-system> kernel: #<package linux-…>)
In ice-9/boot-9.scm:
1685:16 1 (raise-exception _ #:continuable? _)
1685:16 0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1685:16: In procedure raise-exception:
error: screen-locker-service-type: unbound variable
-------- Original Message --------
On Dec 22, 2023, 09:24, Emmanuel Beffara wrote:

> Hello, De Remco van 't Veer le 22/12/2023 à 08:56: > This works for me but I am not sure it's still needed. I am pretty sure > swaylock does not like to be setuid anymore. I faced the same issue some time ago, not sure when. Indeed the issue was with swaylock complaining about setuid. My system configuration contains the following simpler entry, which uses screen-locker-configuration: (operating-system ... (services (cons* ... (service screen-locker-service-type (screen-locker-configuration (name "swaylock") (program (file-append swaylock "/bin/swaylock")) (using-pam? #t) (using-setuid? #f))) ... %desktop-services)) ... ) -- Emmanuel

Re: swaylock does not accept my correct password and fails to unlock

[Remco van 't Veer]

Op vr 22 dec 2023, om 15:20 schreef Oleander:
> What module provides screen-locker-service-type?

You'll need the "wm" packages module (for swaylock) and "xorg" services (see https://guix.gnu.org/en/manual/devel/en/html_node/X-Window.html).

Re: swaylock does not accept my correct password and fails to unlock

[Emmanuel Beffara]

De Oleander le 22/12/2023 à 15:20:
> What module provides screen-locker-service-type?

This is in (gnu services xorg). My system.scm starts with

    (use-modules (gnu)
                 ...)
    (use-service-modules ... xorg ...)
    (use-package-modules ... wm ...)

where the wm package is used to get swaylock.

-- 
Emmanuel

Re: swaylock does not accept my correct password and fails to unlock

[Oleander via]

I added the suggested entry and now swaylock works fine.

Thanks Emmanuel and Remco for helping!-------- Original Message --------
On Dec 22, 2023, 09:24, Emmanuel Beffara wrote:

> Hello, De Remco van 't Veer le 22/12/2023 à 08:56: > This works for me but I am not sure it's still needed. I am pretty sure > swaylock does not like to be setuid anymore. I faced the same issue some time ago, not sure when. Indeed the issue was with swaylock complaining about setuid. My system configuration contains the following simpler entry, which uses screen-locker-configuration: (operating-system ... (services (cons* ... (service screen-locker-service-type (screen-locker-configuration (name "swaylock") (program (file-append swaylock "/bin/swaylock")) (using-pam? #t) (using-setuid? #f))) ... %desktop-services)) ... ) -- Emmanuel