[opensuse-packaging] PAM usage needs sgid? Or am I doing something wrong?
Hi all,

While searching for an alternative to xscreensaver (I find the unlock screen plain ugly and don't use any of the animations anyway), I came across i3lock, which is already included in Factory. It does all I need (lock the screen) and is very lightweight. However, it misses one important feature: the actual unlocking of the screen :-)

This works as root, and it works if I SGID shadow the i3lock binary. But I guess this is not the right thing to do?

The package even includes a pam file /etc/pam.d/i3lock (this is SUSE package specific, different from the upstream one) containing:

#%PAM-1.0
auth     include common-auth
account  include common-account
password include common-password
session  include common-session

But I cannot determine what this is good for. I put in some debug code and found out that pam_authenticate() fails with PAM_AUTH_ERR; for insufficient access to /etc/shadow I would expect PAM_CRED_INSUFFICIENT, but then I know next to nothing about PAM internals.

So what to do? Make i3lock sgid shadow?

-- Stefan Seyfried "For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman
-- To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-packaging+owner@opensuse.org
On Sat, Feb 15, 2014 at 01:11:55PM +0100, Stefan Seyfried wrote:
This works as root, and it works if I SGID shadow the i3lock binary. But I guess this is not the right thing to do?
To check the password, you need (under normal circumstances) read access to /etc/shadow which is usually provided by sgid.
The package even includes a pam file /etc/pam.d/i3lock (this is SUSE package specific, different from the upstream one) containing:

#%PAM-1.0
auth     include common-auth
account  include common-account
password include common-password
session  include common-session
But I cannot determine what this is good for.
It just means that we use settings from common-* for everything. And common-auth by default requires pam_unix.so which checks the password against /etc/shadow.
So what to do? make i3lock sgid shadow?
Unless you want to use e.g. LDAP and ignore /etc/shadow, you should. I have the same problem with vlock on every new installation, but the security team claims that you don't necessarily need to read /etc/shadow to authenticate (as it is possible to use only other forms of authentication), so programs needing to authenticate users shouldn't have sgid shadow by default. So (almost) everyone who wants to use them has to add it manually.

Michal Kubeček
Hi Michal

On 17.02.2014 08:36, Michal Kubecek wrote:
On Sat, Feb 15, 2014 at 01:11:55PM +0100, Stefan Seyfried wrote:
This works as root, and it works if I SGID shadow the i3lock binary. But I guess this is not the right thing to do?
To check the password, you need (under normal circumstances) read access to /etc/shadow which is usually provided by sgid.
The package even includes a pam file /etc/pam.d/i3lock (this is SUSE package specific, different from the upstream one) containing:

#%PAM-1.0
auth     include common-auth
account  include common-account
password include common-password
session  include common-session
But I cannot determine what this is good for.
It just means that we use settings from common-* for everything. And common-auth by default requires pam_unix.so which checks the password against /etc/shadow.
Yeah, I figured that out after refreshing my rusty PAM knowledge a little bit :-)
So what to do? make i3lock sgid shadow?
Unless you want to use e.g. LDAP and ignore /etc/shadow, you should. I have the same problem with vlock on every new installation, but the security team claims that you don't necessarily need to read /etc/shadow to authenticate (as it is possible to use only other forms of authentication), so programs needing to authenticate users shouldn't have sgid shadow by default. So (almost) everyone who wants to use them has to add it manually.
I checked what other screensavers do and patched i3lock to use unix2_chkpwd from the pam-modules package. This works because unix2_chkpwd is setgid shadow and does all the nasty stuff; you just need to check the exit code.

The code is now in X11:windowmanagers i3lock

-- Stefan Seyfried
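The delegation described above (fork a setgid helper, feed it the password, trust nothing but its exit status), as an added example that is not the i3lock package's code: it assumes the helper reads one password line from stdin (confirm the framing against the unix2_chkpwd man page; a real call would pass an argv such as the unix2_chkpwd path, the service name i3lock and the user name), and it substitutes a constructed /bin/sh one-liner for the helper so the example runs offline.

```c
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Added example, not the i3lock package code. The locker never touches
 * /etc/shadow itself: it execs a helper, writes the password to the helper's
 * stdin (assumed framing: password followed by a newline) and only looks at
 * the helper's exit status. */

/* Returns the helper's exit status (0 = password accepted), -1 on error. */
int run_checker(char *const argv[], const char *password)
{
    int pipefd[2];
    if (pipe(pipefd) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(pipefd[0]);
        close(pipefd[1]);
        return -1;
    }
    if (pid == 0) {                    /* child: stdin <- pipe, exec helper */
        close(pipefd[1]);
        if (dup2(pipefd[0], STDIN_FILENO) < 0)
            _exit(127);
        close(pipefd[0]);
        execv(argv[0], argv);
        _exit(127);                    /* exec failed: report as failure */
    }
    close(pipefd[0]);                  /* parent: feed the password, then EOF */
    size_t len = strlen(password);
    ssize_t w = write(pipefd[1], password, len);
    if (w == (ssize_t)len)
        w = write(pipefd[1], "\n", 1);
    close(pipefd[1]);
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (w < 0 || !WIFEXITED(status))
        return -1;                     /* a killed or crashed helper is not success */
    return WEXITSTATUS(status);
}

/* Constructed stand-in for unix2_chkpwd so the example runs offline: a shell
 * one-liner that exits 0 only for the constructed password "s3cret". */
int check_with_fake_helper(const char *password)
{
    char *const argv[] = { "/bin/sh", "-c",
        "IFS= read -r p; [ \"$p\" = s3cret ]", NULL };
    return run_checker(argv, password);
}
```

Only an exit status of exactly 0 counts as success; -1 (helper missing, killed or a write error) must be treated as a failed unlock, never as an accepted password.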
On Mon, Feb 17, 2014 at 02:01:08PM +0100, Stefan Seyfried wrote:
Hi Michal
On 17.02.2014 08:36, Michal Kubecek wrote:
On Sat, Feb 15, 2014 at 01:11:55PM +0100, Stefan Seyfried wrote:
This works as root, and it works if I SGID shadow the i3lock binary. But I guess this is not the right thing to do?
To check the password, you need (under normal circumstances) read access to /etc/shadow which is usually provided by sgid.
The package even includes a pam file /etc/pam.d/i3lock (this is SUSE package specific, different from the upstream one) containing:

#%PAM-1.0
auth     include common-auth
account  include common-account
password include common-password
session  include common-session
But I cannot determine what this is good for.
It just means that we use settings from common-* for everything. And common-auth by default requires pam_unix.so which checks the password against /etc/shadow.
Yeah, I figured that out after refreshing my rusty PAM knowledge a little bit :-)
So what to do? make i3lock sgid shadow?
Unless you want to use e.g. LDAP and ignore /etc/shadow, you should. I have the same problem with vlock on every new installation, but the security team claims that you don't necessarily need to read /etc/shadow to authenticate (as it is possible to use only other forms of authentication), so programs needing to authenticate users shouldn't have sgid shadow by default. So (almost) everyone who wants to use them has to add it manually.
I checked what other screensavers do and patched i3lock to use unix2_chkpwd from the pam-modules package.
This works because unix2_chkpwd is setgid shadow and does all the nasty stuff; you just need to check the exit code.
The code is now in X11:windowmanagers i3lock
That's a good solution for this. :)

Ciao, Marcus
* Marcus Meissner
On Mon, Feb 17, 2014 at 02:01:08PM +0100, Stefan Seyfried wrote: [...]
This works because unix2_chkpwd is setgid shadow and does all the nasty stuff, you just need to check the exit code.
The code is now in X11:windowmanagers i3lock
That's a good solution for this. :)
except you can <ctrl><alt><1..6> and "kill `pidof i3lock`" :^(

-- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 @ http://linuxcounter.net
On 17.02.2014 14:39, Patrick Shanahan wrote:
* Marcus Meissner
[02-17-14 08:09]: On Mon, Feb 17, 2014 at 02:01:08PM +0100, Stefan Seyfried wrote: [...]
This works because unix2_chkpwd is setgid shadow and does all the nasty stuff, you just need to check the exit code.
The code is now in X11:windowmanagers i3lock
That's a good solution for this. :)
except you can <ctrl><alt><1..6> and "kill `pidof i3lock`" :^(
You mean "ctrl-alt-F1...F6", right? Ctrl-alt-1 does nothing on my box.

And that is different from the setgid shadow case exactly how? You need to be either root (and then all hope is lost anyway) or know my credentials to log in on tty1 as me, and then you could just type them into i3lock anyway.

-- Stefan Seyfried
* Stefan Seyfried
On 17.02.2014 14:39, Patrick Shanahan wrote: [...]
except you can <ctrl><alt><1..6> and "kill `pidof i3lock`" :^(
You mean "ctrl-alt-F1...F6", right? Ctrl-alt-1 does nothing on my box.
Yes, you are correct.
And that is different from the setgid shadow case exactly how? You need to be either root (and then all hope is lost anyway) or know my credentials to log in on tty1 as me, and then you could just type them into i3lock anyway.
And again. I retract. I like the looks of it, but the present version will not accept my <user> password or root initiated by either. Will watch for your version. tks

-- (paka)Patrick Shanahan
On 17.02.2014 15:04, Patrick Shanahan wrote:
* Stefan Seyfried
[02-17-14 08:46]: On 17.02.2014 14:39, Patrick Shanahan wrote: [...]
except you can <ctrl><alt><1..6> and "kill `pidof i3lock`" :^(
You mean "ctrl-alt-F1...F6", right? Ctrl-alt-1 does nothing on my box.
Yes, you are correct.
Well, it could (theoretically) be the case that i3lock does not grab workspace-switching keys and thus you'd be able to switch to another desktop which is not locked, but AFAICS this is not the case.
I like the looks of it, but the present version will not accept my <user> password or root initiated by either.
The one in X11:windowmanagers should work, but make sure you have the one with the latest changelog entry from today:

* Mo Feb 17 2014 seife+obs@b1-systems.com
- readd the pam config file, which is still needed by unix2_chkpwd
  (I should read the man page more thoroughly next time)

(unix2_chkpwd as used in i3lock needs /etc/pam.d/i3lock; I removed this by accident and thus broke my own code. I just noticed today and added it back.)

-- Stefan Seyfried
* Stefan Seyfried
On 17.02.2014 15:04, Patrick Shanahan wrote:
* Stefan Seyfried
[02-17-14 08:46]: On 17.02.2014 14:39, Patrick Shanahan wrote: [...]
except you can <ctrl><alt><1..6> and "kill `pidof i3lock`" :^(
You mean "ctrl-alt-F1...F6", right? Ctrl-alt-1 does nothing on my box.
Yes, you are correct.
Well, it could (theoretically) be the case that i3lock does not grab workspace-switching keys and thus you'd be able to switch to another desktop which is not locked, but AFAICS this is not the case.
I like the looks of it, but the present version will not accept my <user> password or root initiated by either.
The one in X11:windowmanagers should work, but make sure you have the one with the latest changelog entry from today:

* Mo Feb 17 2014 seife+obs@b1-systems.com
- readd the pam config file, which is still needed by unix2_chkpwd
  (I should read the man page more thoroughly next time)

(unix2_chkpwd as used in i3lock needs /etc/pam.d/i3lock; I removed this by accident and thus broke my own code. I just noticed today and added it back.)
Guess I will have to wait. Last ver published for Tw is dated Feb 16. tks,

-- (paka)Patrick Shanahan
On 17.02.2014 15:43, Patrick Shanahan wrote:
Guess I will have to wait. Last ver published for Tw is dated Feb 16.
Create /etc/pam.d/i3lock with contents

----8<----8<----8<-----
#%PAM-1.0
auth     include common-auth
account  include common-account
password include common-password
session  include common-session
----8<------8<-----8<----

and it should work. That's all I changed today.

-- Stefan Seyfried
* Stefan Seyfried
On 17.02.2014 15:43, Patrick Shanahan wrote:
Guess I will have to wait. Last ver published for Tw is dated Feb 16.
Create /etc/pam.d/i3lock with contents

----8<----8<----8<-----
#%PAM-1.0
auth     include common-auth
account  include common-account
password include common-password
session  include common-session
----8<------8<-----8<----
and it should work. That's all I changed today.
It does, tks

-- (paka)Patrick Shanahan
Hi Michal,

On 17.02.2014 08:36, Michal Kubecek wrote:
Unless you want to use e.g. LDAP and ignore /etc/shadow, you should. I have the same problem with vlock on every new installation
see SR 222583 to Base:System; because it was fun, I also implemented unix2_chkpwd testing for vlock. Marcus, I know you have Base:System accept rights *and* some security knowledge, so I'd appreciate it if you review this; I'm not going to self-accept this SR :-) The code is (as with the i3lock case) mostly modeled after okir's implementation for xscreensaver, but I won't claim that it is free of bugs.

Best regards, Stefan

-- Stefan Seyfried
participants (4): Marcus Meissner, Michal Kubecek, Patrick Shanahan, Stefan Seyfried