[Bug 216816] New: the gnome-screensaver will not unlock
https://bugzilla.novell.com/show_bug.cgi?id=216816

           Summary: the gnome-screensaver will not unlock
           Product: SUSE Linux 10.1
           Version: Final
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: GNOME
        AssignedTo: bnc-team-gnome@forge.provo.novell.com
        ReportedBy: wshackle@yahoo.com
         QAContact: qa@suse.de

I have a system where users can log in but if the screen locks it can never be unlocked. I am not sure what has happened to the system but it is clearly testing for something very strange instead of the password and failing, without giving the user or even adding something to /var/log/messages to give any clue as to what the problem is.

Each attempt to unlock a screen always produces two entries in /var/log/messages one for the user and one for root. But it always fails whether you give the user passwd or the root password.

Oct 31 16:05:54 archimedes-304 unix2_chkpwd[12716]: pam_authenticate(gnome-screensaver, shackle): Authentication failure
Oct 31 16:05:59 archimedes-304 unix2_chkpwd[12717]: pam_authenticate(gnome-screensaver, root): Authentication failure

The same password works reliably when logging in every other way, (console, GDM, ssh etc)

/etc/pam.d/gnome-screensaver is unmodified. In fact rpm -V pam pam_modules gnome-screensaver shows no modified files for any of these packages.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
------- Comment #1 from jpr@novell.com 2006-11-01 11:47 MST -------

*** Bug 216951 has been marked as a duplicate of this bug. ***
R.Eggermont@TUDelft.nl changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |R.Eggermont@TUDelft.nl
          Component|GNOME                       |Basesystem
            Product|SUSE Linux 10.1             |openSUSE 10.2

------- Comment #2 from R.Eggermont@TUDelft.nl 2006-12-13 04:04 MST -------

I have the exact same problem with openSUSE 10.2 + (NIS+shadow) authentication + (gnome-screensaver/xlock):

Dec 12 11:27:44 client unix2_chkpwd[22851]: pam_authenticate(gnome-screensaver, user): Authentication failure
Dec 12 13:30:13 client unix2_chkpwd[28297]: pam_authenticate(xlock, user): Authentication failure

unix2_chkpwd needs root privileges to check NIS shadow.byname. The problem can be fixed by setting the suid bit for /sbin/unix2_chkpwd:

-rwsr-sr-x 1 root shadow 10112 Nov 25 20:14 /sbin/unix2_chkpwd
R.Eggermont@TUDelft.nl changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         OS/Version|Other                       |SuSE Other
jpr@novell.com changed:

           What    |Removed                               |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-gnome@forge.provo.novell.com |bnc-team-screening@forge.provo.novell.com

------- Comment #3 from jpr@novell.com 2006-12-13 05:24 MST -------

gnome-screensaver is just following the pam rejection, re-assigning.
mhorvath@novell.com changed:

           What    |Removed                                   |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-screening@forge.provo.novell.com |mc@novell.com
mc@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
      Info Provider|                            |wshackle@yahoo.com

------- Comment #4 from mc@novell.com 2006-12-13 08:17 MST -------

On my 10.2 system I have:

$> l /sbin/unix2_chkpwd
-rwxr-sr-x 1 root shadow 10112 25. Nov 20:14 /sbin/unix2_chkpwd*

Is the "s" on the group not sufficient?

pam-modules.spec says:

%attr(2755,root,shadow) /sbin/unix2_chkpwd

What are your permissions on this file?
------- Comment #5 from R.Eggermont@TUDelft.nl 2006-12-13 14:15 MST -------

Sgid shadow is sufficient for reading /etc/shadow, but the keyword here is NIS: the NIS server only accepts client port < 1024 (root!) for shadow.byname access.

With the install default (no suid root), unlocking fails always. If I set suid, unlocking works perfectly (immediately).

-rwsr-sr-x 1 root shadow 10112 Nov 25 20:14 /sbin/unix2_chkpwd

For reference, the KDE screensaver (unlocking this works out of the box) uses kcheckpass for authentication:

-rwsr-xr-x 1 root shadow 12K 2006-08-28 13:10 /opt/kde3/bin/kcheckpass*

According to http://ltp.sourceforge.net/docs/SLES-security-guide-EAL3.pdf:

"# set this to suid root (4755) if you’re running shadow via NIS:
/opt/kde3/bin/kcheckpass root.shadow 0755"

BTW: I encounter the same NIS+shadow authentication problem everywhere. For example, for apache2 authentication I have to use mod_auth_external+pwauth suid root.

BTW2: I don't know if /sbin/unix_chkpwd is still used somewhere, if so that might require suid root as well.
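Added example (not part of the bug thread and not Novell's code): a shell check that classifies the helpers named in comment #5 by owner, group and mode, following the distinction made there between sgid shadow (enough for the local /etc/shadow) and suid root (needed for NIS shadow.byname). It assumes GNU stat; the function names and result labels are made up for this example.

```sh
#!/bin/sh
# Added example. Function names and result labels are hypothetical.

# classify_helper OWNER GROUP OCTAL_MODE
#   suid-root    : runs with euid 0, so it can use a client port < 1024
#                  and the NIS server will answer shadow.byname lookups
#   sgid-shadow  : can read the local /etc/shadow only
#   unprivileged : neither
classify_helper() {
    owner=$1; group=$2; mode=$3
    case $mode in
        ''|*[!0-7]*) echo "unknown"; return 0 ;;
    esac
    # stat prints 755 for a file without special bits; pad to four digits.
    if [ "${#mode}" -eq 3 ]; then mode="0$mode"; fi
    if [ "${#mode}" -ne 4 ]; then echo "unknown"; return 0; fi
    special=${mode%???}          # leading digit: 4 = setuid, 2 = setgid
    if [ "$owner" = root ] && [ $(( special & 4 )) -ne 0 ]; then
        echo "suid-root"
    elif [ "$group" = shadow ] && [ $(( special & 2 )) -ne 0 ]; then
        echo "sgid-shadow"
    else
        echo "unprivileged"
    fi
}

# audit_helper PATH: print one report line for a helper binary.
audit_helper() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "$path: absent"
        return 0
    fi
    # GNU stat format: %U owner, %G group, %a octal mode.
    set -- $(stat -c '%U %G %a' "$path")
    echo "$path: $(classify_helper "$1" "$2" "$3") ($1:$2 $3)"
}

# Helper paths as they appear in this thread.
for helper in /sbin/unix2_chkpwd /sbin/unix_chkpwd /opt/kde3/bin/kcheckpass; do
    audit_helper "$helper"
done
```

On a host that authenticates against NIS shadow maps, a helper reported as sgid-shadow matches the failing configuration described in this thread.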
R.Eggermont@TUDelft.nl changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
      Info Provider|wshackle@yahoo.com          |

------- Comment #6 from R.Eggermont@TUDelft.nl 2006-12-13 14:16 MST -------

Sorry, forgot to change the status.
mc@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
      Info Provider|                            |lnussel@novell.com

------- Comment #9 from mc@novell.com 2007-01-04 08:30 MST -------

set needinfo ...
------- Comment #10 from R.Eggermont@TUDelft.nl 2007-01-05 01:13 MST -------

Can you please tell me what info you need? I answered your questions from comment #4 in comment #5.
------- Comment #11 from mc@novell.com 2007-01-05 02:21 MST -------

I need info from somebody else :-)
------- Comment #12 from R.Eggermont@TUDelft.nl 2007-01-05 02:32 MST -------

I noticed, but I'm just curious what more info you need. ;-)

As I've encountered this shadow/NIS/SUID problem quite a few times in different places, I'd like to keep informed about progress, solutions or anything related.
------- Comment #13 from mc@novell.com 2007-01-05 02:58 MST -------

Yes, this is because not every thinkable configuration can be supported by us per default. There are cases - especially with suid bits - where we go a safe way which should work for the most configurations, but not all. In these other cases the administrator has to change our default.

In your case now simply set the suid bit. It is needed in your case.

The question we discuss here internally is, if we want to change the default.
lnussel@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|mc@novell.com               |lnussel@novell.com
             Status|NEEDINFO                    |NEW
      Info Provider|lnussel@novell.com          |

------- Comment #14 from lnussel@novell.com 2007-01-11 02:04 MST -------

root:shadow 2755 is likely some historic artifact and wrong, unix2_chkpwd should be 4755. Needs to be fixed in the permissions package.
lnussel@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Comment #15 from lnussel@novell.com 2007-01-17 06:18 MST -------

fixed in permissions, pam, pam-modules and squid for 10.3