[opensuse-factory] [solved] tumbleweed update 2015-09-24 unlock screensaver failed
Today I did an update on Tumbleweed on my laptop from 2015-08-31 to 2015-09-24. Since it has been impossible to unlock the screen saver ("Permissions on the password database may be too restrictive").

I found the solution (consistent I hope) considering this bug report¹ and executing the following command (as root):

chmod 4755 /usr/lib64/libexec/kcheckpass

This may be the resurrection of a well known bug and should be solved then.

Greetings
Willi

¹ <https://bugzilla.novell.com/show_bug.cgi?id=931296>

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
I had a similar issue when I first updated to tumbleweed (this machine has been updated since ~12.3 or somesuch). Apparently somewhere along the line I had a file conflict on pam config files so they weren't updated. I could solve the problem the way you did, but that is a symptom of the pam issue...or at least it was in my case.

After fixing up the pam config files (ie flushing stale ones and replacing with latest since I had no local changes) everything worked. It was many months back so I am not 100% sure where to point you, but perhaps someone else knows about pam configuration. I merely wanted to point it out since the symptoms are exactly the same.

--
Jimmy

On Mon, Sep 28, 2015 at 6:37 PM, Wilhelm Boltz <boltz.willi.list@gmail.com> wrote:
Today I did an update on Tumbleweed on my laptop from 2015-08-31 to 2015-09-24.
Since it has been impossible to unlock the screen saver ("Permissions on the password database may be too restrictive").
I found the solution (consistent I hope) considering this bug report¹ and executing the following command (as root):
chmod 4755 /usr/lib64/libexec/kcheckpass
This may be the resurrection of a well known bug and should be solved then.
Greetings Willi
¹ <https://bugzilla.novell.com/show_bug.cgi?id=931296>
Hello,

thanks for your hints. In my directory (pam.d) all files are up to date, though some older files exist. That may be the reason why permissions changed.

Greetings
Willi

On Monday, 28 September 2015, 23:24:28, Jimmy Berry wrote:
I had a similar issue when I first updated to tumbleweed (this machine has been updated since ~12.3 or somesuch). Apparently somewhere along the line I had a file conflict on pam config files so they weren't updated. I could solve the problem the way you did, but that is a symptom of the pam issue...or at least it was in my case.
After fixing up the pam config files (ie flushing stale ones and replacing with latest since I had no local changes) everything worked. It was many months back so I am not 100% sure where to point you, but perhaps someone else knows about pam configuration. I merely wanted to point it out since the symptoms are exactly the same.
-- Jimmy
On Mon, Sep 28, 2015 at 6:37 PM, Wilhelm Boltz
<boltz.willi.list@gmail.com> wrote:
Today I did an update on Tumbleweed on my laptop from 2015-08-31 to 2015-09-24.
Since it has been impossible to unlock the screen saver ("Permissions on the password database may be too restrictive").
I found the solution (consistent I hope) considering this bug
report¹ and executing the following command (as root): chmod 4755 /usr/lib64/libexec/kcheckpass
This may be the resurrection of a well known bug and should be solved then.
Greetings Willi
¹ <https://bugzilla.novell.com/show_bug.cgi?id=931296>
On 29.09.2015 at 15:19, Wilhelm Boltz wrote:
In my directory (pam.d) all files are up to date, though some older files exist. That may be the reason why permissions changed.
i found .rpmnew files in /etc/pam.d. i fixed it by linking the .rpmnew files to the searched files. for example i linked /etc/pam.d/common-account.rpmnew to /etc/pam.d/common-account.

--
Best Regards | Liebe Grüße | Cordialement | Cordiali Saluti | Atenciosamente | Saludos Cordiales
Rainer Klier
Research & Development
SIGNificant Signature Solutions GmbH (a xyzmo company)
Haider Straße 23 | 4052 Ansfelden | Austria
Phone: +43 7229 88060 -707
Website: https://www.xyzmo.com/
Support: https://www.xyzmo.com/contact/support
Get documents signed. Anywhere. At any time.
Rainer Klier <rainer.klier@xyzmo.com> writes:
i fixed it by linking the .rpmnew files to the searched files. for example i linked /etc/pam.d/common-account.rpmnew to /etc/pam.d/common-account.
Don't do that. Run pam-config instead.

Andreas.

--
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."
On 29.09.2015 at 15:49, Andreas Schwab wrote:
Rainer Klier <rainer.klier@xyzmo.com> writes:
i fixed it by linking the .rpmnew files to the searched files. for example i linked /etc/pam.d/common-account.rpmnew to /etc/pam.d/common-account.
Don't do that. Run pam-config instead.
but how? should i remove the links and copy the .rpmnew files over the -pc files, and then run pam-config? and how should i run pam-config? which parameters/options should i use?

--
Rainer Klier
Rainer Klier <rainer.klier@xyzmo.com> writes:
On 29.09.2015 at 15:49, Andreas Schwab wrote:
Rainer Klier <rainer.klier@xyzmo.com> writes:
i fixed it by linking the .rpmnew files to the searched files. for example i linked /etc/pam.d/common-account.rpmnew to /etc/pam.d/common-account.
Don't do that. Run pam-config instead.
but how?
pam-config --update

The .rpmnew files are really corresponding to the .pam-config-backup files.

Andreas.
On Tuesday, 29 September 2015, 15:38:58, Rainer Klier wrote:
On 29.09.2015 at 15:19, Wilhelm Boltz wrote:
In my directory (pam.d) all files are up to date, though some older files exist. That may be the reason why permissions changed.
i found .rpmnew files in /etc/pam.d. i fixed it by linking the .rpmnew files to the searched files. for example i linked /etc/pam.d/common-account.rpmnew to /etc/pam.d/common-account.
Better copy/move the .rpmnew files over the corresponding common-xxx-pc ones (e.g. common-account.rpmnew -> common-account-pc), to which common-account and so on are normally symlinked. And yes, that is the proper fix.

The reason why the permissions changed is that the security team declined to install Plasma5's kcheckpass as suid root (like the KDE4 version is).
https://bugzilla.opensuse.org/show_bug.cgi?id=926267

And it isn't necessary anyway with pam_unix.so, which is used by default since openSUSE 13.1. But if you kept upgrading your system since before 13.1, you'll still be using pam_unix2.so (and have those .rpmnew files...) because the PAM configuration is not changed during updates (for good reasons).

If you do change the permissions of kcheckpass manually, this won't survive updates. You'd have to set them in /etc/permissions.local instead.

Kind Regards,
Wolfgang
On 29.09.2015 at 15:52, Wolfgang Bauer wrote:
On Tuesday, 29 September 2015, 15:38:58, Rainer Klier wrote:
On 29.09.2015 at 15:19, Wilhelm Boltz wrote:
i found .rpmnew files in /etc/pam.d. i fixed it by linking the .rpmnew files to the searched files. for example i linked /etc/pam.d/common-account.rpmnew to /etc/pam.d/common-account.
Better copy/move the .rpmnew files over the corresponding common-xxx-pc ones (e.g. common-account.rpmnew -> common-account-pc), to which common-account and so on are normally symlinked.
ok, so i should do this:

cp common-account.rpmnew common-account-pc
rm common-account
ln -s common-account-pc common-account

correct?
But if you kept upgrading your system since before 13.1, you'll still be using
yes, i did.
pam_unix2.so (and have those .rpmnew files...) because the PAM configuration is not changed during updates (for good reasons).
ok, and what does this mean for me? what should i do? is the above cp/rm/ln all i have to do?

--
Rainer Klier
On Tuesday, 29 September 2015, 16:07:38, Rainer Klier wrote:
ok, so i should do this:

cp common-account.rpmnew common-account-pc
rm common-account
ln -s common-account-pc common-account

correct?
Yes. And the same for the other 3, common-auth, common-password, and common-session.

Or instead of copying (or moving) you could also compare the files (common-account.rpmnew to common-account-pc and so on) and change the line with pam_unix2.so accordingly in the latter (with a text editor).
pam_unix2.so (and have those .rpmnew files...) because the PAM configuration is not changed during updates (for good reasons).
ok, and what does this mean for me? what should i do? is the above cp/rm/ln all i have to do?
Yes, this should suffice to fix the problem.

Kind Regards,
Wolfgang
Hello Wolfgang,

On Tuesday, 29 September 2015, 20:27:17, Wolfgang Bauer wrote:
On Tuesday, 29 September 2015, 16:07:38, Rainer Klier wrote:
ok, so i should do this:

cp common-account.rpmnew common-account-pc
rm common-account
ln -s common-account-pc common-account

correct?
Yes. And the same for the other 3, common-auth, common-password, and common-session.
Or instead of copying (or moving) you could also compare the files (common-account.rpmnew to common-account-pc and so on) and change the line with pam_unix2.so accordingly in the latter (with a text editor).
pam_unix2.so (and have those .rpmnew files...) because the PAM configuration is not changed during updates (for good reasons).
ok, and what does this mean for me? what should i do? is the above cp/rm/ln all i have to do?
Yes, this should suffice to fix the problem.
thank you very much for your more comprehensive explanation. I adjusted the pam config files as mentioned (except deleting and rebuilding symlinks), and I revoked the change of permissions for kcheckpass.

Et voilà: It works!

Greetings
Willi
On 29.09.2015 at 20:27, Wolfgang Bauer wrote:
On Tuesday, 29 September 2015, 16:07:38, Rainer Klier wrote:
And the same for the other 3, common-auth, common-password, and common-session.
ok, did that. works. thanks.
is the above cp/rm/ln all i have to do?
Yes, this should suffice to fix the problem.
it did. although my previous solution also worked, where i linked the common-account.rpmnew to common-account. but the new fix is of course a cleaner approach. thanks.

--
Rainer Klier
On Wednesday, 30 September 2015, 09:35:18, Rainer Klier wrote:
although my previous solution also worked, where i linked the common-account.rpmnew to common-account.
Yes, of course that works too. In the end, common-account (and so on) is used as config files.

But if you modify the symlinks, the command "pam-config" might not work any more. It definitely doesn't work if you replace the symlinks with actual files (it bails out with an error message about that fact), I'm not sure what happens if you make it point to different files...

Kind Regards,
Wolfgang
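The layout described in Wolfgang's replies (common-account and the other three being symlinks to their -pc files, leftover .rpmnew files, pam_unix2.so still referenced, and the setuid bit on kcheckpass) can be checked without changing anything. This is an added example, not code from the thread or from pam-config; the function names, status words and fixture contents are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: read-only audit of the common-* PAM layout.

# Print one status word for entry $2 (e.g. common-auth) in directory $1.
pam_entry_status() {
    link="$1/$2" pc="$1/$2-pc"
    # pam-config expects a symlink here and bails out on a regular file.
    [ -L "$link" ] || { echo "not-a-symlink"; return; }
    case $(readlink "$link") in
        "$2-pc"|"$pc") ;;                      # points at the -pc file
        *) echo "wrong-target"; return ;;      # e.g. linked to the .rpmnew
    esac
    if grep -q '^[^#]*pam_unix2\.so' "$pc" 2>/dev/null; then
        echo "stale-pam_unix2"                 # pre-13.1 module still active
    elif [ -e "$link.rpmnew" ]; then
        echo "rpmnew-pending"                  # packaged update not merged
    else
        echo "ok"
    fi
}

# Audit the four files named in the thread; return 1 if any is not "ok".
audit_pam_dir() {
    dir=${1:-/etc/pam.d} rc=0
    for name in common-account common-auth common-password common-session; do
        st=$(pam_entry_status "$dir" "$name")
        printf '%s: %s\n' "$name" "$st"
        [ "$st" = ok ] || rc=1
    done
    return "$rc"
}

# Report whether a helper such as kcheckpass carries the setuid bit.
suid_state() {
    if [ -u "$1" ]; then echo "setuid"; else echo "not-setuid"; fi
}

# Constructed fixture (not real system data): one entry per state.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    for n in common-account common-auth common-password common-session; do
        echo "auth required pam_unix.so try_first_pass" > "$d/$n-pc"
        ln -s "$n-pc" "$d/$n"
    done
    echo "auth required pam_unix2.so" > "$d/common-account-pc"
    : > "$d/common-auth.rpmnew"
    rm "$d/common-password" && cp "$d/common-password-pc" "$d/common-password"
    echo "$d"
}
```

After sourcing the file, `audit_pam_dir /etc/pam.d` lists the four entries, and `suid_state /usr/lib64/libexec/kcheckpass` shows whether the manual chmod from the first message is still in effect.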
On 30.09.2015 at 11:24, Wolfgang Bauer wrote:
On Wednesday, 30 September 2015, 09:35:18, Rainer Klier wrote:
although my previous solution also worked, where i linked the common-account.rpmnew to common-account.
Yes, of course that works too. In the end, common-account (and so on) is used as config files.
But if you modify the symlinks, the command "pam-config" might not work any more.
and therefore i fixed it the way you suggested. this way, i can be sure, that the fix remains working.

--
Rainer Klier
participants (5)
- Andreas Schwab
- Jimmy Berry
- Rainer Klier
- Wilhelm Boltz
- Wolfgang Bauer