Mailinglist Archive: opensuse-factory (498 mails)

< Previous Next >
Re: [opensuse-factory] solved: New Tumbleweed snapshot 20160514 released!
  • From: Wolfgang Bauer <wbauer@xxxxxx>
  • Date: Wed, 18 May 2016 18:56:25 +0200
  • Message-id: <2147612.xvughd40zT@amiga>
Am Mittwoch, 18. Mai 2016, 10:47:53 CEST schrieb Rainer Klier:
but screenlock did not work even after reverting my old pam config files.
then i downgraded all needed packages to use plasma5 screenlocker from
plasma 5.6.3.
the screenlock worked again.
then, just to try out, i again upgraded everything to plasma 5.6.4, and
then, to my surprise, it worked again... :-D

The kscreenlocker package will switch your PAM config to use pam_unix on every
installation (also updates).
As mentioned it does require pam_unix so that unlocking works correctly.
With pam_unix2, kscreenlocker_greet just doesn't have the necessary
permissions, making unlocking the session fail.

A workaround is to make /usr/lib64/libexec/kcheckpass suid root, that should
prevent such problems in the future.
Updates will change the file permissions again of course, so you should rather
add an entry to /etc/permissions.local and run chkstat to apply it.

We cannot ship kcheckpass suid root, because the security team declined it
(see https://bugzilla.opensuse.org/show_bug.cgi?id=926267), that's why we had
to resort to this PAM config change.

If you want to prevent your PAM config from being changed, convert the
symlinks common-session and so on to proper files, pam-config should not touch
them any more then.

But if you don't have a very specific need to use pam_unix2, it's probably
easier to just stick to pam_unix.
Just because your system is updated since 13.2 is not a good reason though,
mine is updated since 8.1 and still I am happily using pam_unix now... ;-)

Kind Regards,
Wolfgang

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-factory+owner@xxxxxxxxxxxx

< Previous Next >
Follow Ups