Mailinglist Archive: opensuse-factory (498 mails)

Re: [opensuse-factory] solved: New Tumbleweed snapshot 20160514 released!
  • From: Wolfgang Bauer <wbauer@xxxxxx>
  • Date: Wed, 18 May 2016 18:56:25 +0200
  • Message-id: <2147612.xvughd40zT@amiga>
On Wednesday, 18 May 2016, 10:47:53 CEST, Rainer Klier wrote:
> but screenlock did not work even after reverting my old pam config files.
> then i downgraded all needed packages to use plasma5 screenlocker from
> plasma 5.6.3.
> the screenlock worked again.
> then, just to try out, i again upgraded everything to plasma 5.6.4, and
> then, to my surprise, it worked again... :-D

The kscreenlocker package will switch your PAM config to use pam_unix on every
installation (also updates).
As mentioned it does require pam_unix so that unlocking works correctly.
With pam_unix2, kscreenlocker_greet just doesn't have the necessary
permissions, making unlocking the session fail.

A workaround is to make /usr/lib64/libexec/kcheckpass suid root, that should
prevent such problems in the future.
Updates will change the file permissions again of course, so you should rather
add an entry to /etc/permissions.local and run chkstat to apply it.

We cannot ship kcheckpass suid root, because the security team declined it
(see, that's why we had
to resort to this PAM config change.

If you want to prevent your PAM config from being changed, convert the
symlinks common-session and so on to proper files, pam-config should not touch
them any more then.

But if you don't have a very specific need to use pam_unix2, it's probably
easier to just stick to pam_unix.
Just because your system has been updated since 13.2 is not a good reason though,
mine has been updated since 8.1 and I am still happily using pam_unix now... ;-)

Kind Regards,
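
The state discussed in this message can be inspected read-only before choosing between the PAM change and the suid workaround. The script below is an added example, not part of the original mail or of kscreenlocker: it reports whether each common-* file is a symlink (which pam-config may rewrite) or a plain file, which of pam_unix and pam_unix2 it references, and whether kcheckpass carries the setuid bit. The function names and the common-* file names other than common-session are assumptions.

```shell
#!/bin/sh
# Added example: read-only audit of the PAM / kcheckpass state described above.
# Both paths can be overridden so the script can be run against a copy.

# Prints "symlink" (pam-config may rewrite it), "file" (left alone) or "missing".
pam_file_state() {
    if [ -L "$1" ]; then echo symlink
    elif [ -f "$1" ]; then echo file
    else echo missing
    fi
}

# Prints which module the file references on non-comment lines:
# "pam_unix", "pam_unix2", "both" or "none".
pam_unix_flavour() {
    if [ ! -r "$1" ]; then echo none; return 0; fi
    awk '
        /^[ \t]*#/      { next }
        /pam_unix2\.so/ { u2 = 1 }
        /pam_unix\.so/  { u1 = 1 }
        END {
            if (u1 && u2) print "both"
            else if (u2)  print "pam_unix2"
            else if (u1)  print "pam_unix"
            else          print "none"
        }' "$1"
}

# Succeeds when the setuid bit is set on the given file.
is_setuid() { [ -u "$1" ]; }

audit() {
    pam_dir=${1:-/etc/pam.d}
    kcheckpass=${2:-/usr/lib64/libexec/kcheckpass}
    # common-session is named in the mail; the other three are assumed here.
    for name in common-auth common-account common-password common-session; do
        f=$pam_dir/$name
        printf '%s: %s, references %s\n' "$name" \
            "$(pam_file_state "$f")" "$(pam_unix_flavour "$f")"
    done
    if is_setuid "$kcheckpass"; then
        echo "kcheckpass: setuid bit set"
    else
        echo "kcheckpass: setuid bit not set"
    fi
}

audit "$@"
```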
