On Sat, Feb 15, 2014 at 01:11:55PM +0100, Stefan Seyfried wrote:
> This works as root, and it works if I SGID shadow the i3lock binary. But I guess this is not the right thing to do?
To check the password, you need (under normal circumstances) read access to /etc/shadow which is usually provided by sgid.
> The package even includes a pam file /etc/pam.d/i3lock (this is suse package specific, different from the upstream one) containing:
>
> #%PAM-1.0
> auth     include        common-auth
> account  include        common-account
> password include        common-password
> session  include        common-session
>
> But I cannot determine what this is good for.
It just means that we use settings from common-* for everything. And common-auth by default requires pam_unix.so which checks the password against /etc/shadow.
> So what to do? Make i3lock sgid shadow?
Unless you want to use e.g. LDAP and ignore /etc/shadow, you should. I have the same problem with vlock on every new installation but the security team claims that you don't necessarily need to read /etc/shadow to authenticate (as it is possible to use only other forms of authentication) so that programs needing to authenticate users shouldn't have sgid shadow by default. So (almost) everyone who wants to use them has to add it manually.

Michal Kubeček
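The access path discussed in this thread (a setgid binary whose group can read the shadow file) can be audited with a short script. This is an added example, not part of the original thread or of the i3lock package; the function names are hypothetical, the binary path is passed as an argument, the group `shadow` and `/etc/shadow` defaults are assumptions taken from the setup described above, and GNU `stat` is required.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether a screen locker can reach
# the shadow file through setgid group access. Requires GNU stat (Linux).

# has_sgid_group FILE GROUP: 0 if FILE is setgid and group-owned by GROUP.
has_sgid_group() {
    [ -f "$1" ] || return 2
    [ -g "$1" ] || return 1                      # setgid bit missing
    [ "$(stat -c %G "$1")" = "$2" ]              # group owner must match
}

# group_can_read FILE GROUP: 0 if FILE is group-owned by GROUP and group-readable.
group_can_read() {
    [ -e "$1" ] || return 2
    [ "$(stat -c %G "$1")" = "$2" ] || return 1
    case "$(stat -c %A "$1")" in
        ????r*) return 0 ;;                      # e.g. -rw-r-----
        *)      return 1 ;;
    esac
}

# audit_locker BINARY GROUP SHADOWFILE: report both halves of the access path.
audit_locker() {
    bin=$1 grp=$2 shadow=$3 rc=0
    if has_sgid_group "$bin" "$grp"; then
        echo "OK    $bin is setgid $grp"
    else
        echo "MISS  $bin is not setgid $grp"; rc=1
    fi
    if group_can_read "$shadow" "$grp"; then
        echo "OK    $shadow is readable by group $grp"
    else
        echo "MISS  $shadow is not readable by group $grp"; rc=1
    fi
    return $rc
}

# Usage: script BINARY [GROUP] [SHADOWFILE]; defaults are assumptions.
if [ "$#" -ge 1 ]; then
    audit_locker "$1" "${2:-shadow}" "${3:-/etc/shadow}"
fi
```

A non-zero exit status means at least one half of the path is missing, which is the state in which pam_unix.so cannot check the password for a non-root user as described above.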