GNOME Bugzilla – Bug 370847
gnome-screensaver does not work correctly with OpenPAM
Last modified: 2011-03-06 06:55:44 UTC
On systems that use OpenPAM (e.g. FreeBSD and NetBSD), gnome-screensaver cannot be unlocked if the PAM module being used is pam_unix.so. This is due to the fact that pam_unix.so requires root privileges in order to read the local passwd database. Unfortunately, g-s drops root privileges before creating the pam_handle, and thus cannot properly authenticate the user. This was not a problem in g-s 2.14 as the authenticate happened as uid 0. The reason this problem does not affect Linux is because LinuxPAM uses the setuid unix_chkpwd helper to do local passwd authentication. This helper does not exist in OpenPAM, and all PAM consumers are setuid root. I was thinking what the best way to fix this problem would be. I believe creating the pam_handle in gs_auth_priv_init() would work, but I'm not sure what the best way to handle the data and func members of the pam_closure structure. Could these be made global static variables? Maybe the need for uid 0 for PAM authentication could be made configurable.
I should add that a workaround for this problem is to build without PAM support if you will only be using the UNIX passwd database for authentication.
So, is adding something like unix_chkpwd out of the question? It seems to me that it is better to have all elevated privilege code residing in one place rather than in every program that uses PAM. Among other things this makes it much easier to audit.
Yes, it would mean changing OpenPAM, and I don't see that happening any time soon. Even when we used LinuxPAM in 4.X, we had our own pam_unix that did not use unix_chkpwd.
So why is it out of the question to change OpenPAM? And why did you strip out unix_chkpwd from pam_unix? Running gnome-screensaver-dialog setuid seems like a bad idea to me.
For one, you'd need a much larger buy-in to change OpenPAM. You'd have to fundamentally change multiple OSes as well. And OpenPAM did not strip unix_chkpwd from pam_unix. It was never there to begin with (just like Solaris, IIRC). I am not saying that gnome-screensaver-dialog should run setuid. I am just asking if it can be modified to do some PAM prep work prior to dropping root privileges.
It should be noted that gnome-screensaver is broken on Ubuntu Linux as well in the matter of authenticating against an LDAP server. https://bugs.launchpad.net/ubuntu/+source/gnome-screensaver/+bug/64301 I'm trying to see if there is an open ticket in Gnome's Bugzilla for the matter. So far this bug (370847) is as close as I've found.
(In reply to comment #0)
> I was thinking what the best way to fix this problem would be. I believe
> creating the pam_handle in gs_auth_priv_init() would work,

I don't think so. Looking at our pam_unix source[1] it seems like you need to be super-user when calling pam_authenticate.

[1] http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/openpam/modules/pam_unix/pam_unix.c?rev=1.1.1.5
Since it didn't look like this would ever be fixed in gnome-screensaver, I wrote a PAM helper tool which plugs into the g-s helper code. The tool can be made setuid root, and has been tested to authenticate g-s properly. The code should build on any system which uses OpenPAM. http://www.marcuscom.com:8080/cgi-bin/cvsweb.cgi/pam_helper
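The helper arrangement argued for in comment 6 (one setuid unix_chkpwd-style program holding all the privileged code) and the setuid PAM helper described in the comment above, as an added example that is not part of this bug report and not gnome-screensaver's, OpenPAM's, or the linked pam_helper's code. The unprivileged side hands "user\0password\0" to the helper over a pipe rather than argv, the helper enforces unix_chkpwd's rule that a non-root caller may only check its own account, and the password is wiped before exit. Two things are assumptions of the example: the real pam_start()/pam_authenticate() call is replaced by a caller-supplied verify function (the constructed demo_verify accepts the password "hunter2" for any account) so the code builds without libpam, and the helper runs as a forked child of the caller instead of an execve()'d setuid binary. CRED_MAX and all function names are the example's own.

```c
/* Added example (not gnome-screensaver's or OpenPAM's code): the shape of a
 * unix_chkpwd-style privilege-separated password check.  The caller, already
 * running without root like g-s, hands "user\0password\0" to the helper over
 * a pipe rather than argv, so the secret never appears in `ps`.  A real helper
 * is a setuid-root binary calling pam_start()/pam_authenticate(); here the
 * verdict comes from a caller-supplied verify function so this builds without
 * libpam, and the helper runs as a forked child rather than an execve()'d
 * binary (both are assumptions of the example). */
#include <errno.h>
#include <pwd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define CRED_MAX 256   /* example limit per field */

typedef int (*verify_fn)(const char *user, const char *password);

/* unix_chkpwd's rule: root may check any account, everyone else only the
 * account owning the calling process (its real uid).  Returns 1 if allowed. */
int helper_may_check(uid_t caller, const char *user)
{
    const struct passwd *pw;
    if (caller == 0)
        return 1;
    pw = getpwuid(caller);
    return pw != NULL && strcmp(pw->pw_name, user) == 0;
}

/* Write "user\0pass\0" to fd.  Returns 0 on success, -1 on a short write. */
int write_credentials(int fd, const char *user, const char *pass)
{
    size_t ul = strlen(user) + 1, pl = strlen(pass) + 1;
    if (write(fd, user, ul) != (ssize_t)ul || write(fd, pass, pl) != (ssize_t)pl)
        return -1;
    return 0;
}

/* Read the two NUL-terminated fields back.  Returns 0 on success, -1 on EOF
 * before the second NUL or on a field that would overflow its buffer. */
int read_credentials(int fd, char *user, size_t ulen, char *pass, size_t plen)
{
    char *field[2] = { user, pass };
    size_t len[2] = { ulen, plen };
    for (int i = 0; i < 2; i++) {
        size_t n = 0;
        for (;;) {
            char c;
            if (read(fd, &c, 1) != 1 || n + 1 >= len[i])
                return -1;
            field[i][n++] = c;
            if (c == '\0')
                break;
        }
    }
    return 0;
}

/* What the setuid helper does once it holds the pipe; caller is its real uid,
 * i.e. the unprivileged program that invoked it.  Exit status 0 = authenticated. */
int helper_main(int fd, uid_t caller, verify_fn verify)
{
    char user[CRED_MAX], pass[CRED_MAX];
    int ok = read_credentials(fd, user, sizeof user, pass, sizeof pass) == 0 &&
             helper_may_check(caller, user) &&
             verify(user, pass);
    for (volatile char *p = pass; p < pass + sizeof pass; p++)
        *p = 0;   /* keep the password out of any core dump */
    return ok ? 0 : 1;
}

/* The caller's side.  Returns 1 if authenticated, 0 if refused, -1 on error. */
int run_helper_check(const char *user, const char *pass, verify_fn verify)
{
    int pfd[2], status;
    pid_t pid;

    if (strlen(user) >= CRED_MAX || strlen(pass) >= CRED_MAX || pipe(pfd) != 0)
        return -1;
    /* Queue the credentials before forking: a few hundred bytes is far below
     * pipe capacity, so the helper cannot see a short read and the parent
     * cannot take SIGPIPE. */
    if (write_credentials(pfd[1], user, pass) != 0 || (pid = fork()) < 0) {
        close(pfd[0]);
        close(pfd[1]);
        return -1;
    }
    if (pid == 0) {
        close(pfd[1]);
        /* Production would execve() the setuid-root helper with pfd[0] on its
         * stdin (deployment assumption); here it runs in-process. */
        _exit(helper_main(pfd[0], getuid(), verify));
    }
    close(pfd[0]);
    close(pfd[1]);
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

/* Constructed stand-in for pam_authenticate(): accepts any account whose
 * password is "hunter2".  Purely for demonstration. */
int demo_verify(const char *user, const char *password)
{
    (void)user;
    return strcmp(password, "hunter2") == 0;
}
```

The point of the uid check is the one that makes a single shared helper safe to install setuid: a helper that verified arbitrary accounts for any caller would turn every local user into a password oracle, which is why unix_chkpwd refuses to check anyone but the caller unless the caller is root.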
*** Bug 478443 has been marked as a duplicate of this bug. ***
This just isn't in the cards.