Bug 370847 - gnome-screensaver does not work correctly with OpenPAM

Status: RESOLVED WONTFIX
Product: gnome-screensaver
Classification: Deprecated
Component: dialog
Version: 2.16.x
Hardware/OS: Other / FreeBSD
Importance: Normal major
Target Milestone: ---
Assigned To: gnome-screensaver maintainers
QA Contact: gnome-screensaver maintainers
Duplicates: 478443 (view as bug list)
Depends on:
Blocks:
Reported: 2006-11-05 03:41 UTC by Joe Marcus Clarke
Modified: 2011-03-06 06:55 UTC
See Also:
GNOME target: ---
GNOME version: 2.15/2.16

Description Joe Marcus Clarke 2006-11-05 03:41:26 UTC
On systems that use OpenPAM (e.g. FreeBSD and NetBSD), gnome-screensaver cannot be unlocked if the PAM module being used is pam_unix.so. This is due to the fact that pam_unix.so requires root privileges in order to read the local passwd database. Unfortunately, g-s drops root privileges before creating the pam_handle, and thus cannot properly authenticate the user. This was not a problem in g-s 2.14 as the authentication happened as uid 0. The reason this problem does not affect Linux is because LinuxPAM uses the setuid unix_chkpwd helper to do local passwd authentication. This helper does not exist in OpenPAM, and all PAM consumers are setuid root.

I was thinking what the best way to fix this problem would be. I believe creating the pam_handle in gs_auth_priv_init() would work, but I'm not sure what the best way to handle the data and func members of the pam_closure structure would be. Could these be made global static variables? Maybe the need for uid 0 for PAM authentication could be made configurable.
Comment 1 Joe Marcus Clarke 2006-11-05 03:44:17 UTC
I should add that a workaround for this problem is to build without PAM support if you will only be using the UNIX passwd database for authentication.
Comment 2 William Jon McCann 2006-11-06 15:47:52 UTC
So, is adding something like unix_chkpwd out of the question?  It seems to me that it is better to have all elevated privilege code residing in one place rather than in every program that uses PAM.  Among other things this makes it much easier to audit.
Comment 3 Joe Marcus Clarke 2006-11-06 18:21:04 UTC
Yes, it would mean changing OpenPAM, and I don't see that happening any time soon.  Even when we used LinuxPAM in 4.X, we had our own pam_unix that did not use unix_chkpwd.
Comment 4 Ray Strode [halfline] 2006-11-08 20:39:24 UTC
So why is it out of the question to change OpenPAM?  And why did you strip out unix_chkpwd from pam_unix?

Running gnome-screensaver-dialog setuid seems like a bad idea to me.
Comment 5 Joe Marcus Clarke 2006-11-08 21:01:16 UTC
For one, you'd need a much larger buy-in to change OpenPAM.  You'd have to fundamentally change multiple OSes as well.  And OpenPAM did not strip unix_chkpwd from pam_unix.  It was never there to begin with (just like Solaris, IIRC).

I am not saying that gnome-screensaver-dialog should run setuid.  I am just asking if it can be modified to do some PAM prep work prior to dropping root privileges.
Comment 6 Joe Baker 2007-06-04 20:29:18 UTC
It should be noted that gnome-screensaver is broken on Ubuntu Linux as well in the matter of authenticating against an LDAP server.

https://bugs.launchpad.net/ubuntu/+source/gnome-screensaver/+bug/64301

I'm trying to see if there is an open ticket in Gnome's Bugzilla for the matter.  
So far this bug (370847) is as close as I've found.
Comment 7 mwisnicki 2008-07-28 16:42:50 UTC
(In reply to comment #0)
> I was thinking what the best way to fix this problem would be.  I believe
> creating the pam_handle in gs_auth_priv_init() would work,

I don't think so. Looking at our pam_unix source[1] it seems like you need to be super-user when calling pam_authenticate.


[1] http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/openpam/modules/pam_unix/pam_unix.c?rev=1.1.1.5
Comment 8 Joe Marcus Clarke 2008-08-17 20:25:23 UTC
Since it didn't look like this would ever be fixed in gnome-screensaver, I wrote a PAM helper tool which plugs into the g-s helper code.  The tool can be made setuid root, and has been tested to authenticate g-s properly.  The code should build on any system which uses OpenPAM.

http://www.marcuscom.com:8080/cgi-bin/cvsweb.cgi/pam_helper
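The arrangement argued for in comment 2 and built in comment 8 (all privileged authentication code in one small helper, the way unix_chkpwd works on Linux-PAM, with the screensaver dialog itself never needing uid 0) can be sketched in C. The block below is an added example; it is not gnome-screensaver code and not Joe Marcus Clarke's pam_helper. It assumes a length-prefixed pipe protocol, a MAX_CRED limit, and the function names shown; fork() stands in for exec'ing a separate setuid-root helper binary, and the constructed fake_db table stands in for the pam_start()/pam_authenticate() call that the real helper would make as root.

```c
/* Added example, not gnome-screensaver code and not the pam_helper from
 * comment 8: the unprivileged dialog hands credentials to a separate helper and
 * gets back a one-byte verdict, so only the helper needs privilege.  fork()
 * stands in for exec'ing a setuid helper; fake_db stands in for PAM. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#define MAX_CRED 255                        /* assumed cap on user/password length */

/* Constructed credentials.  A real helper would call PAM here, running as root
 * because that is what pam_unix on OpenPAM requires. */
static const struct { const char *user, *password; } fake_db[] = {
    { "alice", "correct horse" },
};

/* Privileged side of the boundary: the only code that ever sees the database. */
static int privileged_check(const char *user, const char *password)
{
    for (size_t i = 0; i < sizeof fake_db / sizeof fake_db[0]; i++)
        if (strcmp(fake_db[i].user, user) == 0)
            return strcmp(fake_db[i].password, password) == 0;
    return 0;
}

static void scrub(void *p, size_t n)        /* zero a secret; volatile keeps it */
{ volatile unsigned char *v = p; while (n--) *v++ = 0; }

static int write_all(int fd, const void *buf, size_t n)
{
    for (const unsigned char *p = buf; n > 0;) {
        ssize_t w = write(fd, p, n);
        if (w <= 0) return -1;
        p += w; n -= (size_t)w;
    }
    return 0;
}

static int read_all(int fd, void *buf, size_t n)
{
    for (unsigned char *p = buf; n > 0;) {
        ssize_t r = read(fd, p, n);
        if (r <= 0) return -1;              /* error or EOF: treat as failure */
        p += r; n -= (size_t)r;
    }
    return 0;
}

/* Wire format: one length byte, then the bytes, for each field. */
static int send_field(int fd, const char *s)
{
    size_t len = strlen(s);
    uint8_t l = (uint8_t)len;
    if (len > MAX_CRED || write_all(fd, &l, 1) < 0) return -1;
    return write_all(fd, s, len);
}

static int recv_field(int fd, char buf[MAX_CRED + 1])
{
    uint8_t l;
    if (read_all(fd, &l, 1) < 0 || read_all(fd, buf, l) < 0) return -1;
    buf[l] = '\0';
    return strlen(buf) == (size_t)l ? 0 : -1;   /* reject embedded NULs */
}

/* Helper process: read user and password, answer with one byte, scrub. */
static int helper_serve(int in_fd, int out_fd)
{
    char user[MAX_CRED + 1], password[MAX_CRED + 1];
    unsigned char verdict = 0;
    if (recv_field(in_fd, user) == 0 && recv_field(in_fd, password) == 0)
        verdict = (unsigned char)privileged_check(user, password);
    scrub(password, sizeof password);
    write_all(out_fd, &verdict, 1);
    return verdict;
}

/* Unprivileged side: spawn the helper, send credentials, read the verdict.  The
 * verdict counts only if the helper also exited cleanly; a crash is a failure. */
int authenticate_via_helper(const char *user, const char *password)
{
    int to_helper[2], from_helper[2], status;
    unsigned char verdict = 0;
    if (pipe(to_helper) < 0 || pipe(from_helper) < 0) return 0;
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {                         /* child: the would-be setuid helper */
        close(to_helper[1]); close(from_helper[0]);
        _exit(helper_serve(to_helper[0], from_helper[1]) ? 0 : 1);
    }
    close(to_helper[0]); close(from_helper[1]);
    int sent = send_field(to_helper[1], user) == 0 &&
               send_field(to_helper[1], password) == 0;
    close(to_helper[1]);                    /* EOF tells the helper we are done */
    if (sent && read_all(from_helper[0], &verdict, 1) < 0) verdict = 0;
    close(from_helper[0]);
    if (waitpid(pid, &status, 0) < 0) return 0;
    return verdict == 1 && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("alice/correct horse -> %d\n", authenticate_via_helper("alice", "correct horse"));
    return 0;
}
```

In a real deployment the child would be a separate setuid-root binary started with execve() and a sanitised environment, and the PAM conversation (the `data` and `func` members of the pam_closure that comment 0 asks about) would live inside that helper, which is how the ordering problem with dropping privileges before pam_start() disappears. The parent treats anything other than a clean exit plus an explicit "1" as a failed login, rejects over-long or NUL-containing fields before they cross the boundary, and the helper zeroes the password buffer before answering.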
Comment 9 William Jon McCann 2008-11-13 19:33:54 UTC
*** Bug 478443 has been marked as a duplicate of this bug. ***
Comment 10 William Jon McCann 2011-03-06 06:55:44 UTC
This just isn't in the cards.