GNOME Bugzilla – Bug 478443
gnome-screensaver fails to unlock with pam_unix2
Last modified: 2008-11-13 19:33:54 UTC
Steps to reproduce:
1. install pam_unix2
2. /etc/pam.d/common-auth and /etc/pam.d/common-password, replacing pam_unix.so with pam_unix2.so
3. reset your password with passwd
4. log into gnome and lock the screen with gnome-screensaver
5. every attempt to login will be shown as invalid password
Stack trace:
Other information:
I've used pam_unix2 successfully on a number of systems. Can you try running the "test-passwd" tool that is included in the gnome-screensaver sources and post the output here? Thanks.
This is on a Debian box with stock permissions. And like I said, it works with libpam_unix, just not libpam_unix2.

-rw-r----- 1 root shadow 955 2007-11-09 17:07 /etc/shadow
-rw-r--r-- 1 root root 1389 2007-10-29 19:50 /etc/passwd

markybob@peg:/usr/src/gnome-screensaver-2.20.0/src$ ./test-passwd
** Message: pam_start ("gnome-screensaver", "markybob", ...) ==> 0 (Success)
** Message: Handling message style 1: 'Password: '
** Message: Waiting for lock
** Message: Waiting for respose to message style 1: 'Password: '
** Message: Waiting for response
** Message: Got message style 1: 'Password: '
Password:
** Message: Got response
** Message: Got respose to message style 1: interrupt:0
** Message: Msg handler returned 1
** Message: Handling message style 3: 'Permissions on the password database may be too restrictive.'
** Message: Waiting for respose to message style 3: 'Permissions on the password database may be too restrictive.'
** Message: Waiting for lock
** Message: Waiting for response
** Message: Got message style 3: 'Permissions on the password database may be too restrictive.'
** Message: Got response
** Message: Got respose to message style 3: interrupt:0
** Message: Msg handler returned 1
** Message: pam_authenticate (...) ==> 7 (Authentication failure)
** Message: pam_end (...) ==> 0 (Success)
ERROR: Incorrect password.
Incorrect

Thanks
I forgot to mention that I can log into the system just fine, so libpam_unix2 with the permissions listed above is working fine. I'm just having a problem with gnome-screensaver unlocking.
Could it be that pam_unix2 requires binaries to be setgid shadow?
I emailed pam_unix2's author about this and this was his reply: "gnome-screensaver does not have the right permissions. PAM spec requires, that calling applications have enough privileges to read all password files. pam_unix.so has a hack to call a helper binary. But this works only with pam_unix.so. It does not work if you use anything else like finger sensor, smartcards, or anything else not handled by pam_unix to authenticate. For that reason some applications, which should not run with a setuid or setgid bit, call a helper application for authentication itself." - Thorsten
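Added example, not part of the original thread and not code from gnome-screensaver or pam_unix2: a small C check of the condition Thorsten describes, namely whether the process that loads the PAM module can itself read a root:shadow 0640 password file. The function names are hypothetical, and the model assumes plain owner/group/other permissions (no ACLs, default capabilities for root).

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure model of the owner/group/other read check: exactly one
 * permission class applies to a given process (assumption: no ACLs). */
int dac_can_read(mode_t mode, uid_t owner, gid_t group,
                 uid_t euid, gid_t egid, const gid_t *supp, int nsupp)
{
    if (euid == 0)
        return 1;                     /* root bypasses the read check */
    if (euid == owner)
        return (mode & S_IRUSR) != 0;
    int in_group = (egid == group);   /* effective gid, e.g. a setgid binary */
    for (int i = 0; i < nsupp && !in_group; i++)
        in_group = (supp[i] == group);
    if (in_group)
        return (mode & S_IRGRP) != 0;
    return (mode & S_IROTH) != 0;
}

/* Apply the model to the running process and a real path.
 * Returns 1 if readable, 0 if not, -1 if stat() or getgroups() failed. */
int process_can_read(const char *path)
{
    struct stat st;
    gid_t supp[256];
    if (stat(path, &st) != 0)
        return -1;
    int n = getgroups(256, supp);
    if (n < 0)
        return -1;
    return dac_can_read(st.st_mode, st.st_uid, st.st_gid,
                        geteuid(), getegid(), supp, n);
}

int main(void)
{
    /* Run as the desktop user to see what an in-process PAM module sees. */
    int r = process_can_read("/etc/shadow");
    printf("/etc/shadow readable by this process: %s\n",
           r < 0 ? "unknown (stat failed)" : r ? "yes" : "no");
    return 0;
}
```

With the permissions posted above, an ordinary user process gets "no", while a binary installed setgid shadow gets "yes" through its effective gid.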
So gnome-screensaver needs a suid/sgid helper?
Yeah
Some relevant discussion here:
http://mail.gnome.org/archives/screensaver-list/2006-February/msg00000.html
http://mail.gnome.org/archives/screensaver-list/2007-October/msg00000.html
http://mail.gnome.org/archives/screensaver-list/2007-November/msg00000.html
Thanks for the bug report. This particular bug has already been reported into our bug tracking system, but please feel free to report any further bugs you find. *** This bug has been marked as a duplicate of 370847 ***