x11/gnome-screensaver-2.22.1 is not unlocking screen on entry of correct password.

Joe Marcus Clarke marcus at marcuscom.com
Mon Apr 7 15:55:14 UTC 2008

On Mon, 2008-04-07 at 17:07 +1000, Andrew Reilly wrote:
> On Mon, Apr 07, 2008 at 04:36:51PM +1000, Andrew Reilly wrote:
> > On Sun, Apr 06, 2008 at 01:51:13PM -0400, Joe Marcus Clarke wrote:
> > > >     Joe> This is typically the case when one builds gnome-screensaver with PAM
> > > >     Joe> support, but they are currently using a PAM module which requires the
> > > >     Joe> executable be setuid root (e.g. pam_unix).  The only workaround is to
> > > >     Joe> rebuild gnome-screensaver without PAM support, or use a different PAM
> > > >     Joe> module which does not require root privileges.
> > > > 
> > > > I've tried copying /etc/pam.d/gdm to /etc/pam.d/gnome-screensaver, but
> > > > also thats of no use. Any ideas, why is that not working inspite of
> > > > /usr/local/libexec/gnome-screensaver-dialog being setuid, hmm...?
> > > 
> > > PAM and gnome-screensaver do not work together if you are using
> > > pam_unix.  Rebuild gnome-screensaver without PAM support, and it will
> > > instead read /etc/master.passwd directly to authenticate the user.  That
> > > will work.
> Just to add a bit more noise to this discussion: I've just re-configured
> gnome-screensaver to not use PAM, and re-installed.  When doing so, I
> discovered that this installs gnome-screensaver-dialog, which is setuid
> root.  Clearly, that's necessary in order to look at master.passwd
> directly.  Isn't the same setuid-root done when PAM is involved?

The setuid privileges are dropped once initialization is done since GTK+
apps cannot run set[ug]id.  If they could, or if gnome-screesaver-dialog
was not a GTK+ app, this wouldn't be a problem.  That's why a wrapper
that actually does the PAM dialog would work here.  Linux, on the other
hand, includes a setuid tool with Linux PAM which does the privileged
work for pam_unix.  This means that none of their login apps need to be
setuid root.


PGP Key : http://www.marcuscom.com/pgp.asc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: This is a digitally signed message part
Url : http://lists.freebsd.org/pipermail/freebsd-gnome/attachments/20080407/03f6fc69/attachment.pgp

More information about the freebsd-gnome mailing list