x11/gnome-screensaver-2.22.1 is not unlocking screen on entry of correct password.

Joe Marcus Clarke marcus at marcuscom.com
Mon Apr 7 15:55:14 UTC 2008


On Mon, 2008-04-07 at 17:07 +1000, Andrew Reilly wrote:
> On Mon, Apr 07, 2008 at 04:36:51PM +1000, Andrew Reilly wrote:
> > On Sun, Apr 06, 2008 at 01:51:13PM -0400, Joe Marcus Clarke wrote:
> > > >     Joe> This is typically the case when one builds gnome-screensaver with PAM
> > > >     Joe> support, but they are currently using a PAM module which requires the
> > > >     Joe> executable be setuid root (e.g. pam_unix).  The only workaround is to
> > > >     Joe> rebuild gnome-screensaver without PAM support, or use a different PAM
> > > >     Joe> module which does not require root privileges.
> > > > 
> > > > I've tried copying /etc/pam.d/gdm to /etc/pam.d/gnome-screensaver, but
> > > > also that's of no use. Any ideas, why is that not working in spite of
> > > > /usr/local/libexec/gnome-screensaver-dialog being setuid, hmm...?
> > > 
> > > PAM and gnome-screensaver do not work together if you are using
> > > pam_unix.  Rebuild gnome-screensaver without PAM support, and it will
> > > instead read /etc/master.passwd directly to authenticate the user.  That
> > > will work.
> 
> Just to add a bit more noise to this discussion: I've just re-configured
> gnome-screensaver to not use PAM, and re-installed.  When doing so, I
> discovered that this installs gnome-screensaver-dialog, which is setuid
> root.  Clearly, that's necessary in order to look at master.passwd
> directly.  Isn't the same setuid-root done when PAM is involved?

The setuid privileges are dropped once initialization is done since GTK+
apps cannot run set[ug]id.  If they could, or if gnome-screensaver-dialog
was not a GTK+ app, this wouldn't be a problem.  That's why a wrapper
that actually does the PAM dialog would work here.  Linux, on the other
hand, includes a setuid tool with Linux PAM which does the privileged
work for pam_unix.  This means that none of their login apps need to be
setuid root.

Joe

-- 
PGP Key : http://www.marcuscom.com/pgp.asc
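
The privilege drop described in the message above, as an added example that is not part of the original post or of gnome-screensaver's source: a setuid-root program gives up root permanently before starting its GUI, after which root-only files such as /etc/master.passwd are out of reach. The function names are hypothetical.

```c
/* Added illustration; not gnome-screensaver code. Names are hypothetical. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up set[ug]id privileges, as a setuid-root program must
 * do before initializing GTK+.  Returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: once the uid is dropped, changing the gid is refused. */
    if (setgid(rgid) != 0)
        return -1;
    /* With euid 0, setuid() sets the real, effective and saved uid. */
    if (setuid(ruid) != 0)
        return -1;
    /* Verify the drop cannot be undone (skipped if root really ran us). */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return 0;
}

/* Returns 1 if this process can open the password database that the
 * thread says the non-PAM build reads directly, 0 otherwise. */
int can_read_master_passwd(void)
{
    int fd = open("/etc/master.passwd", O_RDONLY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

int main(void)
{
    printf("before drop: euid=%d master.passwd readable=%d\n",
           (int)geteuid(), can_read_master_passwd());
    if (drop_privileges() != 0) {
        fprintf(stderr, "could not drop privileges, refusing to continue\n");
        return 1;
    }
    printf("after drop:  euid=%d master.passwd readable=%d\n",
           (int)geteuid(), can_read_master_passwd());
    return 0;
}
```

Installed setuid root and run by an ordinary user on FreeBSD, the second line reports the file as unreadable, which is the state the dialog is in by the time a password is typed.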