Xscreensaver not working since latest patch

  • Open
  • quality assurance status badge
Details
3 participants
  • Rick Huijzer
  • Ludovic Courtès
  • Roman Scherer
Owner
unassigned
Submitted by
Rick Huijzer
Severity
normal
R
R
Rick Huijzer wrote on 9 Aug 2022 10:04
(address . bug-guix@gnu.org)
CAGXOz9a6Kq5e69cwsHwDcDVvk1+_FMZPQN9A7kGs5F3iqbTApg@mail.gmail.com
Hi,

The latest xscreensaver patch https://issues.guix.gnu.org/56597 rendered
xscreensaver unusable on my systems. When I try to unlock my screen I am
greeted with the message 'xscreensaver: don't login as root', even though I
don't invoke it as root.


$xscreensaver-command -lock
Aug 9 08:45:22 localhost shepherd[1]: [slim] xscreensaver-gfx: 08:45:22:
1: running as root: not launching hacks.
Aug 9 09:10:29 localhost shepherd[1]: [slim] xscreensaver-command: locking
Aug 9 09:10:32 localhost shepherd[1]: [slim] xscreensaver-gfx: 09:10:32:
0: running as root: not launching hacks.

When I remove the
(screen-locker-service xscreensaver)
I run into all kinds of set-uid problems.

I will happily provide more information if needed.

--
Met vriendelijke groet,

Rick Huijzer
Attachment: file
L
L
Ludovic Courtès wrote on 9 Aug 2022 23:30
(name . Rick Huijzer)(address . ikbenrickhuyzer@gmail.com)
87zggd14vh.fsf@gnu.org
Hi Rick,

Rick Huijzer <ikbenrickhuyzer@gmail.com> skribis:

Toggle quote (17 lines)
> The latest xscreensaver patch https://issues.guix.gnu.org/56597 rendered
> xscreensaver unusable on my systems. When I try to unlock my screen I am
> greeted with the message 'xscreensaver: don't login as root', even though I
> don't invoke it as root.
>
>
> $xscreensaver-command -lock
> Aug 9 08:45:22 localhost shepherd[1]: [slim] xscreensaver-gfx: 08:45:22:
> 1: running as root: not launching hacks.
> Aug 9 09:10:29 localhost shepherd[1]: [slim] xscreensaver-command: locking
> Aug 9 09:10:32 localhost shepherd[1]: [slim] xscreensaver-gfx: 09:10:32:
> 0: running as root: not launching hacks.
>
> When I remove the
> (screen-locker-service xscreensaver)
> I run into all kinds of set-uid problems.

Sorry about that, I built it during review but did not actually run it.

One effect of ‘screen-locker-service’ is to make the program setuid-root
so that it can authenticate users. It would seem that something changed
in xscreensaver in that area; quoth ‘driver/subprocs.c’:

Toggle snippet (13 lines)
if (getuid() == (uid_t) 0 || geteuid() == (uid_t) 0)
/* Prior to XScreenSaver 6, if running as root, we would change the
effective uid to the user "nobody" or "daemon" or "noaccess",
but even that was just encouraging bad behavior. Don't log in
as root. */
{
fprintf (stderr, "%s: %d: running as root: not launching hacks.\n",
blurb(), ssi->number);
screenhack_obituary (ssi, "", "XScreenSaver: Don't log in as root.");
goto DONE;
}

OTOH the ‘disavow_privileges’ function is supposed to drop root
privileges early on.

So I’m not sure how it’s supposed to be run. R0man, ideas?

Thanks,
Ludo’.
R
R
Roman Scherer wrote on 10 Aug 2022 08:37
(name . Ludovic Courtès)(address . ludo@gnu.org)
87bksstvs0.fsf@burningswell.com
Hi Ludo and Rick,

sorry for the trouble. I'm running xscreensaver on a foreign distro and
did not notice this. Probably because somehow my screen wasn't locked,
but still showing random screensavers.

However, now that I tried the `xscreensaver-command -lock` command I see
a dialog with a "Password initialization failed" message.

The xscreensave logs also show this:

xscreensaver-auth: 06:45:55: OOM: /proc/99677/oom_score_adj: Permission denied
xscreensaver-auth: 06:45:55: To prevent the kernel from randomly unlocking
xscreensaver-auth: 06:45:55: your screen via the out-of-memory killer,
xscreensaver-auth: 06:45:55: "xscreensaver-auth" must be setuid root.
xscreensaver-auth: 06:46:06: PAM: warning: /etc/pam.d/xscreensaver does not exist.
xscreensaver-auth: 06:46:06: PAM: password authentication is unlikely to work.
xscreensaver-auth: 06:46:15: PAM: warning: /etc/pam.d/xscreensaver does not exist.
xscreensaver-auth: 06:46:15: PAM: password authentication is unlikely to work.

When the dialog popped up, I had to switch to a terminal and kill
xscreensaver to be able to access my desktop again.

Should we revert it, until we figured out what's necesarry to get this
working again?

r0man

Ludovic Courtès <ludo@gnu.org> writes:

Toggle quote (46 lines)
> Hi Rick,
>
> Rick Huijzer <ikbenrickhuyzer@gmail.com> skribis:
>
>> The latest xscreensaver patch <https://issues.guix.gnu.org/56597> rendered
>> xscreensaver unusable on my systems. When I try to unlock my screen I am
>> greeted with the message 'xscreensaver: don't login as root', even though I
>> don't invoke it as root.
>>
>>
>> $xscreensaver-command -lock
>> Aug 9 08:45:22 localhost shepherd[1]: [slim] xscreensaver-gfx: 08:45:22:
>> 1: running as root: not launching hacks.
>> Aug 9 09:10:29 localhost shepherd[1]: [slim] xscreensaver-command: locking
>> Aug 9 09:10:32 localhost shepherd[1]: [slim] xscreensaver-gfx: 09:10:32:
>> 0: running as root: not launching hacks.
>>
>> When I remove the
>> (screen-locker-service xscreensaver)
>> I run into all kinds of set-uid problems.
>
> Sorry about that, I built it during review but did not actually run it.
>
> One effect of ‘screen-locker-service’ is to make the program setuid-root
> so that it can authenticate users. It would seem that something changed
> in xscreensaver in that area; quoth ‘driver/subprocs.c’:
>
> if (getuid() == (uid_t) 0 || geteuid() == (uid_t) 0)
> /* Prior to XScreenSaver 6, if running as root, we would change the
> effective uid to the user "nobody" or "daemon" or "noaccess",
> but even that was just encouraging bad behavior. Don't log in
> as root. */
> {
> fprintf (stderr, "%s: %d: running as root: not launching hacks.\n",
> blurb(), ssi->number);
> screenhack_obituary (ssi, "", "XScreenSaver: Don't log in as root.");
> goto DONE;
> }
>
> OTOH the ‘disavow_privileges’ function is supposed to drop root
> privileges early on.
>
> So I’m not sure how it’s supposed to be run. R0man, ideas?
>
> Thanks,
> Ludo’.
-----BEGIN PGP SIGNATURE-----

iQFTBAEBCAA9FiEE0iajOdjfRIFd3gygPdpSUn0qwZkFAmLzWt8fHHJvbWFuLnNj
aGVyZXJAYnVybmluZ3N3ZWxsLmNvbQAKCRA92lJSfSrBmaSOB/9u9HaRe7vhzC6K
KYg64KiAb6+kr1f2HD5Xmxe9q7ZTGJwgwkzAe/PvcYbhKHnDIxYOUwVthNvuDIPC
hyPnFepXstTGRvfwCIofm5EGWgosnRGQdbOIXHolPieX2uvTUw6ak16mwcgIH/3Y
l3BGLsR5qJjIvGfOATgUbSGRHV+/qzo5bnADUb65LDUH19BNQ/TYAQp4zy+NK1RN
xM3yD7qP7mYdkG21iv+6IbkGoujY9Y80IYOpdSISgmibPuQvnQxR9oh3/7aaEGuY
RtDvq/7CQF1aekfD2nxFpulYliE2j4f6Wa0N32EGuNk3xuO+LoeMgYQkCP8ioeEC
F79jnFLw
=u4Rj
-----END PGP SIGNATURE-----

R
R
Rick Huijzer wrote on 10 Aug 2022 13:54
CAGXOz9ZS2NuT61vDZyn-hWLWDBOROOptG6tK+iaNkxzS5UFMuw@mail.gmail.com
Hi Roman and Ludo,

It seems that xscreensaver-auth needs to be setuid instead of the main
xscreensaver binary. The screen-locker-service in xorg.scm sets the
provided package setuid and sets the required pam configuration for the
provided package. The problem is that the pam configuration needs to be set
for xscreensaver (/etc/pam.d/xscreensaver) and setuid needs to be set for
xscreensaver-auth.

Interestingly when I setuid xscreensaver-auth manually I run into the
following when unlocking:
Aug 10 13:35:02 localhost unix_chkpwd[2197]: check pass; user unknown
Aug 10 13:35:02 localhost unix_chkpwd[2197]: password check failed for user
(rhuijzer)
Aug 10 13:35:02 localhost xscreensaver-auth: pam_unix(xscreensaver:auth):
authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost=
user=rhuijzer

But this might be fixed in time by [RFC PATCH] gnu: linux-pam: Change path
to unix_chkpwd helper https://issues.guix.gnu.org/53468.

I don't know how to fix this elegantly, maybe create a dedicated service
for xscreensaver instead of the standard screen-locker-service?

Thanks,

Op wo 10 aug. 2022 om 09:14 schreef Roman Scherer <
roman.scherer@burningswell.com>:

Toggle quote (94 lines)
>
> Hi Ludo and Rick,
>
> sorry for the trouble. I'm running xscreensaver on a foreign distro and
> did not notice this. Probably because somehow my screen wasn't locked,
> but still showing random screensavers.
>
> However, now that I tried the `xscreensaver-command -lock` command I see
> a dialog with a "Password initialization failed" message.
>
> The xscreensave logs also show this:
>
> xscreensaver-auth: 06:45:55: OOM: /proc/99677/oom_score_adj: Permission
> denied
> xscreensaver-auth: 06:45:55: To prevent the kernel from randomly
> unlocking
> xscreensaver-auth: 06:45:55: your screen via the out-of-memory killer,
> xscreensaver-auth: 06:45:55: "xscreensaver-auth" must be setuid root.
> xscreensaver-auth: 06:46:06: PAM: warning: /etc/pam.d/xscreensaver does
> not exist.
> xscreensaver-auth: 06:46:06: PAM: password authentication is unlikely to
> work.
> xscreensaver-auth: 06:46:15: PAM: warning: /etc/pam.d/xscreensaver does
> not exist.
> xscreensaver-auth: 06:46:15: PAM: password authentication is unlikely to
> work.
>
> When the dialog popped up, I had to switch to a terminal and kill
> xscreensaver to be able to access my desktop again.
>
> Should we revert it, until we figured out what's necesarry to get this
> working again?
>
> r0man
>
> Ludovic Courtès <ludo@gnu.org> writes:
>
> > Hi Rick,
> >
> > Rick Huijzer <ikbenrickhuyzer@gmail.com> skribis:
> >
> >> The latest xscreensaver patch <https://issues.guix.gnu.org/56597>
> rendered
> >> xscreensaver unusable on my systems. When I try to unlock my screen I am
> >> greeted with the message 'xscreensaver: don't login as root', even
> though I
> >> don't invoke it as root.
> >>
> >>
> >> $xscreensaver-command -lock
> >> Aug 9 08:45:22 localhost shepherd[1]: [slim] xscreensaver-gfx:
> 08:45:22:
> >> 1: running as root: not launching hacks.
> >> Aug 9 09:10:29 localhost shepherd[1]: [slim] xscreensaver-command:
> locking
> >> Aug 9 09:10:32 localhost shepherd[1]: [slim] xscreensaver-gfx:
> 09:10:32:
> >> 0: running as root: not launching hacks.
> >>
> >> When I remove the
> >> (screen-locker-service xscreensaver)
> >> I run into all kinds of set-uid problems.
> >
> > Sorry about that, I built it during review but did not actually run it.
> >
> > One effect of ‘screen-locker-service’ is to make the program setuid-root
> > so that it can authenticate users. It would seem that something changed
> > in xscreensaver in that area; quoth ‘driver/subprocs.c’:
> >
> > if (getuid() == (uid_t) 0 || geteuid() == (uid_t) 0)
> > /* Prior to XScreenSaver 6, if running as root, we would change
> the
> > effective uid to the user "nobody" or "daemon" or "noaccess",
> > but even that was just encouraging bad behavior. Don't log in
> > as root. */
> > {
> > fprintf (stderr, "%s: %d: running as root: not launching
> hacks.\n",
> > blurb(), ssi->number);
> > screenhack_obituary (ssi, "", "XScreenSaver: Don't log in as
> root.");
> > goto DONE;
> > }
> >
> > OTOH the ‘disavow_privileges’ function is supposed to drop root
> > privileges early on.
> >
> > So I’m not sure how it’s supposed to be run. R0man, ideas?
> >
> > Thanks,
> > Ludo’.
>


--
Met vriendelijke groet,

Rick Huijzer
Attachment: file
L
L
Ludovic Courtès wrote on 11 Aug 2022 15:59
(name . Rick Huijzer)(address . ikbenrickhuyzer@gmail.com)
87v8qyubie.fsf@gnu.org
Hi Rick & Roman,

Rick Huijzer <ikbenrickhuyzer@gmail.com> skribis:

Toggle quote (22 lines)
> It seems that xscreensaver-auth needs to be setuid instead of the main
> xscreensaver binary. The screen-locker-service in xorg.scm sets the
> provided package setuid and sets the required pam configuration for the
> provided package. The problem is that the pam configuration needs to be set
> for xscreensaver (/etc/pam.d/xscreensaver) and setuid needs to be set for
> xscreensaver-auth.
>
> Interestingly when I setuid xscreensaver-auth manually I run into the
> following when unlocking:
> Aug 10 13:35:02 localhost unix_chkpwd[2197]: check pass; user unknown
> Aug 10 13:35:02 localhost unix_chkpwd[2197]: password check failed for user
> (rhuijzer)
> Aug 10 13:35:02 localhost xscreensaver-auth: pam_unix(xscreensaver:auth):
> authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost=
> user=rhuijzer
>
> But this might be fixed in time by [RFC PATCH] gnu: linux-pam: Change path
> to unix_chkpwd helper <https://issues.guix.gnu.org/53468>.
>
> I don't know how to fix this elegantly, maybe create a dedicated service
> for xscreensaver instead of the standard screen-locker-service?

Yes, either that or a special case in ‘screen-locker-service’.

Could you give it a try?

Unfortunately I’m going to be away from keyboard for a bit; please do
ping here and/or on IRC if you don’t get a timely reply.

Thanks,
Ludo’.
L
L
Ludovic Courtès wrote on 29 Aug 2022 15:22
(name . Rick Huijzer)(address . ikbenrickhuyzer@gmail.com)
87a67n6v6n.fsf@gnu.org
Heya,

Ludovic Courtès <ludo@gnu.org> skribis:

Toggle quote (26 lines)
> Rick Huijzer <ikbenrickhuyzer@gmail.com> skribis:
>
>> It seems that xscreensaver-auth needs to be setuid instead of the main
>> xscreensaver binary. The screen-locker-service in xorg.scm sets the
>> provided package setuid and sets the required pam configuration for the
>> provided package. The problem is that the pam configuration needs to be set
>> for xscreensaver (/etc/pam.d/xscreensaver) and setuid needs to be set for
>> xscreensaver-auth.
>>
>> Interestingly when I setuid xscreensaver-auth manually I run into the
>> following when unlocking:
>> Aug 10 13:35:02 localhost unix_chkpwd[2197]: check pass; user unknown
>> Aug 10 13:35:02 localhost unix_chkpwd[2197]: password check failed for user
>> (rhuijzer)
>> Aug 10 13:35:02 localhost xscreensaver-auth: pam_unix(xscreensaver:auth):
>> authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost=
>> user=rhuijzer
>>
>> But this might be fixed in time by [RFC PATCH] gnu: linux-pam: Change path
>> to unix_chkpwd helper <https://issues.guix.gnu.org/53468>.
>>
>> I don't know how to fix this elegantly, maybe create a dedicated service
>> for xscreensaver instead of the standard screen-locker-service?
>
> Yes, either that or a special case in ‘screen-locker-service’.

With the attached patch I can make ‘xscreensaver-auth’ setuid-root
(which is optional: it’s needed to tweak OOM behavior) while keeping the
‘xscreensaver’ PAM entry that’s needed.

However, authentication’s still failing due to ‘unix_chkpwd’ not working
on current ‘master’ where https://issues.guix.gnu.org/53468 is
missing.

Ideas on how to work around that? It’s not clear to me how
‘unix_chkpwd’ ends up being invoked in the first place…

Thanks,
Ludo’.
Attachment: file
?