From debbugs-submit-bounces@debbugs.gnu.org Mon Aug 29 09:22:52 2022
From: Ludovic Courtès
To: Rick Huijzer
Subject: Re: bug#57071: Xscreensaver not working since latest patch
Date: Mon, 29 Aug 2022 15:22:40 +0200
In-Reply-To: <87v8qyubie.fsf@gnu.org> (Ludovic Courtès's message of "Thu, 11 Aug 2022 15:59:21 +0200")
Message-ID: <87a67n6v6n.fsf@gnu.org>
Cc: 57071@debbugs.gnu.org, Roman Scherer

Heya,

Ludovic Courtès skribis:

> Rick Huijzer skribis:
>
>> It seems that xscreensaver-auth needs to be setuid instead of the main
>> xscreensaver binary. The screen-locker-service in xorg.scm sets the
>> provided package setuid and sets the required pam configuration for the
>> provided package. The problem is that the pam configuration needs to be set
>> for xscreensaver (/etc/pam.d/xscreensaver) and setuid needs to be set for
>> xscreensaver-auth.
>>
>> Interestingly when I setuid xscreensaver-auth manually I run into the
>> following when unlocking:
>> Aug 10 13:35:02 localhost unix_chkpwd[2197]: check pass; user unknown
>> Aug 10 13:35:02 localhost unix_chkpwd[2197]: password check failed for user
>> (rhuijzer)
>> Aug 10 13:35:02 localhost xscreensaver-auth: pam_unix(xscreensaver:auth):
>> authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost=
>> user=rhuijzer
>>
>> But this might be fixed in time by [RFC PATCH] gnu: linux-pam: Change path
>> to unix_chkpwd helper .
>>
>> I don't know how to fix this elegantly, maybe create a dedicated service
>> for xscreensaver instead of the standard screen-locker-service?
>
> Yes, either that or a special case in ‘screen-locker-service’.

With the attached patch I can make ‘xscreensaver-auth’ setuid-root
(which is optional: it’s needed to tweak OOM behavior) while keeping the
‘xscreensaver’ PAM entry that’s needed.

However, authentication’s still failing due to ‘unix_chkpwd’ not working
on current ‘master’ where is missing. Ideas on how to work around
that? It’s not clear to me how ‘unix_chkpwd’ ends up being invoked in
the first place…

Thanks,
Ludo’.

diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index 7be995a438..72698aa28a 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -1655,8 +1655,16 @@ (define-public xscreensaver (lambda _ (substitute* '("driver/Makefile.in" "po/Makefile.in.in") (("@GTK_DATADIR@") "@datadir@") - (("@PO_DATADIR@") "@datadir@")) - #t))) + (("@PO_DATADIR@") "@datadir@")))) + (add-before 'configure 'adjust-default-path + (lambda _ + ;; On Guix System, give higher precedence to the setuid-root + ;; 'xscreensaver-auth' program compared to the one that lives= in + ;; $libexecdir. This modifies code in the 'hack_environment' + ;; function, which changes $PATH. + (substitute* "driver/xscreensaver.c" + (("=3D DEFAULT_PATH_PREFIX") + "=3D \"/run/setuid-programs:\" DEFAULT_PATH_PREFIX"))))) #:configure-flags '("--with-pam" =20 ;; Don't check /proc/interrupts in the build @@ -1704,7 +1712,11 @@ (define-public xscreensaver (license (license:non-copyleft (string-append "http://metadata.ftp-master.debian.org/changelogs/" - "/main/x/xscreensaver/xscreensaver_5.36-1_copyright"))))) + "/main/x/xscreensaver/xscreensaver_5.36-1_copyright"))) + (properties + ;; Tell 'screen-locker-service' which program should be setuid-root. + '((screen-locker-setuid-program + . "libexec/xscreensaver/xscreensaver-auth"))))) =20 (define-public xssproxy (package diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index 0cbd9aa53b..8f99c0f023 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm @@ -1,6 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright =C2=A9 2017 Andy Wingo -;;; Copyright =C2=A9 2013, 2014, 2015, 2016, 2017, 2019, 2020 Ludovic Cour= t=C3=A8s +;;; Copyright =C2=A9 2013-2017, 2019-2020, 2022 Ludovic Court=C3=A8s ;;; Copyright =C2=A9 2015 Sou Bunnbu ;;; Copyright =C2=A9 2018, 2019 Timothy Sample ;;; Copyright =C2=A9 2019 Jan (janneke) Nieuwenhuizen 
@@ -680,12 +680,26 @@ (define slim-service-type ;;; =20 (define-record-type - (screen-locker name program empty?) + (screen-locker name package empty?) screen-locker? (name screen-locker-name) ;string - (program screen-locker-program) ;gexp + (package screen-locker-package) ;file-like (empty? screen-locker-allows-empty-passwords?)) ;Boolean =20 +(define (screen-locker-setuid-program-name locker) + "Return the name of the setuid program of LOCKER. It's usually LOCKER's +name but it might differ in some cases--e.g., 'xscreensaver-auth' for +XScreenSaver." + (let ((package (screen-locker-package locker))) + (or (and (package? package) + (assoc-ref (package-properties package) + 'screen-locker-setuid-program)) + (string-append "bin/" (screen-locker-name locker))))) + +(define (screen-locker-setuid-program locker) + (file-append (screen-locker-package locker) "/" + (screen-locker-setuid-program-name locker))) + (define screen-locker-pam-services (match-lambda (($ name _ empty?) @@ -693,7 +707,16 @@ (define screen-locker-pam-services #:allow-empty-passwords? empty?))))) =20 (define screen-locker-setuid-programs - (compose list file-like->setuid-program screen-locker-program)) + (compose list file-like->setuid-program screen-locker-setuid-program)) + +(define (screen-locker-profile-entries locker) + ;; If LOCKER's program is setuid (e.g., 'slock'), then no need to add it= to + ;; the main profile since it's already in /run/setuid-programs. Otherwi= se + ;; (e.g., 'xscreensaver-auth'), add it to the profile. + (if (string=3D? (screen-locker-setuid-program-name locker) + (string-append "bin/" (screen-locker-name locker))) + '() + (list (screen-locker-package locker)))) =20 (define screen-locker-service-type (service-type (name 'screen-locker) 
@@ -701,7 +724,9 @@ (define screen-locker-service-type (list (service-extension pam-root-service-type screen-locker-pam-services) (service-extension setuid-program-service-type - screen-locker-setuid-programs))) + screen-locker-setuid-programs) + (service-extension profile-service-type + screen-locker-profile-entries))) (description "Allow the given program to be used as a screen locker for the graphical server by making it setuid-root, so it can authenticate user= s, @@ -721,8 +746,7 @@ (define* (screen-locker-service package =20 makes the good ol' XlockMore usable." (service screen-locker-service-type - (screen-locker program - (file-append package "/bin/" program) + (screen-locker program package allow-empty-passwords?))) =20 diff --git a/gnu/system/examples/lightweight-desktop.tmpl b/gnu/system/exam= ples/lightweight-desktop.tmpl index d4330ecc8e..1ab6ecd4d2 100644 --- a/gnu/system/examples/lightweight-desktop.tmpl +++ b/gnu/system/examples/lightweight-desktop.tmpl @@ -3,9 +3,9 @@ ;; environments. =20 (use-modules (gnu) (gnu system nss)) -(use-service-modules desktop) +(use-service-modules desktop xorg) (use-package-modules bootloaders certs emacs emacs-xyz ratpoison suckless = wm - xorg) + xdisorg xorg) =20 (operating-system (host-name "antelope") @@ -53,7 +53,9 @@ =20 ;; Use the "desktop" services, which include the X11 ;; log-in service, networking with NetworkManager, and more. - (services %desktop-services) + (services (append (list (screen-locker-service slock) + (screen-locker-service xscreensaver)) + %desktop-services)) =20 ;; Allow resolution of '.local' host names with mDNS. (name-service-switch %mdns-host-lookup-nss)) --=-=-=--
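Review bot: in the 'adjust-default-path phase of the xdisorg.scm hunk, `substitute*` matches "= DEFAULT_PATH_PREFIX" anywhere in driver/xscreensaver.c and silently does nothing when the pattern is absent, so an upstream rename of that macro would quietly drop the "/run/setuid-programs:" precedence that the whole fix relies on; consider making the phase fail when no substitution happened, and keep the comment's claim that only 'hack_environment' is touched in sync with what the unanchored pattern can match. The hard-coded Guix System path is fine for the system use case but deserves a comment saying it is harmless where that directory does not exist.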
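Review bot: the new 'screen-locker-setuid-program property in the second xdisorg.scm hunk is described only by an inline comment, yet gnu/services/xorg.scm now reads it; document the property (name and that the value is a path relative to the package output, as in "libexec/xscreensaver/xscreensaver-auth") in the service docstring or the manual so other locker packages can declare a separate setuid helper the same way.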
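Review bot: 'screen-locker-setuid-program-name' in the xorg.scm record hunk consults the property only when (package? package) holds, so a file-like locker (a `file-append` or an origin, which the ";file-like" field comment now admits) silently falls back to "bin/NAME"; state that restriction in the docstring or accept an explicit override. Renaming the field also removes the 'screen-locker-program' accessor in favour of 'screen-locker-package'; if the old accessor was exported, that is an API break for out-of-tree users and should be called out in the commit message.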
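Review bot: 'screen-locker-profile-entries' re-derives the "bin/NAME" default with `string=?`, duplicating the fallback inside 'screen-locker-setuid-program-name'; a single predicate (for instance, whether the property is set) would keep the two from drifting apart. The comment should also spell out the privilege split this branch creates: for a locker such as xscreensaver the whole package lands in the system profile while only the named helper is setuid-root, which is the intent here but is not obvious from the code.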
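Review bot: the service-type description visible in the context lines ("by making it setuid-root, so it can authenticate users") no longer matches lockers that declare a separate setuid program such as 'xscreensaver-auth', where the locker itself is not setuid-root and is instead added to the profile; update the description alongside the new profile-service-type extension.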
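As an added example (not part of the bug report or of Guix), a small parser for the pam_unix syslog lines quoted above: it extracts the PAM service name and the uid/euid pair so a defender can tell a helper that ran unprivileged (uid equal to euid, so pam_unix has to fall back to unix_chkpwd) from one that ran setuid-root. The sample lines are constructed after those in the report; the slock line is an added contrast case.

```python
import re

# Constructed sample modelled on the syslog lines quoted in the bug report, not a real capture.
SAMPLE_LOG = """\
Aug 10 13:35:02 localhost unix_chkpwd[2197]: check pass; user unknown
Aug 10 13:35:02 localhost unix_chkpwd[2197]: password check failed for user (rhuijzer)
Aug 10 13:35:02 localhost xscreensaver-auth: pam_unix(xscreensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost=  user=rhuijzer
Aug 10 13:36:10 localhost slock: pam_unix(slock:auth): authentication failure; logname= uid=1000 euid=0 tty=:0 ruser= rhost=  user=rhuijzer
"""

# One pam_unix(SERVICE:TYPE) line: program, PAM service, and the key=value trailer after the first ';'.
PAM_UNIX_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\[\s]+)(?:\[\d+\])?: "
    r"pam_unix\((?P<service>[^:]+):(?P<type>\w+)\): (?P<msg>[^;]+);(?P<trailer>.*)$"
)

def parse_pam_unix(line):
    """Return a dict for a pam_unix log line, or None for any other line."""
    m = PAM_UNIX_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    fields = {}
    for token in rec.pop("trailer").split():
        key, _, value = token.partition("=")  # 'ruser=' yields an empty value
        fields[key] = value
    rec["fields"] = fields
    return rec

def classify(rec):
    """Whether the process that failed PAM auth held root privileges."""
    if rec["type"] != "auth" or "authentication failure" not in rec["msg"]:
        return "other"
    uid, euid = rec["fields"].get("uid"), rec["fields"].get("euid")
    if euid == "0":
        return "privileged"    # ran as root: pam_unix reads the shadow entry itself
    if uid == euid:
        return "unprivileged"  # setuid not in effect: pam_unix has to call unix_chkpwd
    return "mixed"

def audit(log_text):
    """Map each PAM service seen to (program, uid, euid, classification)."""
    result = {}
    for line in log_text.splitlines():
        rec = parse_pam_unix(line)
        if rec is not None:
            f = rec["fields"]
            result[rec["service"]] = (rec["prog"], f.get("uid"), f.get("euid"), classify(rec))
    return result
```

Running `audit(SAMPLE_LOG)` reports the xscreensaver failure as "unprivileged", which is the situation in the quoted log where xscreensaver-auth was not yet effectively setuid-root.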