Received: (at 57071) by debbugs.gnu.org; 10 Aug 2022 12:30:43 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Wed Aug 10 08:30:43 2022 Received: from localhost ([127.0.0.1]:46759 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1oLkrC-00083C-VP for submit <at> debbugs.gnu.org; Wed, 10 Aug 2022 08:30:43 -0400 Received: from mail-ej1-f47.google.com ([209.85.218.47]:33648) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <ikbenrickhuyzer@HIDDEN>) id 1oLkIU-0006mq-AZ for 57071 <at> debbugs.gnu.org; Wed, 10 Aug 2022 07:54:52 -0400 Received: by mail-ej1-f47.google.com with SMTP id uj29so27372179ejc.0 for <57071 <at> debbugs.gnu.org>; Wed, 10 Aug 2022 04:54:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc; bh=hDZCOTv2BfznM9ThgpdVZ+yd+pDuUW4cUZlEa0ErZSk=; b=qYB6EJzRaBnFLulCwOGOhQIiX3XGl0uyoDyRxRQUsSNodYdvVJ3Albty7JZgFJMz28 94wZhcRF7DiyyAzJv3MmSs0gqPokS8exaHQCf1jEMx8Wyhs/p5jY4hWoPgfEMR8bou2V K7p8xaXjcYK5DBRHVwPOCTyKi1E1uySz1EN3kXvzkgJ3ZyMjcK0ouBuh4Y95Bl31KEkf 8PMrRXU6XSdyDI4mgM8D32rzSO4icyY+KPWKlV2ksmdzCtiv4x8aP/zY87rc9JYMaCvm +yEpkd0wLKXpjKnQl3XiOQ4zy8Tdtahlit8lGj/Vbm8bleBh/zrt4VcKE6pnMSwHyIU+ J1UQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc; bh=hDZCOTv2BfznM9ThgpdVZ+yd+pDuUW4cUZlEa0ErZSk=; b=4aVIlcAeZjcu9Z1leFqPoQz7KTmm7RPsaSqHgSpjAuEQWiTHhub2DH7Kgn9zkR++zm DGHUtEgxEx/m383s1rX/tnF5fBlz9Bl1OSQ3OwkdFovi7VcVOrxW4k7kPbgVRs6huYhs M5JTplUi57OwJEbUZGUHU8pcop1J0EV8HYM2rFkG1Q63EGw1yWO2OFCpi7L29uwhCKM1 B0GrV9R/WZ8wPHBxh4g012SNG4Jnqm9I68Fp+cREpcTTHTPOyxRwJN1VjB+x+eqKHZO2 keLKn2iC0HTwJH6hkGUusz39cbA3ENqszVNVnniPruvJGqJjNpXPLkGxKY7OXAJVfklz UWpg== X-Gm-Message-State: ACgBeo2koIqOSVOaqdj8kwdm8pYnIDhJa67T2+5tKLmHlzHiS2DLozwM sEJVYFVOCBK/0N5hqHaRe9rTpZbqnkx3IW9SrKM= X-Google-Smtp-Source: AA6agR66r6wuSqKVYHXW+R8LfE9hgk340TKvuzccjH/9K2rcauQdfePNkCf4TwLBZ3z4spESw500OxwToNzTYI4z6Ds= X-Received: by 2002:a17:906:8461:b0:730:a43a:9981 with SMTP id hx1-20020a170906846100b00730a43a9981mr19735301ejc.552.1660132484334; Wed, 10 Aug 2022 04:54:44 -0700 (PDT) MIME-Version: 1.0 References: <CAGXOz9a6Kq5e69cwsHwDcDVvk1+_FMZPQN9A7kGs5F3iqbTApg@HIDDEN> <87zggd14vh.fsf@HIDDEN> <87bksstvs0.fsf@HIDDEN> In-Reply-To: <87bksstvs0.fsf@HIDDEN> From: Rick Huijzer <ikbenrickhuyzer@HIDDEN> Date: Wed, 10 Aug 2022 13:54:33 +0200 Message-ID: <CAGXOz9ZS2NuT61vDZyn-hWLWDBOROOptG6tK+iaNkxzS5UFMuw@HIDDEN> Subject: Re: bug#57071: Xscreensaver not working since latest patch To: Roman Scherer <roman.scherer@HIDDEN>, ludo@HIDDEN, 57071 <at> debbugs.gnu.org Content-Type: multipart/alternative; boundary="00000000000002486005e5e1b735" X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 57071 X-Mailman-Approved-At: Wed, 10 Aug 2022 08:30:40 -0400 X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -1.0 (-) --00000000000002486005e5e1b735 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Roman and Ludo, It seems that xscreensaver-auth needs to be setuid instead of the main xscreensaver binary. The screen-locker-service in xorg.scm sets the provided package setuid and sets the required pam configuration for the provided package. The problem is that the pam configuration needs to be set for xscreensaver (/etc/pam.d/xscreensaver) and setuid needs to be set for xscreensaver-auth. Interestingly when I setuid xscreensaver-auth manually I run into the following when unlocking: Aug 10 13:35:02 localhost unix_chkpwd[2197]: check pass; user unknown Aug 10 13:35:02 localhost unix_chkpwd[2197]: password check failed for user (rhuijzer) Aug 10 13:35:02 localhost xscreensaver-auth: pam_unix(xscreensaver:auth): authentication failure; logname=3D uid=3D1000 euid=3D1000 tty=3D:0 ruser=3D= rhost=3D user=3Drhuijzer But this might be fixed in time by [RFC PATCH] gnu: linux-pam: Change path to unix_chkpwd helper <https://issues.guix.gnu.org/53468>. I don't know how to fix this elegantly, maybe create a dedicated service for xscreensaver instead of the standard screen-locker-service? Thanks, Op wo 10 aug. 2022 om 09:14 schreef Roman Scherer < roman.scherer@HIDDEN>: > > Hi Ludo and Rick, > > sorry for the trouble. I'm running xscreensaver on a foreign distro and > did not notice this. Probably because somehow my screen wasn't locked, > but still showing random screensavers. > > However, now that I tried the `xscreensaver-command -lock` command I see > a dialog with a "Password initialization failed" message. > > The xscreensave logs also show this: > > xscreensaver-auth: 06:45:55: OOM: /proc/99677/oom_score_adj: Permission > denied > xscreensaver-auth: 06:45:55: To prevent the kernel from randomly > unlocking > xscreensaver-auth: 06:45:55: your screen via the out-of-memory killer, > xscreensaver-auth: 06:45:55: "xscreensaver-auth" must be setuid root. > xscreensaver-auth: 06:46:06: PAM: warning: /etc/pam.d/xscreensaver does > not exist. > xscreensaver-auth: 06:46:06: PAM: password authentication is unlikely to > work. > xscreensaver-auth: 06:46:15: PAM: warning: /etc/pam.d/xscreensaver does > not exist. > xscreensaver-auth: 06:46:15: PAM: password authentication is unlikely to > work. > > When the dialog popped up, I had to switch to a terminal and kill > xscreensaver to be able to access my desktop again. > > Should we revert it, until we figured out what's necesarry to get this > working again? > > r0man > > Ludovic Court=C3=A8s <ludo@HIDDEN> writes: > > > Hi Rick, > > > > Rick Huijzer <ikbenrickhuyzer@HIDDEN> skribis: > > > >> The latest xscreensaver patch <https://issues.guix.gnu.org/56597> > rendered > >> xscreensaver unusable on my systems. When I try to unlock my screen I = am > >> greeted with the message 'xscreensaver: don't login as root', even > though I > >> don't invoke it as root. > >> > >> > >> $xscreensaver-command -lock > >> Aug 9 08:45:22 localhost shepherd[1]: [slim] xscreensaver-gfx: > 08:45:22: > >> 1: running as root: not launching hacks. > >> Aug 9 09:10:29 localhost shepherd[1]: [slim] xscreensaver-command: > locking > >> Aug 9 09:10:32 localhost shepherd[1]: [slim] xscreensaver-gfx: > 09:10:32: > >> 0: running as root: not launching hacks. > >> > >> When I remove the > >> (screen-locker-service xscreensaver) > >> I run into all kinds of set-uid problems. > > > > Sorry about that, I built it during review but did not actually run it. > > > > One effect of =E2=80=98screen-locker-service=E2=80=99 is to make the pr= ogram setuid-root > > so that it can authenticate users. It would seem that something change= d > > in xscreensaver in that area; quoth =E2=80=98driver/subprocs.c=E2=80=99= : > > > > if (getuid() =3D=3D (uid_t) 0 || geteuid() =3D=3D (uid_t) 0) > > /* Prior to XScreenSaver 6, if running as root, we would change > the > > effective uid to the user "nobody" or "daemon" or "noaccess"= , > > but even that was just encouraging bad behavior. Don't log = in > > as root. */ > > { > > fprintf (stderr, "%s: %d: running as root: not launching > hacks.\n", > > blurb(), ssi->number); > > screenhack_obituary (ssi, "", "XScreenSaver: Don't log in as > root."); > > goto DONE; > > } > > > > OTOH the =E2=80=98disavow_privileges=E2=80=99 function is supposed to d= rop root > > privileges early on. > > > > So I=E2=80=99m not sure how it=E2=80=99s supposed to be run. R0man, id= eas? > > > > Thanks, > > Ludo=E2=80=99. > --=20 Met vriendelijke groet, Rick Huijzer --00000000000002486005e5e1b735 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable <div dir=3D"ltr">Hi Roman and Ludo,<div><div><br></div><div>It seems that x= screensaver-auth needs to be setuid instead of the main xscreensaver binary= . The screen-locker-service in xorg.scm sets the provided package setuid an= d sets the required pam configuration for the provided package. The problem= is that the pam configuration needs to be set for xscreensaver (/etc/pam.d= /xscreensaver) and setuid needs to be set for xscreensaver-auth.=C2=A0</div= ><div><br></div><div>Interestingly when I setuid xscreensaver-auth manually= I run into the following when unlocking:</div><div>Aug 10 13:35:02 localho= st unix_chkpwd[2197]: check pass; user unknown<br>Aug 10 13:35:02 localhost= unix_chkpwd[2197]: password check failed for user (rhuijzer)<br>Aug 10 13:= 35:02 localhost xscreensaver-auth: pam_unix(xscreensaver:auth): authenticat= ion failure; logname=3D uid=3D1000 euid=3D1000 tty=3D:0 ruser=3D rhost=3D = =C2=A0user=3Drhuijzer<br></div><div><br></div><div>But this=C2=A0might=C2= =A0be fixed in time by <a href=3D"https://issues.guix.gnu.org/53468">[RFC P= ATCH] gnu: linux-pam: Change path to unix_chkpwd helper</a>.=C2=A0</div><di= v><br></div><div>I don't know how to fix this elegantly, maybe create a= dedicated service for xscreensaver instead of=C2=A0the standard screen-loc= ker-service?=C2=A0</div><div><br></div><div>Thanks,</div><br><div class=3D"= gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">Op wo 10 aug. 2022 om 09= :14 schreef Roman Scherer <<a href=3D"mailto:roman.scherer@burningswell.= com" target=3D"_blank">roman.scherer@HIDDEN</a>>:<br></div><bl= ockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-lef= t:1px solid rgb(204,204,204);padding-left:1ex"><br> Hi Ludo and Rick,<br> <br> sorry for the trouble. I'm running xscreensaver on a foreign distro and= <br> did not notice this. Probably because somehow my screen wasn't locked,<= br> but still showing random screensavers.<br> <br> However, now that I tried the `xscreensaver-command -lock` command I see<br= > a dialog with a "Password initialization failed" message.<br> <br> The xscreensave logs also show this:<br> <br> xscreensaver-auth: 06:45:55: OOM: /proc/99677/oom_score_adj: Permission den= ied<br> xscreensaver-auth: 06:45:55:=C2=A0 =C2=A0To prevent the kernel from randoml= y unlocking<br> xscreensaver-auth: 06:45:55:=C2=A0 =C2=A0your screen via the out-of-memory = killer,<br> xscreensaver-auth: 06:45:55:=C2=A0 =C2=A0"xscreensaver-auth" must= be setuid root.<br> xscreensaver-auth: 06:46:06: PAM: warning: /etc/pam.d/xscreensaver does not= exist.<br> xscreensaver-auth: 06:46:06: PAM: password authentication is unlikely to wo= rk.<br> xscreensaver-auth: 06:46:15: PAM: warning: /etc/pam.d/xscreensaver does not= exist.<br> xscreensaver-auth: 06:46:15: PAM: password authentication is unlikely to wo= rk.<br> <br> When the dialog popped up, I had to switch to a terminal and kill<br> xscreensaver to be able to access my desktop again.<br> <br> Should we revert it, until we figured out what's necesarry to get this<= br> working again?<br> <br> r0man<br> <br> Ludovic Court=C3=A8s <<a href=3D"mailto:ludo@HIDDEN" target=3D"_blank">= ludo@HIDDEN</a>> writes:<br> <br> > Hi Rick,<br> ><br> > Rick Huijzer <<a href=3D"mailto:ikbenrickhuyzer@HIDDEN" target= =3D"_blank">ikbenrickhuyzer@HIDDEN</a>> skribis:<br> ><br> >> The latest xscreensaver patch <<a href=3D"https://issues.guix.g= nu.org/56597" rel=3D"noreferrer" target=3D"_blank">https://issues.guix.gnu.= org/56597</a>> rendered<br> >> xscreensaver unusable on my systems. When I try to unlock my scree= n I am<br> >> greeted with the message 'xscreensaver: don't login as roo= t', even though I<br> >> don't invoke it as root.<br> >><br> >><br> >> $xscreensaver-command -lock<br> >> Aug=C2=A0 9 08:45:22 localhost shepherd[1]: [slim] xscreensaver-gf= x: 08:45:22:<br> >> 1: running as root: not launching hacks.<br> >> Aug=C2=A0 9 09:10:29 localhost shepherd[1]: [slim] xscreensaver-co= mmand: locking<br> >> Aug=C2=A0 9 09:10:32 localhost shepherd[1]: [slim] xscreensaver-gf= x: 09:10:32:<br> >> 0: running as root: not launching hacks.<br> >><br> >> When I remove the<br> >> (screen-locker-service xscreensaver)<br> >> I run into all kinds of set-uid problems.<br> ><br> > Sorry about that, I built it during review but did not actually run it= .<br> ><br> > One effect of =E2=80=98screen-locker-service=E2=80=99 is to make the p= rogram setuid-root<br> > so that it can authenticate users.=C2=A0 It would seem that something = changed<br> > in xscreensaver in that area; quoth =E2=80=98driver/subprocs.c=E2=80= =99:<br> ><br> >=C2=A0 =C2=A0 =C2=A0 =C2=A0if (getuid() =3D=3D (uid_t) 0 || geteuid() = =3D=3D (uid_t) 0)<br> >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0/* Prior to XScreenSaver 6, if runnin= g as root, we would change the<br> >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 effective uid to the user &qu= ot;nobody" or "daemon" or "noaccess",<br> >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 but even that was just encour= aging bad behavior.=C2=A0 Don't log in<br> >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 as root. */<br> >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0{<br> >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0fprintf (stderr, "%s: %d:= running as root: not launching hacks.\n",<br> >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 b= lurb(), ssi->number);<br> >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0screenhack_obituary (ssi, &quo= t;", "XScreenSaver: Don't log in as root.");<br> >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0goto DONE;<br> >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0}<br> ><br> > OTOH the =E2=80=98disavow_privileges=E2=80=99 function is supposed to = drop root<br> > privileges early on.<br> ><br> > So I=E2=80=99m not sure how it=E2=80=99s supposed to be run.=C2=A0 R0m= an, ideas?<br> ><br> > Thanks,<br> > Ludo=E2=80=99.<br> </blockquote></div></div></div><br clear=3D"all"><div><br></div>-- <br><div= dir=3D"ltr"><div dir=3D"ltr"><div><div dir=3D"ltr">Met vriendelijke groet,= <div><br></div><div>Rick Huijzer</div><div><br></div></div></div></div></di= v> --00000000000002486005e5e1b735--
bug-guix@HIDDEN
:bug#57071
; Package guix
.
Full text available.Received: (at 57071) by debbugs.gnu.org; 10 Aug 2022 07:14:53 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Wed Aug 10 03:14:53 2022 Received: from localhost ([127.0.0.1]:45851 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1oLfvZ-0005bg-Eu for submit <at> debbugs.gnu.org; Wed, 10 Aug 2022 03:14:53 -0400 Received: from mail-ed1-f47.google.com ([209.85.208.47]:37555) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <roman.scherer@HIDDEN>) id 1oLfvU-0005bP-H6 for 57071 <at> debbugs.gnu.org; Wed, 10 Aug 2022 03:14:52 -0400 Received: by mail-ed1-f47.google.com with SMTP id b16so17897721edd.4 for <57071 <at> debbugs.gnu.org>; Wed, 10 Aug 2022 00:14:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=burningswell-com.20210112.gappssmtp.com; s=20210112; h=mime-version:message-id:in-reply-to:date:subject:cc:to:from :user-agent:references:from:to:cc; bh=BZo3zzYEVsOvIYaT2ynHbmk4UtUudybjQgy92XDhoXY=; b=QTUMu8WzomYDLihtWEDHKVmFSNYhBTLHuAxnv3dz6UoSW9pbV+Zh2CgJIDhuZW7tLw Lsm1r7zwWEnB/Ii6gMfo0sL3CgzjHAUO+zympzkNEF0xKA/mkZ4p7E4HgAgtYglwl7bU nWI8anOkGOcXs3YVioVY+dsMoHNtwuQibLxBjVECJc3KgkTHNNNMxGjPy3tjmsdlDsx+ AjqFX3aDIW1dDIFqNgDpFKigIAPxEhZ+bv1RSRgAeZj6aIwbwjN+ZXQd2hlYVwEbYCgC FnOmCKI1vm6AC7MZgfKLL8G37zPj+bSAY0yGn3EU9GbTFG1OI/SiOIsR1PompVwYVgrD 48HA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=mime-version:message-id:in-reply-to:date:subject:cc:to:from :user-agent:references:x-gm-message-state:from:to:cc; bh=BZo3zzYEVsOvIYaT2ynHbmk4UtUudybjQgy92XDhoXY=; b=XJo2PA9pUaAumqV2X/osIuIsRJv0H+bn6zDhLsFTxkkLqNAOLeqJ4tfHo/NMKI2jBk W9fbBB3iCTSLKFKES/ukjtfm6LmgAbY9s2ahrHstX9RjADWlfWfVC3Xg6IUfMxXjupbK lLrDn0L4gOC4Q96BI07uFdI3XPtq3Mz7ASTXMTpXANL/Up0nXy/0T3a/JwnEspygZeH9 exU3zOXcdEGxECeeAilHK4Jx+tAxxHn0F3GXsxnxP2rkfKwZ5cLsUulbYKY+rT8Agcw5 MutQv4P6UoLgbOcLjeRDrQtpU9gqN7kGPmRHpfg6ll3SaTW1UBPHi4IM9rhjZDQdqwt0 fbxg== X-Gm-Message-State: ACgBeo0m5/deqEElIQLm/BaSGrY1IYUMxbBQ/2zrt8kvs359JGmNlW8Z ek6k7Znh1SBwTemEhLBF5EcJJDRjyj96yVbC X-Google-Smtp-Source: AA6agR516jFqXdF5BMNu6CktZTojFmdksi+NoCFyr9kFKy6mrOhbfclDN2GzwM8ltPhn40DLxdqjPw== X-Received: by 2002:a05:6402:1159:b0:43b:bc82:5ddb with SMTP id g25-20020a056402115900b0043bbc825ddbmr25056105edw.355.1660115682264; Wed, 10 Aug 2022 00:14:42 -0700 (PDT) Received: from precision (tmo-116-169.customers.d1-online.com. [80.187.116.169]) by smtp.gmail.com with ESMTPSA id b16-20020aa7c6d0000000b0043bb8023caesm7115463eds.62.2022.08.10.00.14.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 10 Aug 2022 00:14:41 -0700 (PDT) References: <CAGXOz9a6Kq5e69cwsHwDcDVvk1+_FMZPQN9A7kGs5F3iqbTApg@HIDDEN> <87zggd14vh.fsf@HIDDEN> User-agent: mu4e 1.8.7; emacs 28.1 From: Roman Scherer <roman.scherer@HIDDEN> To: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN> Subject: Re: bug#57071: Xscreensaver not working since latest patch Date: Wed, 10 Aug 2022 06:37:47 +0000 In-reply-to: <87zggd14vh.fsf@HIDDEN> Message-ID: <87bksstvs0.fsf@HIDDEN> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 57071 Cc: 57071 <at> debbugs.gnu.org, Rick Huijzer <ikbenrickhuyzer@HIDDEN> X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -1.0 (-) --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Hi Ludo and Rick, sorry for the trouble. I'm running xscreensaver on a foreign distro and did not notice this. Probably because somehow my screen wasn't locked, but still showing random screensavers. However, now that I tried the `xscreensaver-command -lock` command I see a dialog with a "Password initialization failed" message. The xscreensave logs also show this: xscreensaver-auth: 06:45:55: OOM: /proc/99677/oom_score_adj: Permission den= ied xscreensaver-auth: 06:45:55: To prevent the kernel from randomly unlocking xscreensaver-auth: 06:45:55: your screen via the out-of-memory killer, xscreensaver-auth: 06:45:55: "xscreensaver-auth" must be setuid root. xscreensaver-auth: 06:46:06: PAM: warning: /etc/pam.d/xscreensaver does not= exist. xscreensaver-auth: 06:46:06: PAM: password authentication is unlikely to wo= rk. xscreensaver-auth: 06:46:15: PAM: warning: /etc/pam.d/xscreensaver does not= exist. xscreensaver-auth: 06:46:15: PAM: password authentication is unlikely to wo= rk. When the dialog popped up, I had to switch to a terminal and kill xscreensaver to be able to access my desktop again. Should we revert it, until we figured out what's necesarry to get this working again? r0man Ludovic Court=C3=A8s <ludo@HIDDEN> writes: > Hi Rick, > > Rick Huijzer <ikbenrickhuyzer@HIDDEN> skribis: > >> The latest xscreensaver patch <https://issues.guix.gnu.org/56597> render= ed >> xscreensaver unusable on my systems. When I try to unlock my screen I am >> greeted with the message 'xscreensaver: don't login as root', even thoug= h I >> don't invoke it as root. >> >> >> $xscreensaver-command -lock >> Aug 9 08:45:22 localhost shepherd[1]: [slim] xscreensaver-gfx: 08:45:22: >> 1: running as root: not launching hacks. >> Aug 9 09:10:29 localhost shepherd[1]: [slim] xscreensaver-command: lock= ing >> Aug 9 09:10:32 localhost shepherd[1]: [slim] xscreensaver-gfx: 09:10:32: >> 0: running as root: not launching hacks. >> >> When I remove the >> (screen-locker-service xscreensaver) >> I run into all kinds of set-uid problems. > > Sorry about that, I built it during review but did not actually run it. > > One effect of =E2=80=98screen-locker-service=E2=80=99 is to make the prog= ram setuid-root > so that it can authenticate users. It would seem that something changed > in xscreensaver in that area; quoth =E2=80=98driver/subprocs.c=E2=80=99: > > if (getuid() =3D=3D (uid_t) 0 || geteuid() =3D=3D (uid_t) 0) > /* Prior to XScreenSaver 6, if running as root, we would change t= he > effective uid to the user "nobody" or "daemon" or "noaccess", > but even that was just encouraging bad behavior. Don't log in > as root. */ > { > fprintf (stderr, "%s: %d: running as root: not launching hacks.= \n", > blurb(), ssi->number); > screenhack_obituary (ssi, "", "XScreenSaver: Don't log in as ro= ot."); > goto DONE; > } > > OTOH the =E2=80=98disavow_privileges=E2=80=99 function is supposed to dro= p root > privileges early on. > > So I=E2=80=99m not sure how it=E2=80=99s supposed to be run. R0man, idea= s? > > Thanks, > Ludo=E2=80=99. --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQFTBAEBCAA9FiEE0iajOdjfRIFd3gygPdpSUn0qwZkFAmLzWt8fHHJvbWFuLnNj aGVyZXJAYnVybmluZ3N3ZWxsLmNvbQAKCRA92lJSfSrBmaSOB/9u9HaRe7vhzC6K KYg64KiAb6+kr1f2HD5Xmxe9q7ZTGJwgwkzAe/PvcYbhKHnDIxYOUwVthNvuDIPC hyPnFepXstTGRvfwCIofm5EGWgosnRGQdbOIXHolPieX2uvTUw6ak16mwcgIH/3Y l3BGLsR5qJjIvGfOATgUbSGRHV+/qzo5bnADUb65LDUH19BNQ/TYAQp4zy+NK1RN xM3yD7qP7mYdkG21iv+6IbkGoujY9Y80IYOpdSISgmibPuQvnQxR9oh3/7aaEGuY RtDvq/7CQF1aekfD2nxFpulYliE2j4f6Wa0N32EGuNk3xuO+LoeMgYQkCP8ioeEC F79jnFLw =u4Rj -----END PGP SIGNATURE----- --=-=-=--
bug-guix@HIDDEN
:bug#57071
; Package guix
.
Full text available.Received: (at 57071) by debbugs.gnu.org; 9 Aug 2022 21:31:09 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Tue Aug 09 17:31:09 2022 Received: from localhost ([127.0.0.1]:45328 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1oLWof-0002VC-23 for submit <at> debbugs.gnu.org; Tue, 09 Aug 2022 17:31:09 -0400 Received: from eggs.gnu.org ([209.51.188.92]:56784) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <ludo@HIDDEN>) id 1oLWod-0002Ur-Fm for 57071 <at> debbugs.gnu.org; Tue, 09 Aug 2022 17:31:07 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:47632) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <ludo@HIDDEN>) id 1oLWoY-0001od-20; Tue, 09 Aug 2022 17:31:02 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:In-Reply-To:Date:References:Subject:To: From; bh=hEjpbY8zv2PmpU8WUZfxS+2BjvT9JJyrK5qVFRbKFWc=; b=eWLatwZSXh/7mvaECucM GxYcEV5P8rl8Y/hSlWqH5LnfLfJ5Oogq1b47XC/fxSt4kMJ5liUlzvjST7ublAsxKvp3eSMvwOj5J O2Tbdn5qW0AQSwiesaRfkSbSc3+fdvCa1isyl1pEVelsj5qYXD0AM1c0JOCvD5ubfdc2IIZww3/83 AlZDpkbpE6sQ4LYb0tqh+eRpPWhdrKRsgHefV5AEijIgrWD4aCIfvnxov/VgYOgsaTPEPj6djKges FZSBf/9p8noDqQKxKgl7rN76hSymtaqB1gjWRieH5gJZRJMpbBZic3r07M693vkI/ZbnImxktosvI rf9XjQ9WUUPb9A==; Received: from 91-160-117-201.subs.proxad.net ([91.160.117.201]:60821 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <ludo@HIDDEN>) id 1oLWoW-0005lg-HG; Tue, 09 Aug 2022 17:31:01 -0400 From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN> To: Rick Huijzer <ikbenrickhuyzer@HIDDEN> Subject: Re: bug#57071: Xscreensaver not working since latest patch References: <CAGXOz9a6Kq5e69cwsHwDcDVvk1+_FMZPQN9A7kGs5F3iqbTApg@HIDDEN> Date: Tue, 09 Aug 2022 23:30:58 +0200 In-Reply-To: <CAGXOz9a6Kq5e69cwsHwDcDVvk1+_FMZPQN9A7kGs5F3iqbTApg@HIDDEN> (Rick Huijzer's message of "Tue, 9 Aug 2022 10:04:17 +0200") Message-ID: <87zggd14vh.fsf@HIDDEN> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 57071 Cc: r0man <roman@HIDDEN>, 57071 <at> debbugs.gnu.org X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -3.3 (---) Hi Rick, Rick Huijzer <ikbenrickhuyzer@HIDDEN> skribis: > The latest xscreensaver patch <https://issues.guix.gnu.org/56597> rendered > xscreensaver unusable on my systems. When I try to unlock my screen I am > greeted with the message 'xscreensaver: don't login as root', even though= I > don't invoke it as root. > > > $xscreensaver-command -lock > Aug 9 08:45:22 localhost shepherd[1]: [slim] xscreensaver-gfx: 08:45:22: > 1: running as root: not launching hacks. > Aug 9 09:10:29 localhost shepherd[1]: [slim] xscreensaver-command: locki= ng > Aug 9 09:10:32 localhost shepherd[1]: [slim] xscreensaver-gfx: 09:10:32: > 0: running as root: not launching hacks. > > When I remove the > (screen-locker-service xscreensaver) > I run into all kinds of set-uid problems. Sorry about that, I built it during review but did not actually run it. One effect of =E2=80=98screen-locker-service=E2=80=99 is to make the progra= m setuid-root so that it can authenticate users. It would seem that something changed in xscreensaver in that area; quoth =E2=80=98driver/subprocs.c=E2=80=99: --8<---------------cut here---------------start------------->8--- if (getuid() =3D=3D (uid_t) 0 || geteuid() =3D=3D (uid_t) 0) /* Prior to XScreenSaver 6, if running as root, we would change the effective uid to the user "nobody" or "daemon" or "noaccess", but even that was just encouraging bad behavior. Don't log in as root. */ { fprintf (stderr, "%s: %d: running as root: not launching hacks.\n= ", blurb(), ssi->number); screenhack_obituary (ssi, "", "XScreenSaver: Don't log in as root= ."); goto DONE; } --8<---------------cut here---------------end--------------->8--- OTOH the =E2=80=98disavow_privileges=E2=80=99 function is supposed to drop = root privileges early on. So I=E2=80=99m not sure how it=E2=80=99s supposed to be run. R0man, ideas? Thanks, Ludo=E2=80=99.
bug-guix@HIDDEN
:bug#57071
; Package guix
.
Full text available.Received: (at submit) by debbugs.gnu.org; 9 Aug 2022 10:28:00 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Tue Aug 09 06:28:00 2022 Received: from localhost ([127.0.0.1]:42618 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1oLMSt-0006Uh-C6 for submit <at> debbugs.gnu.org; Tue, 09 Aug 2022 06:28:00 -0400 Received: from lists.gnu.org ([209.51.188.17]:41936) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <ikbenrickhuyzer@HIDDEN>) id 1oLKEH-0000Z9-2g for submit <at> debbugs.gnu.org; Tue, 09 Aug 2022 04:04:48 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:51038) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <ikbenrickhuyzer@HIDDEN>) id 1oLKEE-0005Yg-Va for bug-guix@HIDDEN; Tue, 09 Aug 2022 04:04:44 -0400 Received: from mail-ej1-x629.google.com ([2a00:1450:4864:20::629]:35787) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from <ikbenrickhuyzer@HIDDEN>) id 1oLKEA-0003zq-JQ for bug-guix@HIDDEN; Tue, 09 Aug 2022 04:04:42 -0400 Received: by mail-ej1-x629.google.com with SMTP id a7so20861657ejp.2 for <bug-guix@HIDDEN>; Tue, 09 Aug 2022 01:04:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:subject:message-id:date:from:mime-version:from:to:cc; bh=JJB6qutlG1s1+XNJwjY8lbiSMfCLJUtQxW5/PCaPA3E=; b=D76fsGTNJcWuKjayxKZpn19zzcKSgJPX5yP4kJBn3Pj6pr8KZDXKtp8ftXZhUgPzSl N3Fb9tfh9GoL+hgqMwhWIGiRCvg8pJkrzAHhmtyzNCZgNGqWw2eUF9ciJKz+fPEcgph1 LBKyzmAVBY5id0m89bRV5PLoOe1h96FRjOFV3iYUUz8/2TF/2aGd6doCAHw7zkCj4+l/ tDEFBmqQ2p3Rmef/pGdoDZaheV1jJIox25Sepk97ilYSmf0BQIRPH5McUXEZCRaYtvT0 Pf5e0c3pzGa2icJEYG5XYg8W0rlsCjXNxcm24DVqzIsxP2isWgaC39s7hm3AREam60dx 7WWw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc; bh=JJB6qutlG1s1+XNJwjY8lbiSMfCLJUtQxW5/PCaPA3E=; b=VbBsAPZ2/qqnoZK1z741M2FR6uDTXRdfwQgU1gxgYtKvRh9w2kNqm+cTomXhB7Dety H3vK9kUVcklh8xvcfHcZNqf61sKtf8MZWIgJtat2PZ4XLXAX2SgFwbN08lvo8tRb6T6f OtekqYu4D+2dMWfaADqnmm5eckv4URcKEDTdXnJff+Dtnc0cm1CgevseJsQFrti83qLU B40PXH3FxSQjHBKiJvUZ92D+q6WyXCSYjQxrjUW+sC3X8PuK8Xahu58J3rqGZs40Jimc IsDMcKWrFeugX1hDxA2+MT90YJX1APdT9HbCAWcHwzBIPDtTQrA7+XHj9NHIfHbrCNxU m5lQ== X-Gm-Message-State: ACgBeo1R3NVyNOtDwt6u/mmjU/bzh0Q64Rm+UrOTwCmNCob4X642Vnmy U6SP5l5f5A9rD4cOhJTFWwZfjT8hn1ml2ucF2aOS8WJI X-Google-Smtp-Source: AA6agR711ypRAn4vQRaaX3GVDsM1VkmXGGRKF/tqucwv049xXKZynQ+MQlMPQdzA9eKHJE36i4C5ueH44ZR3XILmQ+g= X-Received: by 2002:a17:906:ef8c:b0:730:e4e0:1f69 with SMTP id ze12-20020a170906ef8c00b00730e4e01f69mr14887129ejb.113.1660032268225; Tue, 09 Aug 2022 01:04:28 -0700 (PDT) MIME-Version: 1.0 From: Rick Huijzer <ikbenrickhuyzer@HIDDEN> Date: Tue, 9 Aug 2022 10:04:17 +0200 Message-ID: <CAGXOz9a6Kq5e69cwsHwDcDVvk1+_FMZPQN9A7kGs5F3iqbTApg@HIDDEN> Subject: Xscreensaver not working since latest patch To: bug-guix@HIDDEN Content-Type: multipart/alternative; boundary="000000000000a9d40205e5ca615f" Received-SPF: pass client-ip=2a00:1450:4864:20::629; envelope-from=ikbenrickhuyzer@HIDDEN; helo=mail-ej1-x629.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.3 (-) X-Debbugs-Envelope-To: submit X-Mailman-Approved-At: Tue, 09 Aug 2022 06:27:56 -0400 X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -2.3 (--) --000000000000a9d40205e5ca615f Content-Type: text/plain; charset="UTF-8" Hi, The latest xscreensaver patch <https://issues.guix.gnu.org/56597> rendered xscreensaver unusable on my systems. When I try to unlock my screen I am greeted with the message 'xscreensaver: don't login as root', even though I don't invoke it as root. $xscreensaver-command -lock Aug 9 08:45:22 localhost shepherd[1]: [slim] xscreensaver-gfx: 08:45:22: 1: running as root: not launching hacks. Aug 9 09:10:29 localhost shepherd[1]: [slim] xscreensaver-command: locking Aug 9 09:10:32 localhost shepherd[1]: [slim] xscreensaver-gfx: 09:10:32: 0: running as root: not launching hacks. When I remove the (screen-locker-service xscreensaver) I run into all kinds of set-uid problems. I will happily provide more information if needed. -- Met vriendelijke groet, Rick Huijzer --000000000000a9d40205e5ca615f Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable <div dir=3D"ltr">Hi,=C2=A0<div><br></div><div>The latest <a href=3D"https:/= /issues.guix.gnu.org/56597" target=3D"_blank">xscreensaver patch</a>=C2=A0r= endered xscreensaver unusable on my systems. When I try to unlock my screen= I am greeted with the message 'xscreensaver: don't login as root&#= 39;, even though I don't invoke it as root.=C2=A0</div><div><br></div><= div><br></div><div>$xscreensaver-command -lock<br></div><div>Aug =C2=A09 08= :45:22 localhost shepherd[1]: [slim] xscreensaver-gfx: 08:45:22: 1: running= as root: not launching hacks.<br>Aug =C2=A09 09:10:29 localhost shepherd[1= ]: [slim] xscreensaver-command: locking<br><div>Aug =C2=A09 09:10:32 localh= ost shepherd[1]: [slim] xscreensaver-gfx: 09:10:32: 0: running as root: not= launching hacks.<br></div><div><br></div><div>When I remove the=C2=A0</div= ><div>(screen-locker-service xscreensaver)<br></div><div>I run into all kin= ds of set-uid problems.=C2=A0</div><div><br></div><div>I will happily=C2=A0= provide more information if needed.</div><div><br></div>-- <br><div dir=3D"= ltr" data-smartmail=3D"gmail_signature"><div dir=3D"ltr"><div><div dir=3D"l= tr">Met vriendelijke groet,<div><br></div><div>Rick Huijzer</div><div><br><= /div></div></div></div></div></div></div> --000000000000a9d40205e5ca615f--
Rick Huijzer <ikbenrickhuyzer@HIDDEN>
:bug-guix@HIDDEN
.
Full text available.bug-guix@HIDDEN
:bug#57071
; Package guix
.
Full text available.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.