Bug 252837 - [PATCH] x11/xfce4-screensaver: PAM authentication may not work as intended due to the wrong policy filename
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-xfce (Nobody)
Reported: 2021-01-19 21:46 UTC by genneko217
Modified: 2021-01-19 23:07 UTC (History)

madpilot: maintainer-feedback+
madpilot: merge-quarterly+


Attachments
A patch to Makefile (549 bytes, text/plain)
2021-01-19 21:46 UTC, genneko217

Description genneko217 2021-01-19 21:46:49 UTC
Created attachment 221750
A patch to Makefile

The x11/xfce4-screensaver port installs a PAM policy file 'xfce-screensaver'
in /usr/local/etc/pam.d when the PAM option is enabled.

However, the policy is not actually used because of the wrong filename.
The correct filename would be 'xfce4-screensaver' as seen in its source.
${WRKSRC}/src/Makefile.am:
        -DPAM_SERVICE_NAME=\""xfce4-screensaver"\"

In most cases, it does not cause any problem because the catch-all
/etc/pam.d/other policy is used instead.

But, it may cause trouble when you have customized PAM policies
in some ways.

For example, when you have configured pam_krb5 in /etc/pam.d/system
to authenticate users with Active Directory or something like that
and do not set local UNIX passwords for the users, those users cannot
unlock the screen with their AD passwords once xfce4-screensaver activates
the screen lock. This is because /usr/local/etc/pam.d/xfce-screensaver
is not loaded, and thus /etc/pam.d/system, which would be included by the
former, is also not loaded.

I've found the issue in this particular situation.


HOW TO CONFIRM

Here are the steps I took to confirm which policies are loaded
when I unlock the xfce4-screensaver's screen lock.

1. Install x11/xfce4-screensaver on a cleanly installed desktop system.

2. Add the following lines to the top of the PAM policy files
   in order to log the loaded policy filename.

[/etc/pam.d/system]
auth    optional        pam_exec.so     /usr/bin/logger system

[/etc/pam.d/other]
auth    optional        pam_exec.so     /usr/bin/logger other

[/usr/local/etc/pam.d/xfce-screensaver]
auth    optional        pam_exec.so     /usr/bin/logger xfce-screensaver

3. Monitor /var/log/messages on a local virtual terminal (Ctrl+Shift+Fx)
   or an SSH terminal on another host.

   $ tail -F /var/log/messages

4. On the desktop, lock the screen manually.

   $ xfce4-screensaver-command --lock

5. Unlock the screen by entering the user password.

6. See which PAM policy was loaded.

Jan 19 20:55:28 xrdp genneko[20748]: pam.d/other
Jan 19 20:55:28 xrdp genneko[20749]: pam.d/other

7. Copy xfce-screensaver to xfce4-screensaver in /usr/local/etc/pam.d
   and edit the previously added line in the new file.

[/usr/local/etc/pam.d/xfce4-screensaver]
auth    optional        pam_exec.so     /usr/bin/logger xfce4-screensaver

8. Lock the screen again.

   $ xfce4-screensaver-command --lock

9. Unlock the screen.

10. See which PAM policy was loaded.

Jan 19 20:57:29 xrdp genneko[20773]: pam.d/xfce4-screensaver
Jan 19 20:57:29 xrdp genneko[20774]: pam.d/system
Jan 19 20:57:29 xrdp genneko[20775]: pam.d/xfce4-screensaver
Jan 19 20:57:29 xrdp genneko[20776]: pam.d/system


ADDITIONAL INFORMATION

I have also used the dwatch(1) utility to monitor file opens and
confirm that 'xfce4-screensaver' (not 'xfce-screensaver') was opened.

$ sudo dwatch -X open
...
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/xfce4-screensaver
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.conf
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/local/etc/pam.d/xfce4-screensaver
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/local/etc/pam.conf
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/other
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_exec.so.6
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_opie.so.6
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libopie.so.8
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/libopie.so.8
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libmd.so.6
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_opieaccess.so.6
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_unix.so.6
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libutil.so.9
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libcrypt.so.5
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libypclnt.so.4
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/libypclnt.so.4
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/other
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_nologin.so.6
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_login_access.so.6
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_unix.so.6
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/other
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_permit.so.6
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/other
2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_permit.so.6
...
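
Added example (not part of the original report or of the port): a small sh function that walks the policy lookup order visible in the dwatch trace above and reports whether a service name gets its own policy or the catch-all 'other'. It matches at file level only (OpenPAM's per-facility fallback is not modelled); the function names and the ROOT prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the bug report. ROOT is a hypothetical prefix so the
# lookup can be run against a test tree instead of the live system.

# Print the first policy source that names SERVICE, in the order seen in the trace.
pam_policy_for() {
    svc=$1; root=${2:-}
    for dir in /etc /usr/local/etc; do
        if [ -f "$root$dir/pam.d/$svc" ]; then
            echo "$dir/pam.d/$svc"; return 0
        fi
        # pam.conf entries carry the service name in the first field
        if [ -f "$root$dir/pam.conf" ] &&
           awk -v s="$svc" '$1 == s { f = 1 } END { exit !f }' "$root$dir/pam.conf"
        then
            echo "$dir/pam.conf"; return 0
        fi
    done
    return 1
}

# Resolve SERVICE, falling back to the catch-all "other" policy.
pam_resolve() {
    pam_policy_for "$1" "${2:-}" && return 0
    if p=$(pam_policy_for other "${2:-}"); then
        echo "$p (fallback)"; return 0
    fi
    echo "none"; return 1
}

# Constructed tree reproducing the report: policy installed under the wrong name.
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/pam.d" "$t/usr/local/etc/pam.d"
    : > "$t/etc/pam.d/other"
    : > "$t/etc/pam.d/system"
    : > "$t/usr/local/etc/pam.d/xfce-screensaver"
    echo "$t"
}

tree=$(demo_tree)
pam_resolve xfce4-screensaver "$tree"    # before the rename
mv "$tree/usr/local/etc/pam.d/xfce-screensaver" \
   "$tree/usr/local/etc/pam.d/xfce4-screensaver"
pam_resolve xfce4-screensaver "$tree"    # after the rename
rm -rf "$tree"
```

Running pam_resolve with the PAM_SERVICE_NAME a program was built with, and no ROOT argument, checks the live system; a "(fallback)" result for a port that ships its own policy file points to the kind of name mismatch reported here.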
Comment 1 Guido Falsi freebsd_committer 2021-01-19 22:05:40 UTC
Good catch!

Thanks for reporting it.

While I'm at it, I'll also start managing this as a configuration file (which is exactly what it is) adding an @sample directive in the plist.
Comment 2 genneko217 2021-01-19 22:35:31 UTC
(In reply to Guido Falsi from comment #1)

That'll be nicer. Thank you.
Comment 3 Guido Falsi freebsd_committer 2021-01-19 22:41:30 UTC
I'll slightly modify your patch, also renaming the default config in files.

This also requires merging to quarterly.
Comment 4 commit-hook freebsd_committer 2021-01-19 23:05:15 UTC
A commit references this bug:

Author: madpilot
Date: Tue Jan 19 23:04:35 UTC 2021
New revision: 562098
URL: https://svnweb.freebsd.org/changeset/ports/562098

Log:
  - Fix name of PAM policy file, so that it is actually used
  - While here, install PAM policy file using @sample directive, so it
    is managed as a configuration file

  PR:		252837
  Submitted by:	genneko217@gmail.com
  MFH:		2021Q1

Changes:
  head/x11/xfce4-screensaver/Makefile
  head/x11/xfce4-screensaver/files/xfce-screensaver.pam
  head/x11/xfce4-screensaver/files/xfce4-screensaver.pam
  head/x11/xfce4-screensaver/pkg-plist
Comment 5 commit-hook freebsd_committer 2021-01-19 23:06:16 UTC
A commit references this bug:

Author: madpilot
Date: Tue Jan 19 23:05:30 UTC 2021
New revision: 562099
URL: https://svnweb.freebsd.org/changeset/ports/562099

Log:
  MFH: r562098

  - Fix name of PAM policy file, so that it is actually used
  - While here, install PAM policy file using @sample directive, so it
    is managed as a configuration file

  PR:		252837
  Submitted by:	genneko217@gmail.com

Changes:
_U  branches/2021Q1/
  branches/2021Q1/x11/xfce4-screensaver/Makefile
  branches/2021Q1/x11/xfce4-screensaver/files/xfce-screensaver.pam
  branches/2021Q1/x11/xfce4-screensaver/files/xfce4-screensaver.pam
  branches/2021Q1/x11/xfce4-screensaver/pkg-plist
Comment 6 Guido Falsi freebsd_committer 2021-01-19 23:07:08 UTC
Fix committed and merged.

Thanks!