FS#50369 - [kscreenlocker] kcheckpass cannot write to /var/log/faillog because it doesn't have setuid

Attached to Project: Arch Linux
Opened by Samantha McVey (samcv) - Friday, 12 August 2016, 09:26 GMT
Last edited by Antonio Rojas (arojas) - Friday, 12 August 2016, 14:00 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Antonio Rojas (arojas), Felix Yan (felixonmars)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

Steps to reproduce:
Start journalctl -f in a terminal. Lock the screen in KDE (Ctrl + Alt + L). Type in an incorrect password. Log in again and check the journal; you should see:

kcheckpass[10589]: pam_tally(kde:auth): Error opening /var/log/faillog for update
kcheckpass[10589]: pam_tally(kde:auth): Error opening /var/log/faillog for read
kcheckpass[10589]: pam_tally(kde:setcred): Error opening /var/log/faillog for update
kcheckpass[10589]: pam_tally(kde:setcred): Error opening /var/log/faillog for update

If you do chmod +s /usr/lib/kcheckpass, then the error doesn't show and it works correctly.



Closed by  Antonio Rojas (arojas)
Friday, 12 August 2016, 14:00 GMT
Reason for closing:  Duplicate
Additional comments about closing:   FS#42120 
Comment by Doug Newgard (Scimmia) - Friday, 12 August 2016, 12:55 GMT
Doesn't seem like a very good reason to use suid. That's like giving the mailman a key to your house because he needs to deliver a letter.
Comment by Samantha McVey (samcv) - Friday, 12 August 2016, 13:30 GMT
OK, I checked and there is no need to setuid if we use pam_tally2 instead of pam_tally.

The applicable configuration file is in /etc/pam.d/system-login.

It seems some other distributions have changed from pam_tally to pam_tally2. The man page for pam_tally says it's deprecated, so maybe it would be better to use pam_tally2 rather than setuid.
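
Added example, not part of the comment above or of any Arch package: a shell check for the two conditions this report turns on, namely active PAM rules that still load pam_tally.so and a helper binary that carries the setuid bit. The function names and the sample PAM lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.

# List active (non-comment) rules in PAM directory $1 that load pam_tally.so.
# pam_tally2.so never matches: ".so" must follow "pam_tally" directly.
# Output: one "file:lineno:rule" line per hit.
find_pam_tally() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -nE '(^|[[:space:]/])pam_tally\.so([[:space:]]|$)' "$f" |
            grep -vE '^[0-9]+:[[:space:]]*#' |
            while IFS= read -r hit; do printf '%s:%s\n' "$f" "$hit"; done
    done
    return 0
}

# Succeed if $1 is a regular file with the setuid bit set.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Constructed sample data: writes three PAM files into directory $1.
make_sample() {
    printf '%s\n' '#%PAM-1.0' \
        'auth required pam_tally.so onerr=succeed file=/var/log/faillog' \
        'auth required pam_unix.so' > "$1/system-login"
    printf '%s\n' '# auth required pam_tally.so' \
        'auth required pam_tally2.so onerr=succeed' > "$1/migrated"
    printf '%s\n' 'auth include system-login' > "$1/kde"
}

# Demo: sh audit.sh --demo  (uses a throwaway directory of constructed files)
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample "$d"
    find_pam_tally "$d"
    rm -rf "$d"
fi
```

On a real system, `find_pam_tally /etc/pam.d` and `is_setuid /usr/lib/kcheckpass` cover the paths named in this report.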
Comment by Doug Newgard (Scimmia) - Friday, 12 August 2016, 13:47 GMT
Interesting. This would then be covered by FS#42120
Comment by Antonio Rojas (arojas) - Friday, 12 August 2016, 14:00 GMT
Thanks, marking as duplicate
