FS#56297 - [kscreenlocker] PLEASE ENTER SUMMARY

Attached to Project: Arch Linux
Opened by cfr (cfr42) - Saturday, 11 November 2017, 02:58 GMT
Last edited by Antonio Rojas (arojas) - Saturday, 11 November 2017, 08:29 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To No-one
Architecture x86_64
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:

kcheckpass wants access to /var/log/faillog to record failed access attempts, but it cannot open this file as it is 600. journalctl contains repeated lines with errors similar to the following.

kcheckpass[6503]: pam_tally(kde:auth): Error opening /var/log/faillog for update
kcheckpass[6503]: pam_tally(kde:auth): Error opening /var/log/faillog for read
kcheckpass[6503]: pam_tally(kde:setcred): Error opening /var/log/faillog for update
kcheckpass[6503]: pam_tally(kde:setcred): Error opening /var/log/faillog for update

A solution suggested by an internet search is to set /usr/lib/kcheckpass setuid (https://unix.stackexchange.com/a/302960/219455). I can't find the manual page mentioned in the question (https://unix.stackexchange.com/q/302381/219455), so I'm not sure if the executable is supposed to be setuid or not. But I guess that one way or another it should either have access or not be trying to gain access.

A related bug report from 2012/3 was closed as fixed for a similar issue, but I couldn't find any details of which fix was implemented, although the discussion does include a list of possible fixes. It isn't clear whether any of them would be relevant to current systems, but the bug is https://bugs.archlinux.org/task/31544.


Additional info:
* package version(s)

kscreenlocker 5.11.3-1
sddm 0.16.0-1
pambase 20171006-1 (which owns /etc/pam.d/system-login which invokes the need for writing to /var/log/faillog, if I've understood correctly)

* config and/or log files etc.

/etc/pam.d/system-login:

#%PAM-1.0

auth required pam_tally.so onerr=succeed file=/var/log/faillog
auth required pam_shells.so
auth requisite pam_nologin.so
auth include system-auth

account required pam_access.so
account required pam_nologin.so
account include system-auth

password include system-auth

session optional pam_loginuid.so
session optional pam_keyinit.so force revoke
session include system-auth
#session optional pam_motd.so motd=/etc/motd
#session optional pam_mail.so dir=/var/spool/mail standard quiet
-session optional pam_systemd.so
session required pam_env.so

Although this is customised, the use of faillog is also in the packaged version:

#%PAM-1.0

auth required pam_tally.so onerr=succeed file=/var/log/faillog
auth required pam_shells.so
auth requisite pam_nologin.so
auth include system-auth

account required pam_access.so
account required pam_nologin.so
account include system-auth

password include system-auth

session optional pam_loginuid.so
session optional pam_keyinit.so force revoke
session include system-auth
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so dir=/var/spool/mail standard quiet
-session optional pam_systemd.so
session required pam_env.so

I just don't have a mail server and can do without messages of the day ....

Steps to reproduce:

Install required packages, invoke screen locker in some way, log back in and examine the journal.

Closed by  Antonio Rojas (arojas)
Saturday, 11 November 2017, 08:29 GMT
Reason for closing:  Duplicate
Additional comments about closing:   FS#50369 
Comment by cfr (cfr42) - Saturday, 11 November 2017, 03:03 GMT
There is something very odd going on for me with the bug tracker tonight. Apologies for not having a box to change 'PLEASE ENTER SUMMARY' to something more meaningful. (I also had to try three or four ways of invoking the possibility of reporting a bug at all before I actually got that option to appear.) If somebody could change the subject to something like 'kcheckpass wants access to faillog', it would be greatly appreciated.
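
The failure described in this task can be checked mechanically. The following is an added example, not code from the report, from KDE or from Arch: it reads a PAM stack for pam_tally lines, models the classic owner/group/other permission check on the tally file, and matches journal errors to files the calling user cannot open. The function names, the root ownership of the file and the caller uid 1000 are assumptions; the sample text is constructed from the lines quoted in the report.

```python
import re

# Constructed samples in the formats quoted in the report.
PAM_STACK = """\
#%PAM-1.0
auth required pam_tally.so onerr=succeed file=/var/log/faillog
auth required pam_shells.so
-session optional pam_systemd.so
"""
JOURNAL = """\
kcheckpass[6503]: pam_tally(kde:auth): Error opening /var/log/faillog for update
kcheckpass[6503]: pam_tally(kde:auth): Error opening /var/log/faillog for read
kcheckpass[6503]: pam_tally(kde:setcred): Error opening /var/log/faillog for update
"""
ERR = re.compile(r"^(\S+?)\[\d+\]: pam_tally\((\S+?):(\w+)\): "
                 r"Error opening (\S+) for (read|update)$")

def tally_entries(pam_text):
    """Return (type, options) for every pam_tally line in a PAM stack."""
    out = []
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].strip().lstrip("-").split()
        mods = [i for i, f in enumerate(fields) if f.startswith("pam_tally")]
        if mods:
            opts = dict(f.split("=", 1) for f in fields[mods[0] + 1:] if "=" in f)
            out.append((fields[0], opts))
    return out

def dac_access(mode, owner, group, euid, gids):
    """Owner/group/other check only; ACLs and capabilities are ignored."""
    if euid == 0:
        return {"read": True, "update": True}
    shift = 6 if euid == owner else 3 if group in gids else 0
    bits = (mode >> shift) & 0o7
    return {"read": bool(bits & 4), "update": (bits & 6) == 6}  # update = r+w

def explain(pam_text, journal, mode, owner, group, euid, gids):
    """Match journal errors to pam_tally files the caller cannot open."""
    files = {o.get("file"): o.get("onerr") for _, o in tally_entries(pam_text)}
    allowed = dac_access(mode, owner, group, euid, gids)
    report = set()
    for line in journal.splitlines():
        m = ERR.match(line.strip())
        if m and m.group(4) in files and not allowed[m.group(5)]:
            report.add((m.group(1), m.group(2), m.group(4), m.group(5),
                        files[m.group(4)]))
    return sorted(report)
```

With a mode of 600 and an unprivileged caller, every quoted error is explained by the permission check, and the onerr value in each result shows that the stack still lets authentication proceed while the failed attempt goes unrecorded.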
