FS#74196 - [kscreenlocker] Cannot unlock session

Attached to Project: Arch Linux
Opened by Outvi V (outloudvi) - Tuesday, 22 March 2022, 13:47 GMT
Last edited by David Thurstenson (thurstylark) - Friday, 25 March 2022, 23:58 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
Cannot unlock from kscreenlocker unless /usr/lib/kcheckpass is SUID-ed or /etc/shadow is readable by all (e.g. 644).

It started to happen since I "fixed" the permission of /etc/shadow (it seems that it should be 600 on a clear Arch Linux).

Troubleshooting:
1. Tried sudo. sudo worked as normal.
2. Tried to reboot and login. Login worked while kscreenlocker did not.
3. Tried to bypass PAM by editing /etc/pam.d/system-auth, the bypass succeeded.
4. Tried to re-build kcheckpass and print the password I inputed. I printed the buf from [1], and it was exactly my password.

Additional info:
* package version(s)
* kscreenlocker 5.24.3-1
* pam 1.5.2-1
* pambase 20211210-1

Steps to reproduce:
1. Confirm that /etc/shadow is at 600 and /usr/lib/kcheckpass is 755 (without SUID)
2. Lock the screen with kscreenlocker
3. Try to unlock the screen

Notes:
1. https://github.com/KDE/kscreenlocker/blob/9d3a95f5f760de2e25e411ee7c1df8f9cf41f5db/kcheckpass/kcheckpass.c#L161
This task depends upon

Closed by  David Thurstenson (thurstylark)
Friday, 25 March 2022, 23:58 GMT
Reason for closing:  Not a bug
Additional comments about closing:  Support request. Redirected to proper channels.
Comment by Antonio Rojas (arojas) - Tuesday, 22 March 2022, 15:56 GMT
logs?
Comment by Outvi V (outloudvi) - Tuesday, 22 March 2022, 16:16 GMT
The logs when trying to unlock is as below (also reproduced on my machine with "/usr/lib/kscreenlocker_greet --testing"):

```
kcheckpass[79339]: pam_systemd_home(kde:auth): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.
kcheckpass[79339]: pam_unix(kde:auth): username [USERNAME] obtained
kcheckpass[79339]: pam_unix(kde:auth): authentication failure; logname=USERNAME uid=1000 euid=1000 tty=/dev/pts/1 ruser= rhost= user=USERNAME
```
Comment by Antonio Rojas (arojas) - Tuesday, 22 March 2022, 20:19 GMT
Please check the output of 'pacman -Qkk plasma-workspace shadow pam pambase plasma-workspace' and make sure no other permissions need fixing.

This looks like a local issue more suitable for the support channels, I doubt there is anything that needs fixing in our packages.
Comment by Outvi V (outloudvi) - Wednesday, 23 March 2022, 03:09 GMT
I've checked, fixed all related permission problems and rebooted, but the problem insists.

I would also agree that it seems to be a local issue - given that there is not huge changes over klockscreen, the problem should have been reported much earlier if it's distro-wide. I believe there shall be many users using the KDE screenlocker. I would do some more researches on my side and ask on this in the support forum. Sorry for the disturbance and thank for your kind help.

Loading...