Package: xscreensaver Version: 6.06+dfsg1-2 Severity: important Dear Maintainer,
TL;DR - If xscreensaver pam authentication is to work it will need to cause adjustment to libpam-cap related configuration files. After upgrading my Debian desktop to bookworm I found that any attempt to unlock xscreensaver acted as if I had failed to type the password correctly. It should be noted that this is an old Debian install that has been through many different stable versions without a reinstall. Running xscreensaver with `-verbose` and temporarily increasing some PAM auth logging pointed to `unix_chkpwd` being where the failure occurred, but I couldn't easily delve any deeper there due to even root not being able to `strace` an `xscreensaver-auth` process. To help diagnoise this I performed a clean bookworm install on a separate drive and re-tested it there. It worked! So, I started looking at differences between the two installs. I used `fvwm` on both, and aligned the `~/.xscreensaver` configurations. Then I checked `/etc/pam.d/`, saw I had `pam_cap.so` configured on the old install and tried commenting that out of `/etc/pam.d/common-auth`. But re-testing didn't cause xscreensaver auth to work. It turns out at least a full restart was necessary, if not a reboot. This was discovered when `/etc/security/capability.conf` also came to light, with its default `none *` line active. So, performed an `apt purge libpam-cap`, and rebooted before a re-test, and then xscreensaver unlocking worked! The version of libpam-cap that gets installed is: ii libpam-cap:amd64 1:2.66-3 -- System Information: Debian Release: 12.0 APT prefers testing-security APT policy: (500, 'testing-security'), (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 6.1.0-6-amd64 (SMP w/16 CPU threads; PREEMPT) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages xscreensaver depends on: ii init-system-helpers 1.65.2 ii libatk1.0-0 2.46.0-5 ii libc6 2.36-8 ii libcrypt1 1:4.4.33-2 ii libglib2.0-0 2.74.6-1 ii libgtk-3-0 3.24.37-2 ii libpam0g 1.5.2-6 ii libsystemd0 252.6-1 ii libx11-6 2:1.8.4-2 ii libxext6 2:1.3.4-1+b1 ii libxft2 2.3.6-1 ii libxi6 2:1.8-1+b1 ii libxinerama1 2:1.1.4-3 ii libxml2 2.9.14+dfsg-1.1+b3 ii libxrandr2 2:1.5.2-2+b1 ii libxt6 1:1.2.1-1 ii libxxf86vm1 1:1.1.4-1+b2 ii xscreensaver-data 6.06+dfsg1-2 Versions of packages xscreensaver recommends: ii fonts-urw-base35 20200910-7 ii libjpeg-turbo-progs 1:2.1.5-2 ii perl 5.36.0-7 ii wamerican [wordlist] 2020.12.07-2 ii wbritish [wordlist] 2020.12.07-2 ii xfonts-100dpi 1:1.0.5 Versions of packages xscreensaver suggests: ii chromium [www-browser] 111.0.5563.64-1 ii fortune-mod [fortune] 1:1.99.1-7.3 pn gdm3 | kdm-gdmcompat <none> ii google-chrome-stable [www-browser] 111.0.5563.110-1 ii links [www-browser] 2.28-1+b2 ii lynx [www-browser] 2.9.0dev.12-1 pn qcam | streamer <none> ii w3m [www-browser] 0.5.3+git20230121-2 ii xdaliclock 2.46-1 pn xfishtank <none> ii xscreensaver-data-extra 6.06+dfsg1-2 ii xscreensaver-gl 6.06+dfsg1-2 ii xscreensaver-gl-extra 6.06+dfsg1-2 -- no debconf information -- - Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/ Finger athan(at)fysh.org for PGP key "And it's me who is my enemy. Me who beats me up. Me who makes the monsters. Me who strips my confidence." Paula Cole - ME