https://bugs.kde.org/show_bug.cgi?id=518755
[email protected] changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REPORTED |RESOLVED Resolution|--- |NOT A BUG --- Comment #8 from [email protected] --- Ended up poking around on this system some more and fixed it for myself Root Cause: A hardening step removed required SUID permissions from PAM/authentication helper binaries, specifically: /usr/bin/unix_chkpwd /usr/bin/su This broke PAM password verification used by KDE screen locking and su. Observed incorrect permissions: -rwxr-xr-x /usr/bin/unix_chkpwd -rwxr-xr-x /usr/bin/su Expected permissions: -rwsr-xr-x Additional complication: The running system environment would not allow restoring SUID bits in-place (chmod 4755 returned Operation not permitted), so repair had to be performed offline from an Arch ISO/chroot environment. Resolution: Booted Arch ISO Mounted BTRFS root subvolume Entered system with arch-chroot Reinstalled affected packages: pam shadow sudo util-linux Restored correct SUID permissions: chmod 4755 /usr/bin/unix_chkpwd chmod 4755 /usr/bin/su Verified integrity with: pacman -Qkk pam shadow sudo Rebooted system Result: KDE unlock/login functioning normally su - functioning normally PAM authentication restored Lessons Learned: Avoid blanket SUID/SGID stripping on desktop Linux systems. PAM and desktop authentication rely on several privileged helper binaries. -- You are receiving this mail because: You are watching all bug changes.
