bug#57071: Xscreensaver not working since latest patch

[Tory S. Anderson]

I hit the same error. I began with the error and the fix from 
https://issues.guix.gnu.org/23286 and then put xscreensaver into my screenlock 
section of my config:

--8<---cut here---start->8---
(list (service gnome-desktop-service-type)
   ;(screen-locker-service xscreensaver) ;; this initializes, but 
shouts a "do not run as root" error instead of running my images, and doesn't 
accept my password
   ;;; other stuff
   )
--8<---cut here---end--->8---

Now I have 'xscreensaver: don't login as root' on my screensaver, and no 
images. As mentioned earlier, only the xscreensaver-auth program should be 
setuid, not the whole thing, apparently.

bug#57071: Xscreensaver not working since latest patch

[Ludovic Courtès]

Heya,

Ludovic Courtès  skribis:

> Rick Huijzer  skribis:
>
>> It seems that xscreensaver-auth needs to be setuid instead of the main
>> xscreensaver binary. The screen-locker-service in xorg.scm sets the
>> provided package setuid and sets the required pam configuration for the
>> provided package. The problem is that the pam configuration needs to be set
>> for xscreensaver (/etc/pam.d/xscreensaver) and setuid needs to be set for
>> xscreensaver-auth.
>>
>> Interestingly when I setuid xscreensaver-auth manually I run into the
>> following when unlocking:
>> Aug 10 13:35:02 localhost unix_chkpwd[2197]: check pass; user unknown
>> Aug 10 13:35:02 localhost unix_chkpwd[2197]: password check failed for user
>> (rhuijzer)
>> Aug 10 13:35:02 localhost xscreensaver-auth: pam_unix(xscreensaver:auth):
>> authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost=
>>  user=rhuijzer
>>
>> But this might be fixed in time by [RFC PATCH] gnu: linux-pam: Change path
>> to unix_chkpwd helper .
>>
>> I don't know how to fix this elegantly, maybe create a dedicated service
>> for xscreensaver instead of the standard screen-locker-service?
>
> Yes, either that or a special case in ‘screen-locker-service’.

With the attached patch I can make ‘xscreensaver-auth’ setuid-root
(which is optional: it’s needed to tweak OOM behavior) while keeping the
‘xscreensaver’ PAM entry that’s needed.

However, authentication’s still failing due to ‘unix_chkpwd’ not working
on current ‘master’ where  is
missing.

Ideas on how to work around that?  It’s not clear to me how
‘unix_chkpwd’ ends up being invoked in the first place…

Thanks,
Ludo’.

diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index 7be995a438..72698aa28a 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -1655,8 +1655,16 @@ (define-public xscreensaver
(lambda _
  (substitute* '("driver/Makefile.in" "po/Makefile.in.in")
(("@GTK_DATADIR@") "@datadir@")
-   (("@PO_DATADIR@") "@datadir@"))
- #t)))
+   (("@PO_DATADIR@") "@datadir@"
+ (add-before 'configure 'adjust-default-path
+   (lambda _
+ ;; On Guix System, give higher precedence to the setuid-root
+ ;; 'xscreensaver-auth' program compared to the one that lives in
+ ;; $libexecdir.  This modifies code in the 'hack_environment'
+ ;; function, which changes $PATH.
+ (substitute* "driver/xscreensaver.c"
+   (("= DEFAULT_PATH_PREFIX")
+"= \"/run/setuid-programs:\" DEFAULT_PATH_PREFIX")
#:configure-flags '("--with-pam"
 
;; Don't check /proc/interrupts in the build
@@ -1704,7 +1712,11 @@ (define-public xscreensaver
 (license (license:non-copyleft
   (string-append
"http://metadata.ftp-master.debian.org/changelogs/;
-   "/main/x/xscreensaver/xscreensaver_5.36-1_copyright")
+   "/main/x/xscreensaver/xscreensaver_5.36-1_copyright")))
+(properties
+ ;; Tell 'screen-locker-service' which program should be setuid-root.
+ '((screen-locker-setuid-program
+. "libexec/xscreensaver/xscreensaver-auth")
 
 (define-public xssproxy
   (package
diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index 0cbd9aa53b..8f99c0f023 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2017 Andy Wingo 
-;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2019, 2020 Ludovic Courtès 
+;;; Copyright © 2013-2017, 2019-2020, 2022 Ludovic Courtès 
 ;;; Copyright © 2015 Sou Bunnbu 
 ;;; Copyright © 2018, 2019 Timothy Sample 
 ;;; Copyright © 2019 Jan (janneke) Nieuwenhuizen 
@@ -680,12 +680,26 @@ (define slim-service-type
 ;;;
 
 (define-record-type 
-  (screen-locker name program empty?)
+  (screen-locker name package empty?)
   screen-locker?
   (namescreen-locker-name) ;string
-  (program screen-locker-program)  ;gexp
+  (package screen-locker-package)  ;file-like
   (empty?  screen-locker-allows-empty-passwords?)) ;Boolean
 
+(define (screen-locker-setuid-program-name locker)
+  "Return the name of the setuid program of LOCKER.  It's usually LOCKER's
+name but it might differ in some cases--e.g., 'xscreensaver-auth' for
+XScreenSaver."
+  (let ((package (screen-locker-package locker)))
+(or (and (package? package)
+ (assoc-ref (package-properties package)
+'screen-locker-setuid-program))
+(string-append "bin/" (screen-locker-name locker)
+
+(define (screen-locker-setuid-program locker)
+  (file-append (screen-locker-package locker) "/"
+   (screen-locker-setuid-program-name locker)))
+
 (define screen-locker-pam-services
  

bug#57071: Xscreensaver not working since latest patch

[Ludovic Courtès]

Hi Rick & Roman,

Rick Huijzer  skribis:

> It seems that xscreensaver-auth needs to be setuid instead of the main
> xscreensaver binary. The screen-locker-service in xorg.scm sets the
> provided package setuid and sets the required pam configuration for the
> provided package. The problem is that the pam configuration needs to be set
> for xscreensaver (/etc/pam.d/xscreensaver) and setuid needs to be set for
> xscreensaver-auth.
>
> Interestingly when I setuid xscreensaver-auth manually I run into the
> following when unlocking:
> Aug 10 13:35:02 localhost unix_chkpwd[2197]: check pass; user unknown
> Aug 10 13:35:02 localhost unix_chkpwd[2197]: password check failed for user
> (rhuijzer)
> Aug 10 13:35:02 localhost xscreensaver-auth: pam_unix(xscreensaver:auth):
> authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost=
>  user=rhuijzer
>
> But this might be fixed in time by [RFC PATCH] gnu: linux-pam: Change path
> to unix_chkpwd helper .
>
> I don't know how to fix this elegantly, maybe create a dedicated service
> for xscreensaver instead of the standard screen-locker-service?

Yes, either that or a special case in ‘screen-locker-service’.

Could you give it a try?

Unfortunately I’m going to be away from keyboard for a bit; please do
ping here and/or on IRC if you don’t get a timely reply.

Thanks,
Ludo’.

bug#57071: Xscreensaver not working since latest patch

[Rick Huijzer]

Hi Roman and Ludo,

It seems that xscreensaver-auth needs to be setuid instead of the main
xscreensaver binary. The screen-locker-service in xorg.scm sets the
provided package setuid and sets the required pam configuration for the
provided package. The problem is that the pam configuration needs to be set
for xscreensaver (/etc/pam.d/xscreensaver) and setuid needs to be set for
xscreensaver-auth.

Interestingly when I setuid xscreensaver-auth manually I run into the
following when unlocking:
Aug 10 13:35:02 localhost unix_chkpwd[2197]: check pass; user unknown
Aug 10 13:35:02 localhost unix_chkpwd[2197]: password check failed for user
(rhuijzer)
Aug 10 13:35:02 localhost xscreensaver-auth: pam_unix(xscreensaver:auth):
authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost=
 user=rhuijzer

But this might be fixed in time by [RFC PATCH] gnu: linux-pam: Change path
to unix_chkpwd helper .

I don't know how to fix this elegantly, maybe create a dedicated service
for xscreensaver instead of the standard screen-locker-service?

Thanks,

Op wo 10 aug. 2022 om 09:14 schreef Roman Scherer <
roman.sche...@burningswell.com>:

>
> Hi Ludo and Rick,
>
> sorry for the trouble. I'm running xscreensaver on a foreign distro and
> did not notice this. Probably because somehow my screen wasn't locked,
> but still showing random screensavers.
>
> However, now that I tried the `xscreensaver-command -lock` command I see
> a dialog with a "Password initialization failed" message.
>
> The xscreensave logs also show this:
>
> xscreensaver-auth: 06:45:55: OOM: /proc/99677/oom_score_adj: Permission
> denied
> xscreensaver-auth: 06:45:55:   To prevent the kernel from randomly
> unlocking
> xscreensaver-auth: 06:45:55:   your screen via the out-of-memory killer,
> xscreensaver-auth: 06:45:55:   "xscreensaver-auth" must be setuid root.
> xscreensaver-auth: 06:46:06: PAM: warning: /etc/pam.d/xscreensaver does
> not exist.
> xscreensaver-auth: 06:46:06: PAM: password authentication is unlikely to
> work.
> xscreensaver-auth: 06:46:15: PAM: warning: /etc/pam.d/xscreensaver does
> not exist.
> xscreensaver-auth: 06:46:15: PAM: password authentication is unlikely to
> work.
>
> When the dialog popped up, I had to switch to a terminal and kill
> xscreensaver to be able to access my desktop again.
>
> Should we revert it, until we figured out what's necesarry to get this
> working again?
>
> r0man
>
> Ludovic Courtès  writes:
>
> > Hi Rick,
> >
> > Rick Huijzer  skribis:
> >
> >> The latest xscreensaver patch 
> rendered
> >> xscreensaver unusable on my systems. When I try to unlock my screen I am
> >> greeted with the message 'xscreensaver: don't login as root', even
> though I
> >> don't invoke it as root.
> >>
> >>
> >> $xscreensaver-command -lock
> >> Aug  9 08:45:22 localhost shepherd[1]: [slim] xscreensaver-gfx:
> 08:45:22:
> >> 1: running as root: not launching hacks.
> >> Aug  9 09:10:29 localhost shepherd[1]: [slim] xscreensaver-command:
> locking
> >> Aug  9 09:10:32 localhost shepherd[1]: [slim] xscreensaver-gfx:
> 09:10:32:
> >> 0: running as root: not launching hacks.
> >>
> >> When I remove the
> >> (screen-locker-service xscreensaver)
> >> I run into all kinds of set-uid problems.
> >
> > Sorry about that, I built it during review but did not actually run it.
> >
> > One effect of ‘screen-locker-service’ is to make the program setuid-root
> > so that it can authenticate users.  It would seem that something changed
> > in xscreensaver in that area; quoth ‘driver/subprocs.c’:
> >
> >   if (getuid() == (uid_t) 0 || geteuid() == (uid_t) 0)
> > /* Prior to XScreenSaver 6, if running as root, we would change
> the
> >effective uid to the user "nobody" or "daemon" or "noaccess",
> >but even that was just encouraging bad behavior.  Don't log in
> >as root. */
> > {
> >   fprintf (stderr, "%s: %d: running as root: not launching
> hacks.\n",
> >blurb(), ssi->number);
> >   screenhack_obituary (ssi, "", "XScreenSaver: Don't log in as
> root.");
> >   goto DONE;
> > }
> >
> > OTOH the ‘disavow_privileges’ function is supposed to drop root
> > privileges early on.
> >
> > So I’m not sure how it’s supposed to be run.  R0man, ideas?
> >
> > Thanks,
> > Ludo’.
>


-- 
Met vriendelijke groet,

Rick Huijzer

bug#57071: Xscreensaver not working since latest patch

[Roman Scherer]

Hi Ludo and Rick,

sorry for the trouble. I'm running xscreensaver on a foreign distro and
did not notice this. Probably because somehow my screen wasn't locked,
but still showing random screensavers.

However, now that I tried the `xscreensaver-command -lock` command I see
a dialog with a "Password initialization failed" message.

The xscreensave logs also show this:

xscreensaver-auth: 06:45:55: OOM: /proc/99677/oom_score_adj: Permission denied
xscreensaver-auth: 06:45:55:   To prevent the kernel from randomly unlocking
xscreensaver-auth: 06:45:55:   your screen via the out-of-memory killer,
xscreensaver-auth: 06:45:55:   "xscreensaver-auth" must be setuid root.
xscreensaver-auth: 06:46:06: PAM: warning: /etc/pam.d/xscreensaver does not 
exist.
xscreensaver-auth: 06:46:06: PAM: password authentication is unlikely to work.
xscreensaver-auth: 06:46:15: PAM: warning: /etc/pam.d/xscreensaver does not 
exist.
xscreensaver-auth: 06:46:15: PAM: password authentication is unlikely to work.

When the dialog popped up, I had to switch to a terminal and kill
xscreensaver to be able to access my desktop again.

Should we revert it, until we figured out what's necesarry to get this
working again?

r0man

Ludovic Courtès  writes:

> Hi Rick,
>
> Rick Huijzer  skribis:
>
>> The latest xscreensaver patch  rendered
>> xscreensaver unusable on my systems. When I try to unlock my screen I am
>> greeted with the message 'xscreensaver: don't login as root', even though I
>> don't invoke it as root.
>>
>>
>> $xscreensaver-command -lock
>> Aug  9 08:45:22 localhost shepherd[1]: [slim] xscreensaver-gfx: 08:45:22:
>> 1: running as root: not launching hacks.
>> Aug  9 09:10:29 localhost shepherd[1]: [slim] xscreensaver-command: locking
>> Aug  9 09:10:32 localhost shepherd[1]: [slim] xscreensaver-gfx: 09:10:32:
>> 0: running as root: not launching hacks.
>>
>> When I remove the
>> (screen-locker-service xscreensaver)
>> I run into all kinds of set-uid problems.
>
> Sorry about that, I built it during review but did not actually run it.
>
> One effect of ‘screen-locker-service’ is to make the program setuid-root
> so that it can authenticate users.  It would seem that something changed
> in xscreensaver in that area; quoth ‘driver/subprocs.c’:
>
>   if (getuid() == (uid_t) 0 || geteuid() == (uid_t) 0)
> /* Prior to XScreenSaver 6, if running as root, we would change the
>effective uid to the user "nobody" or "daemon" or "noaccess",
>but even that was just encouraging bad behavior.  Don't log in
>as root. */
> {
>   fprintf (stderr, "%s: %d: running as root: not launching hacks.\n",
>blurb(), ssi->number);
>   screenhack_obituary (ssi, "", "XScreenSaver: Don't log in as 
> root.");
>   goto DONE;
> }
>
> OTOH the ‘disavow_privileges’ function is supposed to drop root
> privileges early on.
>
> So I’m not sure how it’s supposed to be run.  R0man, ideas?
>
> Thanks,
> Ludo’.


signature.asc
Description: PGP signature

bug#57071: Xscreensaver not working since latest patch

[Rick Huijzer]

Hi,

The latest xscreensaver patch  rendered
xscreensaver unusable on my systems. When I try to unlock my screen I am
greeted with the message 'xscreensaver: don't login as root', even though I
don't invoke it as root.


$xscreensaver-command -lock
Aug  9 08:45:22 localhost shepherd[1]: [slim] xscreensaver-gfx: 08:45:22:
1: running as root: not launching hacks.
Aug  9 09:10:29 localhost shepherd[1]: [slim] xscreensaver-command: locking
Aug  9 09:10:32 localhost shepherd[1]: [slim] xscreensaver-gfx: 09:10:32:
0: running as root: not launching hacks.

When I remove the
(screen-locker-service xscreensaver)
I run into all kinds of set-uid problems.

I will happily provide more information if needed.

-- 
Met vriendelijke groet,

Rick Huijzer

bug#57071: Xscreensaver not working since latest patch

[Ludovic Courtès]

Hi Rick,

Rick Huijzer  skribis:

> The latest xscreensaver patch  rendered
> xscreensaver unusable on my systems. When I try to unlock my screen I am
> greeted with the message 'xscreensaver: don't login as root', even though I
> don't invoke it as root.
>
>
> $xscreensaver-command -lock
> Aug  9 08:45:22 localhost shepherd[1]: [slim] xscreensaver-gfx: 08:45:22:
> 1: running as root: not launching hacks.
> Aug  9 09:10:29 localhost shepherd[1]: [slim] xscreensaver-command: locking
> Aug  9 09:10:32 localhost shepherd[1]: [slim] xscreensaver-gfx: 09:10:32:
> 0: running as root: not launching hacks.
>
> When I remove the
> (screen-locker-service xscreensaver)
> I run into all kinds of set-uid problems.

Sorry about that, I built it during review but did not actually run it.

One effect of ‘screen-locker-service’ is to make the program setuid-root
so that it can authenticate users.  It would seem that something changed
in xscreensaver in that area; quoth ‘driver/subprocs.c’:

--8<---cut here---start->8---
  if (getuid() == (uid_t) 0 || geteuid() == (uid_t) 0)
/* Prior to XScreenSaver 6, if running as root, we would change the
   effective uid to the user "nobody" or "daemon" or "noaccess",
   but even that was just encouraging bad behavior.  Don't log in
   as root. */
{
  fprintf (stderr, "%s: %d: running as root: not launching hacks.\n",
   blurb(), ssi->number);
  screenhack_obituary (ssi, "", "XScreenSaver: Don't log in as root.");
  goto DONE;
}
--8<---cut here---end--->8---

OTOH the ‘disavow_privileges’ function is supposed to drop root
privileges early on.

So I’m not sure how it’s supposed to be run.  R0man, ideas?

Thanks,
Ludo’.