Control: reassign -1 libkscreenlocker5 Hello,
On Sat, Nov 24, 2018 at 04:48:31PM +0100, hg42 wrote: > I ran into that quite a while ago, but wasn't using a screen locker or KDE > since, so I forgot about it. Now, with KDE and mostly hibernating my system, > it came back. > unix_chkpwd is installed SGID (2755) in all currently available > libpam-modules-bin versions: > 1.1.8-3.2ubuntu2 > 1.1.8-3.2ubuntu2.1 > 1.1.8-3.2ubuntu3 > 1.1.8-3.2ubuntu3.1 > 1.1.8-3.6 > 1.1.8-3.6ubuntu2 > 1.1.8-3.8 > With these permissions correct passwords fail in newer KDE screen locker > versions. I tested libkscreenlocker5 versions: > 5.13.5-1 > 5.8.6-2 > 5.12.6-0ubuntu0.1 > 5.12.4-0ubuntu1 > for a recent occurance of the issue see here: > https://www.reddit.com/r/kde/comments/8w7uqq/screen_wont_unlock/e1wbilp/?context=8&depth=9 That is not a bug in the Debian PAM package. That shows a user whose unix_chkpwd binary has completely wrong permissions which do not match what we ship. > I found a discussion about SUID vs. SGID for unix_chkpwd here: > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=155583 > Note, I am not an expert in security related things, but the reasoning in > the discussion doesn't look logical, so I'll try to explain my view as a > user. > There probably was a reason why it was SUID before. Obviously nobody is > talking about that decision. > The discussion about switching to SGID seems to be about explicit packages > that fail and solutions for them. > But as I understand this, it doesn't say, there cannot be or can never be > other packages that need unix_chkpwd to be SUID. May be, this is totally > obvious to you and it doesn't need to be discussed. But at least the KDE > screen locker is an example. > Also, bashing NIS doesn't help, especially if there could be other software. There is nothing about a KDE screenlocker that requires unix_chkpwd to be setuid root instead of setgid shadow. The helper only needs to have permission to read /etc/shadow, which is by default readable by group shadow. If this is not working for you, then it's not because shipping unix_chkpwd as setgid shadow is wrong. Equating NIS with a screenlocker is erroneous. NIS is an authentication backend technology with an archaic security design and specific client requirements. A screenlocker is only a consumer of PAM. > So, one question is, why is SGID better than SUID? The principle of least privilege. > is it worth breaking packages if you don't know, why SUID was part of the > design? Just because you do not know does not mean that we do not. Moreover, the PAM package has been shipped this way in Debian for over a decade. Thousands or millions of users have successfully used KDE's screen locker with PAM in this configuration. You are the only user reporting such a problem. Clearly, something is misconfigured on your system compared to that of all the other users. > The other question is, why does another package need unix_chkpwd SUID? is > it insecure or otherwise bad code in some way? > That said, the problem could also be in the code of the screen locker. It could; so let's reassign this bug to the KDE package, whose maintainers may have more insight into specific configurations that may cause this screenlocker to fail. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer https://www.debian.org/ [email protected] [email protected]
signature.asc
Description: PGP signature

