pkgsrc-Bugs archive


Re: pkg/46271: x11/xlockmore built w/pam fails all authentication attempts, won't unlock screen



On Fri, 30 Mar 2012, Matthias Drochner wrote:

> Can you try again without pwauth_suid? Without the "bad-pam" option
> just added, the program will give up the privileges gained by
> the suid bit before the actual authentication. This works for
> some PAM implementations, but not for NetBSD's (unless pwauth_suid
> is used).

I've rebuilt w/o pwauth_suid on a -current/amd64 system and it does
unlock.

Initially, I neglected to re-comment the reference to pam_pwauth_suid.so
in the pam.d/xlock file so upon unlocking, the following messages were
displayed:

  Access control list restored.
  xlock: caught signal 10 while running <modename> mode (uid <UID>)

When I re-commented the pam_pwauth_suid.so reference it unlocks without
any complaint.

As I was writing the above, my 6.0_BETA/i386 system finished installing
xlockmore.  With the "pam_pwauth_suid.so" library nonexistent, but
with its line still in the pam.d/xlock file, authentication fails
(as I think it should).  With the line commented out, authentication
succeeds.

That it succeeds anyway on amd64 may be an issue for investigation.


Prior to this, while using the pam_pwauth_suid.so, I did turn off xlock's
suid bit and it unlocked OK.  I think I like this option.

Maybe provide another option "pam-pwauth-suid"?  This option would
imply pam, omit "--bad-pam" configure arg, and pull in
security/pam-pwauth_suid as a dependency?  (can modes be selectively
enabled/disabled?  install xlock as non-suid with pam-pwauth-suid?)

--
|/"\ John D. Baker, KN5UKS               NetBSD     Darwin/MacOS X
|\ / jdbaker[snail]mylinuxisp[flyspeck]com    OpenBSD            FreeBSD
| X  No HTML/proprietary data in email.   BSD just sits there and works!
|/ \ GPGkeyID:  D703 4A7E 479F 63F8 D3F4  BD99 9572 8F23 E4AD 1645
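
A check for the situation reported above, where pam.d/xlock still names pam_pwauth_suid.so although the module is not installed. This is an added example, not part of the original message or of pkgsrc; the sample file contents, the module directories and the acceptance of versioned file names (`foo.so.N`) are assumptions.

```python
import os

# Constructed sample, not the pam.d/xlock shipped by the package.
SAMPLE_XLOCK = """\
# constructed sample
auth     required   pam_pwauth_suid.so
auth     required   pam_unix.so   no_warn try_first_pass
account  include    system
"""
FACILITIES = {"auth", "account", "session", "password"}
# Assumed module directories (base system and pkgsrc prefix); adjust locally.
MODULE_DIRS = ["/usr/lib/security", "/usr/pkg/lib/security"]

def module_refs(text):
    """Yield (lineno, facility, module) for each active line naming a module."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") not in FACILITIES:
            continue
        i = 1
        if fields[1].startswith("["):          # Linux-PAM "[k=v ...]" control
            while i < len(fields) - 1 and not fields[i].endswith("]"):
                i += 1
        if i + 1 >= len(fields) or fields[i] in ("include", "substack"):
            continue    # malformed line, or names a service file, not a module
        yield lineno, fields[0], fields[i + 1]

def is_installed(module, installed):
    """True if some installed path matches; versioned names (foo.so.N) count."""
    for path in installed:
        name = path if os.path.isabs(module) else os.path.basename(path)
        if name == module or name.startswith(module + "."):
            return True
    return False

def missing_modules(text, installed):
    """Return the module references that no installed file satisfies."""
    return [ref for ref in module_refs(text) if not is_installed(ref[2], installed)]

def installed_in(dirs):
    """List the files present in the given module directories."""
    found = []
    for d in dirs:
        if os.path.isdir(d):
            found += [os.path.join(d, f) for f in os.listdir(d)]
    return found

if __name__ == "__main__":
    for lineno, facility, module in missing_modules(SAMPLE_XLOCK, installed_in(MODULE_DIRS)):
        print(f"line {lineno}: {facility} module {module} not found")
```
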

