
pam_setcred in slock not working #34

Closed
cruegge opened this issue Jun 8, 2021 · 6 comments

Comments

@cruegge
Owner

cruegge commented Jun 8, 2021

Looks like I spoke a little too early...

I'm trying to use slock with the pam-auth patch. The patch itself doesn't call pam_setcred, so naturally, as with any suckless tool, I'm trying to implement it myself. Judging from the physlock and xsecurelock PRs, it looks like it should be a simple addition. So, I thought this would work:

    switch (ksym) {
    case XK_Return:
        passwd[len] = '\0';
        errno = 0;
#if PAMAUTH_PATCH
        /* open a PAM transaction for the user name returned by gethash() */
        retval = pam_start(pam_service, hash, &pamc, &pamh);
        color = PAM;
        for (screen = 0; screen < nscreens; screen++) {
            XSetWindowBackground(dpy, locks[screen]->win, locks[screen]->colors[color]);
            XClearWindow(dpy, locks[screen]->win);
            XRaiseWindow(dpy, locks[screen]->win);
        }
        XSync(dpy, False);

        /* the conversation callback in pamc supplies the typed password */
        if (retval == PAM_SUCCESS)
            retval = pam_authenticate(pamh, 0);
        if (retval == PAM_SUCCESS)
            retval = pam_acct_mgmt(pamh, 0);

        running = 1;
        if (retval == PAM_SUCCESS) {
            /* the added call: lets setcred modules (e.g. pam_gnupg) act on the credentials */
            pam_setcred(pamh, PAM_REFRESH_CRED);
            running = 0;
        }
        else
            fprintf(stderr, "slock: %s\n", pam_strerror(pamh, retval));
        pam_end(pamh, retval);

But it doesn't seem to be the case. Is there something else that needs to be called before pam_setcred?

Originally posted by @Barbarossa93 in #7 (comment)

@cruegge
Owner Author

cruegge commented Jun 8, 2021

That should work, it's the exact same sequence of calls that xsecurelock is using, apart from not calling pam_chauthtok if pam_acct_mgmt fails, which is optional anyway. Since slock does unlock (I assume), it should definitely have called pam_setcred. Can you comment out the call to pam_acct_mgmt, just to exclude that as the cause? That's the way i3lock does it. Also, try adding the debug option to the pam_gnupg.so lines in the pam config and check if anything turns up in journalctl.

I don't have my notebook available currently on which I use pam-gnupg myself, so I can't test it directly, unfortunately.

@Barbaross93

Barbaross93 commented Jun 8, 2021

Commenting out the lines

    if (retval == PAM_SUCCESS)
        retval = pam_acct_mgmt(pamh, 0);

didn't change anything. Enabling the debug option, I see

Jun 08 16:42:07 Forester slock[32913]: pam_gnupg(system-auth:auth): stored passphrase
Jun 08 16:42:07 Forester slock[32913]: pam_gnupg(system-auth:setcred): helper terminated with exit code 1
Jun 08 16:42:07 Forester slock[32913]: pam_gnupg(system-auth:setcred): presetting failed, retaining passphrase
Jun 08 16:42:17 Forester kernel: audit: type=1105 audit(1623184937.075:575): pid=33059 uid=1000 auid=1000 ses=1 msg='op=PAM:session_open grantors=pam_limits,pam_unix,pam_permit,pam_gnupg acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/13 res=success'
Jun 08 16:42:17 Forester audit[33059]: USER_START pid=33059 uid=1000 auid=1000 ses=1 msg='op=PAM:session_open grantors=pam_limits,pam_unix,pam_permit,pam_gnupg acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/13 res=success'
Jun 08 16:42:17 Forester sudo[33059]: pam_gnupg(sudo:session): unable to obtain stored passphrase
Jun 08 16:43:19 Forester audit[33059]: USER_END pid=33059 uid=1000 auid=1000 ses=1 msg='op=PAM:session_close grantors=pam_limits,pam_unix,pam_permit,pam_gnupg acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/13 res=success'
Jun 08 16:43:19 Forester kernel: audit: type=1106 audit(1623184999.218:590): pid=33059 uid=1000 auid=1000 ses=1 msg='op=PAM:session_close grantors=pam_limits,pam_unix,pam_permit,pam_gnupg acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/13 res=success'
Jun 08 16:43:33 Forester audit[33572]: USER_START pid=33572 uid=1000 auid=1000 ses=1 msg='op=PAM:session_open grantors=pam_limits,pam_unix,pam_permit,pam_gnupg acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/13 res=success'
Jun 08 16:43:33 Forester sudo[33572]: pam_gnupg(sudo:session): unable to obtain stored passphrase
Jun 08 16:43:33 Forester kernel: audit: type=1105 audit(1623185013.308:594): pid=33572 uid=1000 auid=1000 ses=1 msg='op=PAM:session_open grantors=pam_limits,pam_unix,pam_permit,pam_gnupg acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/13 res=success'
Jun 08 16:44:00 Forester kernel: audit: type=1106 audit(1623185040.481:595): pid=33572 uid=1000 auid=1000 ses=1 msg='op=PAM:session_close grantors=pam_limits,pam_unix,pam_permit,pam_gnupg acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/13 res=success'
Jun 08 16:44:00 Forester audit[33572]: USER_END pid=33572 uid=1000 auid=1000 ses=1 msg='op=PAM:session_close grantors=pam_limits,pam_unix,pam_permit,pam_gnupg acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/13 res=success'
Jun 08 16:45:41 Forester audit[34774]: USER_START pid=34774 uid=1000 auid=1000 ses=1 msg='op=PAM:session_open grantors=pam_limits,pam_unix,pam_permit,pam_gnupg acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/15 res=success'
Jun 08 16:45:41 Forester sudo[34774]: pam_gnupg(sudo:session): unable to obtain stored passphrase
Jun 08 16:45:41 Forester kernel: audit: type=1105 audit(1623185141.761:635): pid=34774 uid=1000 auid=1000 ses=1 msg='op=PAM:session_open grantors=pam_limits,pam_unix,pam_permit,pam_gnupg acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/15 res=succes

It seems like the credentials aren't being stored somewhere by slock?

@cruegge
Owner Author

cruegge commented Jun 8, 2021

Ah, slock installs itself as setuid root to be able to read /etc/shadow (precisely because it doesn't use PAM), and then drops privileges to user ‘nobody’. pam-gnupg, on the other hand, tries to become the authenticated user, in order to read the config file ~/.pam-gnupg, and aborts if that fails, which it will since ‘nobody’ is not allowed to become you.

The easiest workaround is probably to hardcode your real user as the drop user in config.h.

Otherwise, you can rip out all of the setuid functionality, which is not really needed with PAM (with one exception, see below):

  • Turn gethash into:

    static const char *
    gethash(void)
    {
        struct passwd *pw;

        /* Check if the current user has a password entry */
        errno = 0;
        if (!(pw = getpwuid(getuid()))) {
            if (errno)
                die("slock: getpwuid: %s\n", strerror(errno));
            else
                die("slock: cannot retrieve password entry\n");
        }
        return pw->pw_name;
    }
    
  • Remove the /* validate drop-user and -group */ and /* drop privileges */ blocks in main.

  • You may need to remove the call to dontkillme (and the then unused function itself). This one's actually useful even with PAM, since it adjusts the OOM score in order to prevent the kernel from killing slock when the machine runs out of memory. But I'm not sure it works without root, so you'll have to test. slock will write a message to stderr if it fails due to that.

  • Remove the chmod u+s line in Makefile.

  • There will be unused variables after this, so you'll probably get compiler warnings. The HAVE_SHADOW_H will also be obsolete. You can of course remove the leftovers if you want to.

Note that I didn't test this, you'll have to see what happens.
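To illustrate the explanation above, here is a small model (example code written for this thread, not code from slock or pam-gnupg) of the Linux rule that decides whether a process may change its user or group ids: a process with effective uid 0 may set any id, while an unprivileged process may only set each of its real, effective and saved ids to one of the values it already holds. The uid/gid numbers (1000 for the user and their primary group, 100 for "users", 65534 for "nobody") are constructed, and the functions `drop_privileges`, `become_user` and `setcred_would_succeed` are hypothetical names that mimic, respectively, what slock's privilege drop and pam-gnupg's switch to the authenticated user do; supplementary groups are left out of the model.

```c
/* Model of the Linux credential rules behind the slock + pam-gnupg failure.
 * Added example; not slock's or pam-gnupg's own code. The uid/gid values
 * used in main() are constructed for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

struct creds {
    uid_t ruid, euid, suid;   /* real, effective, saved user id  */
    gid_t rgid, egid, sgid;   /* real, effective, saved group id */
};

#define NO_CHANGE ((uid_t)-1)   /* "leave this id alone", as with setresuid(2) */

/* An unprivileged process may only set an id to one it already holds. */
static bool id_allowed(uid_t want, uid_t r, uid_t e, uid_t s)
{
    return want == NO_CHANGE || want == r || want == e || want == s;
}

/* Model of setresuid(2): root may set anything, others are restricted. */
static bool model_setresuid(struct creds *c, uid_t r, uid_t e, uid_t s)
{
    if (c->euid != 0 &&
        (!id_allowed(r, c->ruid, c->euid, c->suid) ||
         !id_allowed(e, c->ruid, c->euid, c->suid) ||
         !id_allowed(s, c->ruid, c->euid, c->suid)))
        return false;         /* EPERM */
    if (r != NO_CHANGE) c->ruid = r;
    if (e != NO_CHANGE) c->euid = e;
    if (s != NO_CHANGE) c->suid = s;
    return true;
}

/* Model of setresgid(2): the permission check is on the effective *uid*. */
static bool model_setresgid(struct creds *c, gid_t r, gid_t e, gid_t s)
{
    if (c->euid != 0 &&
        (!id_allowed(r, c->rgid, c->egid, c->sgid) ||
         !id_allowed(e, c->rgid, c->egid, c->sgid) ||
         !id_allowed(s, c->rgid, c->egid, c->sgid)))
        return false;         /* EPERM */
    if (r != NO_CHANGE) c->rgid = r;
    if (e != NO_CHANGE) c->egid = e;
    if (s != NO_CHANGE) c->sgid = s;
    return true;
}

/* slock-style drop: setgid(drop_gid) then setuid(drop_uid). When the caller
 * is root these set all three ids, so the original identity is gone. */
static bool drop_privileges(struct creds *c, uid_t drop_uid, gid_t drop_gid)
{
    return model_setresgid(c, drop_gid, drop_gid, drop_gid) &&
           model_setresuid(c, drop_uid, drop_uid, drop_uid);
}

/* pam-gnupg-style step (modelled): switch the effective ids to the
 * authenticated user and their primary group to read ~/.pam-gnupg. */
static bool become_user(struct creds *c, uid_t user, gid_t group)
{
    struct creds tmp = *c;
    if (!model_setresgid(&tmp, NO_CHANGE, group, NO_CHANGE)) return false;
    if (!model_setresuid(&tmp, NO_CHANGE, user, NO_CHANGE)) return false;
    *c = tmp;
    return true;
}

/* Run the whole sequence for one config.h choice of drop user/group.
 * The process starts as a setuid-root binary executed by `user`, whose
 * primary group is `primary`. Returns true if the user switch that a
 * setcred module needs would still be permitted after the drop. */
static bool setcred_would_succeed(uid_t drop_uid, gid_t drop_gid,
                                  uid_t user, gid_t primary)
{
    struct creds c = { user, 0, 0, primary, primary, primary };
    if (!drop_privileges(&c, drop_uid, drop_gid))
        return false;
    return become_user(&c, user, primary);
}

int main(void)
{
    /* constructed ids: user 1000 with primary group 1000, "users" = 100, "nobody" = 65534 */
    printf("drop to nobody/nobody:   %s\n", setcred_would_succeed(65534, 65534, 1000, 1000) ? "ok" : "EPERM");
    printf("drop to user/users:      %s\n", setcred_would_succeed(1000, 100, 1000, 1000) ? "ok" : "EPERM");
    printf("drop to user/primary:    %s\n", setcred_would_succeed(1000, 1000, 1000, 1000) ? "ok" : "EPERM");
    return 0;
}
```

The second case is the one from this thread: dropping to the right user but to the "users" group leaves every group id set to 100, so the later switch to the user's primary group is refused just as the switch from "nobody" is. Only the third configuration, drop user and drop group equal to the ids reported by `id -u` and `id -gn`, lets the setcred step proceed.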

@Barbaross93

I do have my username as the drop user, although the thing I'm not comfortable with is what the drop group should be. I currently have it set to "users".

@cruegge
Owner Author

cruegge commented Jun 8, 2021

It should be your primary group, the one displayed by id -gn.

@Barbaross93

Welp, that was it! I had the wrong group set. It now works! Thank you so much for all of your help!!
