pam_setcred in slock not working #34
Comments
That should work, it's the exact same sequence of calls that xsecurelock is using, apart from not calling pam_chauthtok if pam_acct_mgmt fails, which is optional anyway. Since slock does unlock (I assume), it should definitely have called pam_setcred. Can you comment out the call to pam_acct_mgmt, just to exclude that as the cause? That's the way i3lock does it. Also, try adding the I don't have my notebook available currently on which I use pam-gnupg myself, so I can't test it directly, unfortunately. |
Commenting out the lines
Didn't change anything. Enabling the debug option I see
It seems like the credentials aren't being stored somewhere by slock? |
Ah, slock installs itself as setuid root to be able to read /etc/shadow (precisely because it doesn't use PAM), and then drops privileges to user ‘nobody’. pam-gnupg, on the other hand, tries to become the authenticated user, in order to read the config file ~/.pam-gnupg, and aborts if that fails, which it will since ‘nobody’ is not allowed to become you. The easiest workaround is probably to hardcode your real user as the drop user in Otherwise, you can rip out all of the setuid functionality, which is not really needed with PAM (with one exception, see below):
Note that I didn't test this, you'll have to see what happens. |
I do have my username as the drop user, although the thing I'm not comfortable with is what should be the drop group? I currently have it set to "users" |
It should be your primary group, the one displayed by |
Welp, that was it! I had the wrong group set. It now works! Thank you so much for all of your help!! |
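The fix reached in the comments above, written as a preflight check (an added example, not code from this thread, slock or pam-gnupg): the configured drop user must be the account being unlocked, and the drop group must be that account's primary group. The function, enum and message names are hypothetical.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum drop_check {  /* hypothetical names, not slock's */
    DROP_OK, DROP_NO_USER, DROP_NO_GROUP, DROP_WRONG_USER, DROP_NOT_PRIMARY_GROUP
};

/* auth_user: account being unlocked; drop_user/drop_group: configured names. */
enum drop_check check_drop_identity(const char *auth_user,
                                    const char *drop_user,
                                    const char *drop_group)
{
    struct passwd *pw;
    struct group *gr;
    uid_t auth_uid;
    gid_t auth_gid;

    /* getpwnam() returns static storage: copy the ids before the next call. */
    if ((pw = getpwnam(auth_user)) == NULL)
        return DROP_NO_USER;
    auth_uid = pw->pw_uid;
    auth_gid = pw->pw_gid;
    if ((pw = getpwnam(drop_user)) == NULL)
        return DROP_NO_USER;
    if (pw->pw_uid != auth_uid)
        return DROP_WRONG_USER;        /* e.g. "nobody" cannot become auth_user */
    if ((gr = getgrnam(drop_group)) == NULL)
        return DROP_NO_GROUP;
    if (gr->gr_gid != auth_gid)
        return DROP_NOT_PRIMARY_GROUP; /* the mistake found in this thread */
    return DROP_OK;
}

int main(int argc, char **argv)
{
    static const char *msg[] = { "ok", "unknown user", "unknown group",
        "drop user is not the authenticating user",
        "drop group is not that user's primary group" };
    struct passwd *me = getpwuid(getuid()); /* real uid: who locked the screen */
    char name[256];

    if (argc != 3 || me == NULL) {
        fprintf(stderr, "usage: %s DROP_USER DROP_GROUP\n", argv[0]);
        return 2;
    }
    snprintf(name, sizeof name, "%s", me->pw_name); /* copy out of static storage */
    enum drop_check r = check_drop_identity(name, argv[1], argv[2]);
    printf("%s\n", msg[r]);
    return r == DROP_OK ? 0 : 1;
}
```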
Looks like I spoke a little too early...
I'm trying to use slock with the pam-auth patch. The patch itself doesn't call pam_setcred, so naturally as with any suckless tool, I'm trying to implement it myself. Judging from the physlock and xsecurelock PRs, it looks like it should be a simple addition. So, I thought this would work:
But it doesn't seem to be the case. Is there something else that needs to be called before pam_setcred?
Originally posted by @Barbarossa93 in #7 (comment)