# .Xscreensaver does not accept password

## statikregimen

Hi all,

Seems this is a rare problem, but I've found some other, much older posts with similar issues. Most of the solutions didn't work/apply. This is the 3rd machine I've set up recently with Gentoo, and the other two (last I checked) are working normally with default configs/use flags. However, on this one I had to build xscreensaver without pam support which has resolved the issue for now. Is this in any way suboptimal for local security? It certainly does not seem ideal for new users who generally expect things to work out of the box.

With that, I was hoping somebody might be able to provide some insight on other things I can look at, since this is a fresh install presumably configured identically to the other machines I've done. Perhaps I overlooked something in my configs, or I've found a bug and should report? If the latter, how to narrow down where the bug lies (in pam, xscreensaver, something else)?

Any guidance is appreciated!

Cheers.

Last edited by statikregimen on Sat Jul 14, 2018 12:24 am; edited 3 times in total

----------

## JWJones

I've had this happen to me before, too. I was unable to resolve it (PAM was not involved, however, as I recall), so I simply gave up on xscreensaver altogether and went minimal with slock for screen locking, avoiding screensavers.

Sorry, but I don't really remember any specifics beyond that.

----------

## Hu

What does xscreensaver log when the unlock fails?  I have seen this when it is configured to use PAM and it is unable to load PAM.  I have also seen this when it is run with the no-new-privs restriction set, since it needs a privileged helper to verify the password.

----------

## statikregimen

 *Hu wrote:*   

> What does xscreensaver log when the unlock fails?  I have seen this when it is configured to use PAM and it is unable to load PAM.  I have also seen this when it is run with the no-new-privs restriction set, since it needs a privileged helper to verify the password.

 

Sorry, I forgot to include that!

I'm not sure where the xscreensaver logs are? But I get a lot of this kind of stuff in /var/log/auth.log :

```
Mar 26 17:09:05 anony-mouse xscreensaver: pam_unix(xscreensaver:auth): conversation failed
Mar 26 17:09:05 anony-mouse xscreensaver: pam_unix(xscreensaver:auth): auth could not identify password for [statik]
Mar 27 09:13:38 anony-mouse unix_chkpwd[19858]: check pass; user unknown
Mar 27 09:13:42 anony-mouse unix_chkpwd[19898]: check pass; user unknown
Mar 27 09:13:42 anony-mouse unix_chkpwd[19898]: password check failed for user (statik)
Mar 27 09:13:42 anony-mouse xscreensaver: pam_unix(xscreensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0.0 ruser= rhost=  user=statik
Mar 27 09:13:44 anony-mouse xscreensaver[3229]: FAILED LOGIN 1 ON DISPLAY ":0", FOR "statik"
Mar 27 09:13:45 anony-mouse unix_chkpwd[19933]: check pass; user unknown
Mar 27 09:13:48 anony-mouse unix_chkpwd[19964]: check pass; user unknown
Mar 27 09:13:48 anony-mouse unix_chkpwd[19964]: password check failed for user (statik)
```

Seems I only got that "conversation failed" message once...Then after that, it's just a bunch of the others in no apparent pattern.

 *JWJones wrote:*   

> I've had this happen to me before, too. I was unable to resolve it (PAM was not involved, however, as I recall), so I simply gave up on xscreensaver altogether and went minimal with slock for screen locking, avoiding screensavers.
> 
> Sorry, but I don't really remember any specifics beyond that.

 

Not sure what you mean by "minimal with stock"? I use xscreensaver for timed locking. I'm a pretty unpredictable person, and will often times impulsively walk away from my computer, forgetting to lock it. Not much worse than coming back to it w/ a pron tab front and center and wondering who's seen it!

----------

## Hu

 *statikregimen wrote:*   

>  *JWJones wrote:*   
> > I simply gave up on xscreensaver altogether and went minimal with slock
> 
> Not sure what you mean by "minimal with stock"?

 Clean your monitor (or, if applicable, your glasses) and/or check your font.  He said slock, an alternate screen locking program, not stock.  :Smile: 

You should be able to use xscreensaver for locking.  What is the output of ls -l /sbin/unix_chkpwd?  It should be mode 4711.  Are you running xscreensaver under setpriv --nnp or equivalent?  If yes, don't.

----------

## statikregimen

 *Hu wrote:*   

>  *statikregimen wrote:*   
> >  *JWJones wrote:*   
> > > I simply gave up on xscreensaver altogether and went minimal with slock
> > 
> > Not sure what you mean by "minimal with stock"?
> 
> Clean your monitor (or, if applicable, your glasses) and/or check your font.  He said slock, an alternate screen locking program, not stock. 
> 
> You should be able to use xscreensaver for locking.  What is the output of ls -l /sbin/unix_chkpwd?  It should be mode 4711.  Are you running xscreensaver under setpriv --nnp or equivalent?  If yes, don't.

 

lmao...derp. Totally misread.

Here is the output of  the command you requested:

```
-rwx--x--x 1 root root 31184 Mar 22 15:25 /sbin/unix_chkpwd
```

I believe that to be 0711... I will not have local access to the machine until Monday. So I'll try adjusting to 4711.

I am running xscreensaver via ~/.xsession thusly:

```
xscreensaver -no-splash &
```

Also, fwiw, I'm running XDM+Qtile on all my machines, and again, only 1 of 3 has the issue so far. I was able to test my others tonight, and they continue to work fine.

----------

## JWJones

Yes, slock, not stock, which can be started after a specific period of user inactivity using xautolock. More info here:

https://tools.suckless.org/slock/

----------

## statikregimen

Thanks, JWJones - I'll definitely switch to slock for my mobile machines where eye candy is not useful  :Very Happy: 

Also, just finished setting up another machine. It is also having the same issue. It occurred to me that my working systems have not been updated in several days (i.e. since before these 2 new installs). So I'll update those, and see if the problem appears. If so, I'd say that's a strong indicator of a bug somewhere, rather than anything I'm doing wrong (but pro-tip: it's probably me lol).

Cheers

----------

## Hu

 *statikregimen wrote:*   

> I believe that to be 0711... I will not have local access to the machine until Monday. So I'll try adjusting to 4711.

 You interpret that output correctly.  Monday has arrived.  Was fixing this sufficient?

----------

## statikregimen

 *Hu wrote:*   

>  *statikregimen wrote:*   
> > I believe that to be 0711... I will not have local access to the machine until Monday. So I'll try adjusting to 4711.
> 
> You interpret that output correctly.  Monday has arrived.  Was fixing this sufficient?

 

Sorry! Completely forgot to try this.

I've set the permissions as prescribed, and rebuilt xscreensaver w/ pam support again. Lo and behold, it worked!

So I guess now the question is, why was that file set incorrectly? I'm 99% sure I extracted the stage3 with the proper command provided in the handbook:

```
tar xpf stage3-*.tar.{bz2,xz} --xattrs-include='*.*' --numeric-owner
```

But not even really sure when that file would come into play or where it comes from...

Going to give this same thing a try on the latest machine I set up.

Thanks!

EDIT: Seems to have done the trick on the other machine as well. So problem solved on my end.

----------

## Hu

According to equery belongs, that file is owned by sys-libs/pam.  On an affected machine, what is the output of cat -n /var/db/pkg/sys-libs/pam-*/FEATURES?  What version of pam is in use?  What is the output of emerge --info?

----------

## statikregimen

 *Hu wrote:*   

> According to equery belongs, that file is owned by sys-libs/pam.  On an affected machine, what is the output of cat -n /var/db/pkg/sys-libs/pam-*/FEATURES?  What version of pam is in use?  What is the output of emerge --info?

 

```
$ cat -n /var/db/pkg/sys-libs/pam-*/FEATURES
     1  assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr
```

```
*  sys-libs/pam
      Latest version available: 1.2.1-r2
      Latest version installed: 1.2.1-r2
      Size of files: 1,729 KiB
      Homepage:      http://www.linux-pam.org/
      Description:   Linux-PAM (Pluggable Authentication Modules)
      License:       || ( BSD GPL-2 )
```

```
$ emerge --info
Portage 2.3.24 (python 3.5.4-final-0, default/linux/amd64/17.0/desktop, gcc-6.4.0, glibc-2.25-r11, 4.15.14 x86_64)
=================================================================
System uname: Linux-4.15.14-x86_64-AMD_A12-9720P_RADEON_R7,_12_COMPUTE_CORES_4C+8G-with-gentoo-2.4.1
KiB Mem:    15905536 total,   9201448 free
KiB Swap:   17459196 total,  17219324 free
Timestamp of repository gentoo: Tue, 03 Apr 2018 02:00:01 +0000
Head commit of repository gentoo: 5558078abf664d63fead55f6fde1d4b95d18e426
sh bash 4.4_p12
ld GNU ld (Gentoo 2.29.1 p3) 2.29.1
app-shells/bash:          4.4_p12::gentoo
dev-lang/perl:            5.24.3-r1::gentoo
dev-lang/python:          2.7.14-r1::gentoo, 3.5.4-r1::gentoo
dev-util/cmake:           3.9.6::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.4.1-r2::gentoo
sys-apps/openrc:          0.34.11::gentoo
sys-apps/sandbox:         2.13::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69-r4::gentoo
sys-devel/automake:       1.15.1-r2::gentoo
sys-devel/binutils:       2.29.1-r1::gentoo
sys-devel/gcc:            6.4.0-r1::gentoo
sys-devel/gcc-config:     1.8-r1::gentoo
sys-devel/libtool:        2.4.6-r3::gentoo
sys-devel/make:           4.2.1::gentoo
sys-kernel/linux-headers: 4.13::gentoo (virtual/os-headers)
sys-libs/glibc:           2.25-r11::gentoo
Repositories:
gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-extra-opts: 
    sync-rsync-verify-metamanifest: no
steam-overlay
    location: /var/lib/layman/steam-overlay
    masters: gentoo
    priority: 50
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=native"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=native"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="ftp://ftp.ussg.iu.edu/pub/linux/gentoo http://lug.mtu.edu/gentoo/ ftp://lug.mtu.edu/gentoo/ http://cosmos.illinois.edu/pub/gentoo/ ftp://cosmos.illinois.edu/pub/gentoo/"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac acl acpi alsa amd64 berkdb bluetooth branding bzip2 cairo cdda cdr cli consolekit crypt cups cxx dbus dri dts dvd dvdr emboss encode exif fam flac fortran gdbm gif git glamor gpm gtk iconv ipv6 jpeg lcms ldap libnotify mad mng modules mp3 mp4 mpeg multilib ncurses nls nptl ogg opengl openmp pam pango pcre pdf png policykit ppds pulseaudio qt3support readline sdl seccomp spell ssl startup-notification steamruntime svg tcpd tiff truetype udev udisks unicode upower usb vorbis wxwidgets x264 xattr xcb xml xv xvid zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx avx2 f16c fma3 fma4 mmx mmxext pclmul popcnt sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 xop" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-64" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" 
PHP_TARGETS="php5-6 php7-0" POSTGRES_TARGETS="postgres9_5" PYTHON_SINGLE_TARGET="python3_5" PYTHON_TARGETS="python2_7 python3_5" RUBY_TARGETS="ruby22 ruby23" USERLAND="GNU" VIDEO_CARDS="amdgpu radeonsi" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
```

Last edited by statikregimen on Wed Apr 04, 2018 4:18 pm; edited 1 time in total

----------

## ct85711

I know when I checked on my system, unix_chkpwd came up with permissions as 0711.  I can't really say if xscreensaver locking works or not for my system, as I don't use that side.  What would be interesting, is finding out if that file defaults as 0711 when pam is installed or was it possibly changed in an earlier version or changed by some other package.

I may just do a little test on my system, by intentionally breaking the system and removing pam; and reinstall it and see what the permissions of that file is

Note: I am fully aware, in doing so I get to pick up all pieces; and DO NOT recommend anyone do the same thing without knowing exactly what they are doing.

Update:

Well, I confirmed for my system at least, unix_chkpwd comes by default with permissions of 0711 only.  This was tested by completely removing pam from the system and verifying the file is gone, then freshly recompiling pam again and rechecking the file's permissions.

```
Using username "ct85711".
Oate /home/ct85711 # emerge -pv pam xorg-server
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild   R    ] sys-libs/pam-1.3.0-r2::gentoo  USE="berkdb cracklib filecaps nls pie -audit -debug -nis (-selinux) {-test} -vim-syntax" ABI_X86="(64) -32 (-x32)" 0 KiB
[ebuild   R    ] x11-base/xorg-server-1.19.5-r1:0/1.19.5::gentoo  USE="dmx glamor ipv6 kdrive suid udev xcsecurity xephyr xnest xorg xvfb -debug -doc -libressl -minimal (-selinux) -static-libs -systemd -tslib -unwind -wayland" 0 KiB
Total: 2 packages (2 reinstalls), Size of downloads: 0 KiB
Oate /home/ct85711 # ls -l /sbin/unix_chkpwd
-rwx--x--x 1 root root 31224 Apr  4 03:27 /sbin/unix_chkpwd
Oate /home/ct85711 # emerge -pv xscreensaver
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild   R    ] x11-misc/xscreensaver-5.38::gentoo  USE="jpeg opengl pam perl xinerama -gdm -new-login -offensive (-selinux) -suid" 0 KiB
Total: 1 package (1 reinstall), Size of downloads: 0 KiB
```

----------

## Hu

ct85711, thank you for prompting me to look more closely.  If sys-libs/pam is built with USE=filecaps, it can install a mode 711 unix_chkpwd and rely on file capabilities to grant CAP_DAC_OVERRIDE.  If built without file caps, unix_chkpwd must be 4711 so that it gets CAP_DAC_OVERRIDE (and many other unnecessary capabilities) as a result of being suid root.  So if the OP had built with USE=filecaps, then telling him to enable suid was wrong.  OP: what is the output of emerge --pretend --verbose sys-libs/pam?
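The two consistent states Hu describes (mode 711 plus a `cap_dac_override` file capability when pam is built with USE=filecaps, or mode 4711 with no capability when it is not) can be checked mechanically rather than by eye. The script below is an added example, not code from the thread, from sys-libs/pam or from xscreensaver. It takes the octal mode from `stat -c %a` and the text `getcap` prints for the file, and reports which state the helper is in; the verdict strings, function names and the `CHECK_LIVE` switch are this example's own. The live path assumes GNU coreutils `stat` and `getcap` from sys-libs/libcap.

```sh
#!/bin/sh
# Added example (not from the thread, sys-libs/pam or xscreensaver): classify how
# /sbin/unix_chkpwd is privileged. The two consistent states from the thread:
#   mode 711  + cap_dac_override=ep   -> sys-libs/pam built with USE=filecaps
#   mode 4711 + no file capability    -> built with USE=-filecaps (setuid root)
# Anything else either cannot open /etc/shadow or carries more than it needs.
# Verdict strings and function names below are this example's own invention.

# classify_chkpwd MODE CAPS
#   MODE: octal mode as printed by `stat -c %a`, e.g. 711 or 4711
#   CAPS: capability text from getcap for the file ("" if none)
# Prints a verdict; returns 0 (consistent), 1 (misconfigured), 2 (unrecognised input).
classify_chkpwd() {
    mode=$1
    caps=$2

    case "$mode" in
        4711|4755) suid=1 ;;   # setuid root: full capability set, CAP_DAC_OVERRIDE included
        711|755)   suid=0 ;;
        *) echo "unexpected-mode:$mode"; return 2 ;;
    esac

    # Both libcap output styles ("... cap_dac_override=ep" and the older
    # "... = cap_dac_override+ep") put the flag letters right after = or +.
    # 'e' (effective) must be present; with only 'p' the helper would have to
    # raise the capability itself, which unix_chkpwd does not do.
    flags=$(printf '%s\n' "$caps" | sed -n 's/.*cap_dac_override[=+]\([eip]*\).*/\1/p')
    case "$flags" in
        *e*) cap=1 ;;
        "")  cap=0 ;;   # no cap_dac_override on the file at all
        *)   echo "cap-not-effective:$flags"; return 1 ;;
    esac

    if [ "$suid" -eq 0 ] && [ "$cap" -eq 1 ]; then
        echo ok-filecaps
    elif [ "$suid" -eq 1 ] && [ "$cap" -eq 0 ]; then
        echo ok-suid
    elif [ "$suid" -eq 0 ]; then
        # Neither mechanism: unix_chkpwd cannot read /etc/shadow, so the locker
        # logs "check pass; user unknown" and every unlock attempt fails.
        echo broken-no-privilege
        return 1
    else
        # Both mechanisms: unlocking works, but setuid root is redundant with
        # the capability and grants far more than CAP_DAC_OVERRIDE.
        echo overprivileged-suid-and-caps
        return 1
    fi
}

# inspect_chkpwd [PATH]: gather the inputs from the live system and classify them.
# getcap comes from sys-libs/libcap; its "Operation not supported" error (seen
# in the thread) goes to stderr and is treated here as "no capability".
inspect_chkpwd() {
    path=${1:-/sbin/unix_chkpwd}
    mode=$(stat -c %a "$path") || return 2
    caps=$(getcap "$path" 2>/dev/null | sed 's/^[^[:space:]]*[[:space:]]*//')
    classify_chkpwd "$mode" "$caps"
}

# Usage on a real box: CHECK_LIVE=1 sh chkpwd-privilege.sh [/path/to/unix_chkpwd]
if [ -n "${CHECK_LIVE:-}" ]; then
    inspect_chkpwd "$@"
fi
```

Run it with `CHECK_LIVE=1` on the affected machine: `broken-no-privilege` is the state the OP's first `ls -l` showed, `ok-filecaps` is what a USE=filecaps build should produce, and `overprivileged-suid-and-caps` is what you get after following the chmod 4711 advice on a system where the capability is in fact present.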

----------

## statikregimen

 *Hu wrote:*   

> OP: what is the output of emerge --pretend --verbose sys-libs/pam?

 

```
[ebuild   R    ] sys-libs/pam-1.2.1-r2::gentoo  USE="berkdb cracklib filecaps nls pie -audit -debug -nis (-selinux) {-test}" ABI_X86="(64) -32 (-x32)" 0 KiB
```

[Moderator edit: added [code] tags to preserve output layout. -Hu]

----------

## Hu

My advice may have worked, but since you have USE=filecaps, my advice was the wrong solution.  We need to determine whether unix_chkpwd had the file capability annotation.  If it did, we need to know why it did not work for you.  If it did not, we need to know why it did not, since USE=filecaps should have caused it to be there.  If you re-emerge sys-libs/pam, keeping USE=filecaps, what is the output of ls -l /sbin/unix_chkpwd ; getcap /sbin/unix_chkpwd?  How did you install PAM previously?  Was this system created using only Portage to install files or were some files installed through other means, such as cp -r from some other source?

----------

## statikregimen

 *Hu wrote:*   

> My advice may have worked, but since you have USE=filecaps, my advice was the wrong solution.  We need to determine whether unix_chkpwd had the file capability annotation.  If it did, we need to know why it did not work for you.  If it did not, we need to know why it did not, since USE=filecaps should have caused it to be there.  If you re-emerge sys-libs/pam, keeping USE=filecaps, what is the output of ls -l /sbin/unix_chkpwd ; getcap /sbin/unix_chkpwd?  How did you install PAM previously?  Was this system created using only Portage to install files or were some files installed through other means, such as cp -r from some other source?

 

After re-emerging pam:

```
# ls -l /sbin/unix_chkpwd 
-rws--x--x 1 root root 31184 Apr  5 22:57 /sbin/unix_chkpwd
```

pam should have been installed automagically based on my profile or as a dependency of something...

```
$ eselect profile show
Current /etc/portage/make.profile symlink:
  default/linux/amd64/17.0/desktop
```

----------

## Hu

Something is strange here.  If you have USE=filecaps, your file should not be suid, and should have a file capability.  Your older output says you have USE=filecaps.  Your most recent post says you have suid.  You did not show getcap.  Please show that, and add -v so that it prints even if there are no capabilities.

Yes, pam is a dependency.  I wanted to know if this system had been installed through Portage or had been copied from a working Gentoo install.  The latter might, depending on options used, lose file capabilities.

----------

## statikregimen

wtf...? I swear I copied/pasted the command you were looking for...

```
# ls -lv /sbin/unix_chkpwd ; getcap /sbin/unix_chkpwd
-rws--x--x 1 root root 31184 Apr  5 22:57 /sbin/unix_chkpwd
Failed to get capabilities of file `/sbin/unix_chkpwd' (Operation not supported)
```

The system was installed entirely via Portage - no files copied from elsewhere.

I'm not sure what you mean about my older posts showing filecaps vs most recent?

----------

## Hu

I wanted -v on getcap, not on ls.  However, the error message you received is good enough.  There is no need to provide getcap -v now.  I interpret that error message to mean that your filesystem does not support file capabilities.  What type of filesystem did you use for the /sbin directory?  What mount options are set for it?

Regarding USE=filecaps vs suid: if you build the package with USE=filecaps, then unix_chkpwd should not be suid and should have a file capability annotation.  If you build with USE=-filecaps, then unix_chkpwd should be suid.  In your most recent post where you showed the USE flags, you have USE=filecaps, so I would expect you not to have the suid flag on unix_chkpwd.  However, your most recent post where you showed permissions shows that unix_chkpwd is suid.  So either you set it manually, per my (now known to be incorrect) advice earlier in the thread, or something else strange is happening.

----------

## statikregimen

Sorry for the delayed response. I use ext4 for everything.

I did in fact change the permissions per your original suggestion prior to learning that it was not the proper solution. I'm not sure how to undo it. I need to educate myself quite a bit more on this stuff.

----------

## Hu

 *statikregimen wrote:*   

> I did in fact change the permissions per your original suggestion prior to learning that it was not the proper solution. I'm not sure how to undo it. I need to educate myself quite a bit more on this stuff.

 You said you re-emerged PAM, then showed output indicating that the permissions were suid.  If you re-emerged pam with USE=filecaps, that should not have happened, unless you reapplied the permissions change by hand.

You can undo it by setting the permissions back to what they were: 711.

Do you have EXT4_FS_SECURITY enabled in your kernel configuration?  If I read the kernel source correctly, that is required to use file capabilities on ext4.

----------

## pablo_supertux

Hi

sorry to revive such an old thread, but I'm dealing with exactly the same issue here.

neither xscreensaver nor mate-screensaver accepted my password; in the log files, I also got

 *Quote:*   

> Mar 26 11:05:13 gallifrey xscreensaver[6632]: FAILED LOGIN 1 ON DISPLAY ":0.0", FOR "shaoran"
> Mar 26 11:05:17 gallifrey unix_chkpwd[6684]: check pass; user unknown
> ...
 

so after reading this thread I realized that /sbin/unix_chkpwd did not have suid bit set so I tried the chmod 4711 and now it works. However I kept reading and found this:

 *Hu wrote:*   

> My advice may have worked, but since you have USE=filecaps, my advice was the wrong solution.  We need to determine whether unix_chkpwd had the file capability annotation.  If it did, we need to know why it did not work for you.  If it did not, we need to know why it did not, since USE=filecaps should have caused it to be there.  If you re-emerge sys-libs/pam, keeping USE=filecaps, what is the output of ls -l /sbin/unix_chkpwd ; getcap /sbin/unix_chkpwd?  How did you install PAM previously?  Was this system created using only Portage to install files or were some files installed through other means, such as cp -r from some other source?

 

My pam has the filecaps USE flag set, so that's why suid was not set. However the getcap command shows no output and exits with return status 0:

```
# getcap /sbin/unix_chkpwd ; echo $?
0
# getcap -v /sbin/unix_chkpwd ; echo $?
/sbin/unix_chkpwd
0
```

 *Quote:*   

> Do you have EXT4_FS_SECURITY enabled in your kernel configuration? If I read the kernel source correctly, that is required to use file capabilities on ext4.
 

Yes, it is set.

```
# zcat /proc/config.gz | grep EXT4_FS_SECURITY
CONFIG_EXT4_FS_SECURITY=y
```

In the OP's case, getcap returned "Operation not supported"; in my case I just get no output. I don't know how to interpret it. How can I get xscreensaver to work without the incorrect solution of setting suid?

----------

## Hu

For me, unix_chkpwd is mode 711 and the getcap output is:

```
# getcap /sbin/unix_chkpwd
/sbin/unix_chkpwd cap_dac_override=ep
```

My =sys-libs/pam-1.5.1 has USE=filecaps enabled.  I think we need to understand why your pam is installed without the capabilities enabled.  Is your filesystem mounted with xattr enabled?

----------

## pablo_supertux

 *Hu wrote:*   

> I think we need to understand why your pam is installed without the capabilities enabled.  Is your filesystem mounted with xattr enabled?

 

I don't know how to check that. My /etc/fstab looks like this:

```
UUID="f3963fed-6fab-45b2-870e-c654dbaeb62c"  /            ext4       noatime     0 1
```

but I also boot with an initrd generated by dracut with this config:

```
# Equivalent to -H
hostonly="yes"
omit_dracutmodules+=" dash biosdevname"
show_modules="yes"
i18n_vars="/etc/conf.d/keymaps:keymap-KEYMAP,extended_keymaps-EXT_KEYMAPS /etc/conf.d/consolefont:consolefont-FONT,consoletranslation-FONT_MAP /etc/rc.conf:unicode-UNICODE"
```

and I build my initrd with dracut -i /lib/firmware/nvidia /lib/firmware/nvidia --kver <kernel version> --force.

The directory /run/initramfs/log/ is empty and dmesg has only a few lines:

```
$ dmesg  | grep dracut
[    2.662341] dracut: Checking ext4: /dev/disk/by-uuid/f3963fed-6fab-45b2-870e-c654dbaeb62c
[    2.663005] dracut: issuing e2fsck -a  /dev/disk/by-uuid/f3963fed-6fab-45b2-870e-c654dbaeb62c
[    2.668781] dracut: ROOT: clean, 876388/34422784 files, 20200095/137685169 blocks
[    2.670178] dracut: Mounting /dev/disk/by-uuid/f3963fed-6fab-45b2-870e-c654dbaeb62c with -o rw,noatime,ro
[    2.685973] dracut: Mounted root filesystem /dev/nvme0n1p5
[    2.704281] dracut: Switching root
```

It's strange that dracut mounts my root partition with rw and ro at the same time, never noticed that.

My GRUB_CMDLINE_LINUX variable has only one value "net.ifnames=0", so grub-mkconfig generated this config:

```
    echo    'Loading Linux 5.4.97-gentoo ...'
    linux   /boot/kernel-5.4.97-gentoo root=UUID=f3963fed-6fab-45b2-870e-c654dbaeb62c ro net.ifnames=0 
    echo    'Loading initial ramdisk ...'
    initrd  /boot/initramfs-5.4.97-gentoo.img
```

----------

## Hu

I asked my above question thinking about user xattrs, which must be enabled separately.  However, your problem is with capability xattrs.  I see nothing in the documentation suggesting that you need special mounting to facilitate those, so I don't know why your system is not already working.  I have no further advice at this time.  Sorry.

----------

## pablo_supertux

 *Hu wrote:*   

> I asked my above question thinking about user xattrs, which must be enabled separately.

 

and how do I set user xattrs?

 *Hu wrote:*   

> However, your problem is with capability xattrs.

 

I must confess, I don't understand what's the difference.

 *Hu wrote:*   

> I have no further advice at this time.  Sorry.

 

no worries, thanks anyway.

----------

## Hu

You would need the mount option user_xattr, either implicitly or explicitly, to allow use of user xattrs.  However, since those are not relevant to your problem, fixing that will not help you.

User xattrs and capability xattrs are in different parts of the xattr namespace, and serve different purposes.  Capability xattrs are how file capabilities are implemented/remembered.

----------

## pablo_supertux

 *Hu wrote:*   

> You would need the mount option user_xattr, either implicitly or explicitly, to allow use of user xattrs.  However, since those are not relevant to your problem, fixing that will not help you.
> 
> User xattrs and capability xattrs are in different parts of the xattr namespace, and serve different purposes.  Capability xattrs are how file capabilities are implemented/remembered.

 

Thanks for explaining it, but I'm still a little bit confused. Do you have a wiki page/article that explain these things in more detail?

But I also would like to know: who is responsible for setting the capability xattrs on /sbin/unix_chkpwd? The build system, the package maintainer, the sysadmin aka user? And how do you do that? Also, what does cap_dac_override=ep really mean?

----------

## Hu

I know of no documentation to which to refer you, though it probably exists somewhere.

Capabilities can be set by the upstream build system or by the ebuild.  In this case, I see at the end of sys-libs/pam's pkg_postinst:

```
    # The pam_unix module needs to check the password of the user which requires
    # read access to /etc/shadow only.
    fcaps cap_dac_override sbin/unix_chkpwd
```

Thus, for this package, the answer is that the ebuild sets it.  End users should never need to set permissions or capabilities on files installed by Portage, because those files may be replaced on upgrade and the user's changes lost.  This would lead to considerable tedium for users.

You can set capabilities using setcap.  cap_dac_override=ep means that the capability DAC_OVERRIDE is both effective and permitted.  Per man capabilities:

```
       CAP_DAC_OVERRIDE
              Bypass  file  read, write, and execute permission checks.  (DAC is an ab‐
              breviation of "discretionary access control".)
```

For this purpose, it means that unix_chkpwd can read and write files that its owning uid (your regular user) ordinarily cannot access.  This allows it to read your hashed password from /etc/shadow, which is otherwise readable only by root.  When run without this capability, it cannot read /etc/shadow, so it cannot determine whether the entered password is the correct one.
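Hu's description of `=ep` can be checked from the other side, on the running process rather than the file: the kernel publishes each task's capability sets in /proc/PID/status as hex masks (CapPrm is permitted, CapEff is effective), and CAP_DAC_OVERRIDE is bit 1 in include/uapi/linux/capability.h. The script below is an added example, not code from the thread or from any project; its function names and the sample status text are this example's own. A least-privilege aside that the page's quoted ebuild comment ("read access to /etc/shadow only") invites: CAP_DAC_READ_SEARCH (bit 2) bypasses only read and search checks, while CAP_DAC_OVERRIDE, the one actually granted, also bypasses write and execute checks.

```sh
#!/bin/sh
# Added example (not from the thread or from any project): check from the
# process side whether CAP_DAC_OVERRIDE actually became effective. The kernel
# exposes each task's capability sets in /proc/PID/status as 64-bit hex masks
# (CapPrm = permitted, CapEff = effective). CAP_DAC_OVERRIDE is bit 1, per
# include/uapi/linux/capability.h. Function names and the sample status text
# below are this example's own.

CAP_DAC_OVERRIDE=1

# cap_in_mask HEXMASK CAPNUM -> prints 1 if bit CAPNUM is set in HEXMASK, else 0
cap_in_mask() {
    echo $(( (0x$1 >> $2) & 1 ))
}

# status_field STATUS_TEXT NAME -> the value of the "NAME:" line (e.g. CapEff)
status_field() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p"
}

# describe_dac_override STATUS_TEXT -> one word:
#   effective : in CapEff, so file permission checks are bypassed (what "=ep" yields)
#   permitted : in CapPrm only; the program would have to raise it itself ("=p")
#   absent    : not held at all, which is what a mode-711 unix_chkpwd with no
#               file capability gets when a uid-1000 xscreensaver runs it
describe_dac_override() {
    prm=$(status_field "$1" CapPrm)
    eff=$(status_field "$1" CapEff)
    if [ "$(cap_in_mask "${eff:-0}" "$CAP_DAC_OVERRIDE")" = 1 ]; then
        echo effective
    elif [ "$(cap_in_mask "${prm:-0}" "$CAP_DAC_OVERRIDE")" = 1 ]; then
        echo permitted
    else
        echo absent
    fi
}

# live_dac_override -> verdict for the shell running this script
live_dac_override() {
    describe_dac_override "$(cat /proc/self/status)"
}

# Constructed sample status text (not captured from a real machine): an
# unprivileged shell, and a helper started from a file carrying cap_dac_override=ep.
SAMPLE_UNPRIV='Name:	sh
Uid:	1000	1000	1000	1000
CapPrm:	0000000000000000
CapEff:	0000000000000000'

SAMPLE_HELPER='Name:	unix_chkpwd
Uid:	1000	1000	1000	1000
CapPrm:	0000000000000002
CapEff:	0000000000000002'

# A setuid-root helper instead shows the full mask (e.g. 000001ffffffffff on a
# 5.x kernel), which is the "many other unnecessary capabilities" trade-off
# mentioned earlier in the thread.
```

Calling `live_dac_override` from an ordinary user shell prints `absent`; the interesting case is the helper itself, and the same `describe_dac_override` applied to its /proc/PID/status distinguishes a file that was labelled `=p` by mistake (permitted, never effective) from one labelled `=ep`.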

----------

## pablo_supertux

OK, thanks.

I just set the capability by hand with setcap cap_dac_override=ep /sbin/unix_chkpwd and now when I do getcap I get this:

```
$ getcap /sbin/unix_chkpwd 
/sbin/unix_chkpwd cap_dac_override=ep
```

I then removed the suid bit and locked xscreensaver and now it accepted the password. Great!

Only thing I don't understand is why the capabilities were not set, even though USE=filecaps is set for sys-libs/pam:

```
# emerge sys-libs/pam -pv
 * WARNING: The FEATURES variable contains one or more values that
 * should be disabled under normal circumstances: keepwork
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild   R    ] sys-libs/pam-1.5.1::gentoo  USE="berkdb filecaps (split-usr) -audit -debug -nis (-selinux)" ABI_X86="32 (64) (-x32)" 1,382 KiB
```

I wonder whether there are other packages where the ebuild sets the capability but the files themselves do not have any capability set. euse -I shows a couple of packages; for example, iputils sets capabilities for bin/ping and bin/arping, and getcap shows capabilities for these files.

Anyway, you helped me a lot, thanks   :Very Happy: 

----------

