Bug 326304

Summary: xscreensaver: "permissions on the password database may be too restrictive" when unlocking the screen
Product: [openSUSE] openSUSE 10.3 Reporter: Lenz Grimmer <lgrimmer>
Component: X11 ApplicationsAssignee: Stanislav Brabec <sbrabec>
Status: RESOLVED FIXED QA Contact: Stefan Dirsch <sndirsch>
Severity: Normal    
Priority: P5 - None CC: geoff, john, mnodora, rellick
Version: Beta 3   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 365549    

Description Lenz Grimmer 2007-09-19 10:27:49 UTC 
Enabling xscreensaver using "xscreensaver-command -lock" works fine. When I unlock the screen, it prompts for a password and accepts it. Then, a new popup comes up which reads "Permissions on the password database may be too restrictive". This message is confusing and has not appeared in previous versions.
Comment 1 Marvin Nodora 2007-10-11 23:14:51 UTC 
Repeatable with the 10.3 release version.
Comment 2 Geoff Kuenning 2008-01-17 09:54:32 UTC 
This is the PAM audit_log_acct_message bug that also shows up in imapd and sshd.  Each time it appears, the message "xscreensaver: PAM audit_log_acct_message() failed: Operation not permitted" shows up in the system logs.  I suspect that xscreensaver isn't properly managing its setuid status when calling PAM.  See bug 331683 for additional information.
Comment 3 Stanislav Brabec 2008-01-17 15:03:08 UTC 
It looks like xscreensaver calls pam with user privileges, even if it has SUID flag.

Hopefully, it supports also PAM compatible password helper support.
Comment 4 Stanislav Brabec 2008-01-17 15:18:07 UTC 
Testing packages using helper. Please let me know, whether it works for you. For me it reports no error.

http://pack.suse.cz/sbrabec/bug326304/
Comment 7 Lenz Grimmer 2008-01-17 16:00:54 UTC 
Thanks for providing the update - it fixes the problem for me, the message is gone.

However, I see the following messages when starting xscreensaver:

lenz@metis:~> xscreensaver
xscreensaver: couldn't get password of "lenz"
xscreensaver: couldn't get password of "root"
Comment 8 Stanislav Brabec 2008-01-17 17:35:32 UTC 
Confirming.

This message has no real meaning with PAM helper. Disabling it.

New packages are available at the same URL for both 10.3 and Factory.


#ifndef HAVE_PAM 
  /* We only issue this warning if not compiled with support for PAM. 
     If we're using PAM, it's not unheard of that normal pwent passwords 
     would be unavailable. */

  if (!result)
    fprintf (stderr, "%s: couldn't get password of \"%s\"\n",
             blurb(), (user ? user : "(null)"));
#endif /* !HAVE_PAM */ 

It appears even with --disable-shadow
Comment 11 Stanislav Brabec 2008-01-21 12:41:22 UTC 
It would be nice to release this fix altogether with fig of the bug 235715.
Comment 12 Stanislav Brabec 2008-03-03 13:40:56 UTC 
I found a dependency problem:

pam is no more required implicitly by the xscreensaver. We have to require /sbin/unix2_chkpwd explicitly to prevent theoretically possible problems, if pam is not installed.

Fixing now.
Comment 13 Stanislav Brabec 2008-03-06 16:18:23 UTC 
Problem is fixed in Factory.

For 10.3 fix is submitted as well but the release is postponed and waiting for correct fix of bug 235715.