https://bugs.kde.org/show_bug.cgi?id=458540

Oleg Solovyov <mcp...@altlinux.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|WAITINGFORINFO              |---
             Status|NEEDSINFO                   |REPORTED

--- Comment #7 from Oleg Solovyov <mcp...@altlinux.org> ---
(In reply to David Edmundson from comment #6)
> >Our distro uses tcb, with users having their own /etc/tcb/<user>/shadow
> >As a consequence, the password checker has to be in the chkpwd group with the sgid bit
> >set.
> 
> Are you sure? 
> 
> Looking at TCB code (support.c) it has an explicit path for when we're not
> running as root.
> 
> ```
>               if (uid == geteuid() && uid == pw->pw_uid && uid != 0) {
>                       /* We are not root perhaps this is the reason? */
>                       D(("running helper binary"));
>                       retval = unix_run_helper_binary(user, pass);
> ```
> 
> Which from the make file seems to invoke $(LIBEXECDIR)/chkpwd/tcb_chkpwd
> 

Yes. Can't prove why but I tested with sgid bit removed and I can't unlock my
session.
That's why kcheckpass had attrs:
-rwx--s--x 1 root chkpwd [...] /usr/libexec/kf5/kcheckpass

Now same attrs should be on kscreenlocker_greet:
-rwx--s--x 1 root chkpwd 149864 авг 26 17:18 /usr/libexec/kf5/kscreenlocker_greet

I don't think it's a good idea to give sgid to the whole greeter instead of
kcheckpass, which is small and written w/o Qt.

Also:
#l /usr/lib/chkpwd/
итого 16
drwxr-xr-x 1 root root   20362 сен  5 10:39 ../
drwx--x--- 1 root chkpwd    20 фев 17  2022 ./
-rwx--s--x 2 root shadow 14528 авг 24  2021 tcb_chkpwd
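
An added example (not part of the bug report, and not tcb or KDE code) that evaluates the permission bits from the listings above under plain POSIX owner/group/other rules, to show which credentials can reach tcb_chkpwd. The user `alice`, the non-sgid mode `-rwxr-xr-x`, and the `Entry`/`Cred` helpers are assumptions made for the illustration; ACLs, capabilities and LSM policy are ignored.

```python
# Added illustration; modes, owners and groups are copied from the listings
# in the comment above. "alice" is a constructed unprivileged desktop user.
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    mode: str    # ls -l style, e.g. "-rwx--s--x"
    owner: str
    group: str

@dataclass(frozen=True)
class Cred:
    euid: str
    egid: str
    groups: frozenset = frozenset()   # supplementary groups

def allowed(e: Entry, c: Cred, bit: int) -> bool:
    """bit: 0=read, 1=write, 2=execute/search. Exactly one class applies."""
    if c.euid == "root":
        return True                   # simplification: root bypasses the check
    if c.euid == e.owner:
        triplet = e.mode[1:4]
    elif e.group == c.egid or e.group in c.groups:
        triplet = e.mode[4:7]
    else:
        triplet = e.mode[7:10]
    return triplet[bit] not in "-ST"  # 's'/'t' imply x, 'S'/'T' do not

def exec_as(e: Entry, c: Cred) -> Cred:
    """Credentials after exec: setuid/setgid bits replace euid/egid."""
    euid = e.owner if e.mode[3] in "sS" else c.euid
    egid = e.group if e.mode[6] in "sS" else c.egid
    return Cred(euid, egid, c.groups)

HELPER_DIR = Entry("drwx--x---", "root", "chkpwd")   # /usr/lib/chkpwd/
HELPER = Entry("-rwx--s--x", "root", "shadow")       # tcb_chkpwd
SGID_LOCKER = Entry("-rwx--s--x", "root", "chkpwd")  # attrs listed above
PLAIN_LOCKER = Entry("-rwxr-xr-x", "root", "root")   # constructed: sgid removed
ALICE = Cred("alice", "alice")

def can_run_helper(locker: Entry, user: Cred) -> bool:
    """Can a process started from `locker` search the dir and exec the helper?"""
    if not allowed(locker, user, 2):
        return False
    proc = exec_as(locker, user)
    return allowed(HELPER_DIR, proc, 2) and allowed(HELPER, proc, 2)

if __name__ == "__main__":
    print("sgid chkpwd locker:", can_run_helper(SGID_LOCKER, ALICE))
    print("locker without sgid:", can_run_helper(PLAIN_LOCKER, ALICE))
```

Whichever binary carries the sgid bit runs all of its code with the chkpwd group, which is the size-of-privileged-code trade-off the comment raises between kcheckpass and kscreenlocker_greet.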
