Bug 564618 - kde-plasma/plasma-workspace-5.4.2: Can't unlock screen even with correct password
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo KDE team
Duplicates: 626034
Reported: 2015-11-01 11:30 UTC by Gerard Garcia
Modified: 2018-12-24 14:33 UTC

Description Gerard Garcia 2015-11-01 11:30:53 UTC
Screen doesn't unlock even when providing the correct user password

Reproducible: Always

Steps to Reproduce:
1. Lock screen
2. Try to unlock
Actual Results:  
Screen still locked

Expected Results:  
Screen unlocked

Setting the setuid bit on /usr/lib/libexec/kcheckpass solves the problem:

chmod u+s /usr/lib/libexec/kcheckpass
Comment 1 Michael Palimaka (kensington) gentoo-dev 2015-11-04 12:51:58 UTC
Please add emerge --info, and check if there are any relevant messages in ~/.xsession_errors after the unlocking failure.
Comment 2 Gerard Garcia 2015-11-08 10:32:12 UTC
Portage 2.2.24 (python 2.7.10-final-0, default/linux/amd64/13.0/desktop/plasma/systemd, gcc-4.9.3, glibc-2.22-r1, 4.2.3-gentoo x86_64)
=================================================================
System uname: Linux-4.2.3-gentoo-x86_64-Intel-R-_Xeon-R-_CPU_X5650_@_2.67GHz-with-gentoo-2.2
KiB Mem:     6099024 total,   1792208 free
KiB Swap:          0 total,         0 free
Timestamp of repository gentoo: Sun, 08 Nov 2015 08:41:47 +0000
sh bash 4.3_p42
ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1
app-shells/bash:          4.3_p42::gentoo
dev-java/java-config:     2.2.0::gentoo
dev-lang/perl:            5.22.0::gentoo
dev-lang/python:          2.7.10-r2::gentoo, 3.4.3-r2::gentoo
dev-util/cmake:           3.3.2-r1::gentoo
dev-util/pkgconfig:       0.29::gentoo
sys-apps/baselayout:      2.2::gentoo
sys-apps/openrc:          0.18.3::gentoo
sys-apps/sandbox:         2.9::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69-r1::gentoo
sys-devel/automake:       1.11.6-r1::gentoo, 1.14.1::gentoo, 1.15::gentoo
sys-devel/binutils:       2.25.1-r1::gentoo
sys-devel/gcc:            4.9.3::gentoo
sys-devel/gcc-config:     1.8::gentoo
sys-devel/libtool:        2.4.6-r1::gentoo
sys-devel/make:           4.1-r1::gentoo
sys-kernel/linux-headers: 4.3::gentoo (virtual/os-headers)
sys-libs/glibc:           2.22-r1::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/gentoo.git
    priority: -1000

LocalOverlay
    location: /usr/local/portage
    masters: gentoo
    priority: 0

c2p-overlay
    location: /var/lib/layman/c2p-overlay
    masters: gentoo
    priority: 50

emc
    location: /var/lib/layman/emc
    masters: gentoo
    priority: 50

gentoo-zh
    location: /var/lib/layman/gentoo-zh
    masters: gentoo
    priority: 50

gnome
    location: /var/lib/layman/gnome
    masters: gentoo
    priority: 50

jorgicio
    location: /var/lib/layman/jorgicio
    masters: gentoo
    priority: 50

kde
    location: /var/lib/layman/kde
    sync-type: laymansync
    sync-uri: git://anongit.gentoo.org/proj/kde.git
    masters: gentoo
    priority: 50

miramir
    location: /var/lib/layman/miramir
    masters: gentoo
    priority: 50

mrueg
    location: /var/lib/layman/mrueg
    masters: gentoo
    priority: 50

mv
    location: /var/lib/layman/mv
    masters: gentoo
    priority: 50

open-overlay
    location: /var/lib/layman/open-overlay
    masters: gentoo
    priority: 50

pentoo
    location: /var/lib/layman/pentoo
    masters: gentoo
    priority: 50

plab
    location: /var/lib/layman/plab
    masters: gentoo
    priority: 50

quarks
    location: /var/lib/layman/quarks
    masters: gentoo
    priority: 50

slyfox
    location: /var/lib/layman/slyfox
    masters: gentoo
    priority: 50

vmware
    location: /var/lib/layman/vmware
    masters: gentoo
    priority: 50

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=corei7 -O2 -pipe -ggdb"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/maven-bin-3.3/conf"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=corei7 -O2 -pipe -ggdb"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS=" --quiet-build=y"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs buildpkg config-protect-if-modified distlocks ebuild-locks fail-clean fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="ftp://mirror.ovh.net/gentoo-distfiles/ http://mirror.ovh.net/gentoo-distfiles/ http://gentoo-euetib.upc.es/mirror/gentoo/"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="--jobs=7 --silent --load-average=7 "
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/tmp/"
USE="X a52 aac acl acpi alsa amd64 avahi bash-completion berkdb bindist bluetooth branding bzip2 cairo cdda cdr cli cracklib crypt cups cxx dbus declarative dri dts dvd dvdr emboss encode exif fam ffmpeg firefox flac fortran fuse gdbm gif glamor gpm gtk iconv icu ipv6 jpeg kipi lcms libnotify lm_sensors lock mad mmx mmxext mng modules mp3 mp4 mpeg multilib ncurses networkmanager nls nptl ogg opengl openmp pam pango pcre pdf phonon plasma png policykit ppds pulseaudio qml qt3support qt5 readline sdl seccomp semantic-desktop session sound spell sse sse2 ssl startup-notification svg systemd tcpd thunar tiff truetype udev udisks unicode upower usb vorbis widgets wxwidgets x264 xattr xcb xcomposite xfce xinerama xml xscreensaver xv xvid zlib zsh-completion" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" DRACUT_MODULES="lvm" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-64 pc" INPUT_DEVICES="synaptics evdev 
vmmouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en es ca" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby22" USERLAND="GNU" VIDEO_CARDS="intel vmware nvidia nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="2.7"
Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Related:
https://bugs.kde.org/show_bug.cgi?id=353440
Comment 3 Gerard Garcia 2015-11-08 10:32:52 UTC
No errors in ~/.xsession_errors
Comment 4 Michael Palimaka (kensington) gentoo-dev 2015-11-12 11:39:18 UTC
Do you happen to have kde-base/kcheckpass installed?
Comment 5 Gerard Garcia 2015-11-12 11:41:45 UTC
No, I don't have it installed. It did not get installed with the plasma-desktop package.
Comment 6 Andreas Sturmlechner gentoo-dev 2015-11-12 16:30:43 UTC
Relevant errors might be in /var/log/messages
Comment 7 Andreas Sturmlechner gentoo-dev 2015-11-13 20:33:55 UTC
Please show us the output of `ls -l /etc/pam.d/kde*`.
Comment 8 Gerard Garcia 2015-11-14 17:25:56 UTC
I haven't seen any errors in /var/log/messages
Output of  ls -l /etc/pam.d/kde*:
-rw-r--r-- 1 root root 226 Nov 13 16:19 /etc/pam.d/kde
-rw-r--r-- 1 root root 217 Nov 13 16:19 /etc/pam.d/kde-np
Comment 9 Andreas Sturmlechner gentoo-dev 2015-11-14 19:06:11 UTC
The timestamp suggests these files come from kde-base/kdebase-pam::gentoo.

There is now kde-plasma/plasma-workspace-5.4.3-r1 in kde overlay that makes sure these files can not be claimed by kde-base/kdebase-pam (and subsequently removed). Please try again after upgrade and without SUID.
Comment 10 Gerard Garcia 2015-11-15 15:58:07 UTC
Still no luck. After upgrading LDDM doesn't start. I have started Plasma using SLIM but I still have the same issue. Seems that files in pam.d have been modified:
-rw-r--r-- 1 root root 226 Nov 15 13:59 /etc/pam.d/kde
-rw-r--r-- 1 root root 217 Nov 15 13:59 /etc/pam.d/kde-np
Comment 11 Andreas Sturmlechner gentoo-dev 2016-01-17 23:50:53 UTC
Please check:

# equery l sys-libs/pam
# ls -l /sbin/unix_chkpwd
Comment 12 Gerard Garcia 2016-01-18 08:56:28 UTC
# equery l sys-libs/pam
 * Searching for pam in sys-libs ...
[IP-] [  ] sys-libs/pam-1.2.1-r1:0

# ls -l /sbin/unix_chkpwd
-rwx--x--x 1 root root 31232 Aug  4 17:01 /sbin/unix_chkpwd

Now I'm using plasma-workspace-5.5.3:
# equery l plasma-workspace
 * Searching for plasma-workspace ...
[IP-] [  ] kde-plasma/plasma-workspace-5.5.3:5
Comment 13 Andreas Sturmlechner gentoo-dev 2016-01-18 09:26:31 UTC
So no SUID on unix_chkpwd. It seems that particular pam version is making trouble if built with USE=filecaps, or another required condition is not met on several systems.

You can try to rebuild pam with USE=-filecaps, it should make a difference.
Comment 14 Gerard Garcia 2016-01-18 09:46:42 UTC
Seems that after installing sys-libs/pam without the filecaps flag /sbin/unix_chkpwd has the SUID bit set and I can unlock the screen without setting the SUID bit to kcheckpass:

#  ls -l /sbin/unix_chkpwd
-rws--x--x 1 root root 31240 Jan 18 10:34 /sbin/unix_chkpwd

Is it a bug, or do I not have capabilities configured correctly?

thanks!
Comment 15 Andreas Sturmlechner gentoo-dev 2016-01-22 17:56:30 UTC
I tested this a bit on my system. Turns out that USE=filecaps will behave differently if certain kernel options are met. If you have kernel options missing, you should see the following elog messages after installing pam:

 * Could not set caps on '/sbin/unix_chkpwd' due to missing filesystem support:
 * * enable XATTR support for 'ext2/ext3' in your kernel (if configurable)
 * * mount the fs with the user_xattr option (if not the default)
 * * enable the relevant FS_SECURITY option (if configurable)

Checking /sbin/unix_chkpwd, it then has -rws--x--x as a fallback and unlocking works.

So I got back to kernel config and enabled FS_SECURITY which was missing on my system, rebooted into the new kernel image, re-emerged pam with standard flags (that means USE=filecaps) and now the permissions have changed to yours: -rwx--x--x

However, I can still unlock fine. I don't know really at what point systemd comes into play; however please check if you have set the mandatory kernel options for systemd: https://wiki.gentoo.org/wiki/Systemd#Kernel
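
An added example, not part of the original comments: the mode string `-rwx--x--x` appears both in comment 12 (unlock fails) and in comment 15 (unlock works), because file capabilities are stored in an extended attribute that `ls -l` does not show. The sketch below classifies a helper from its mode plus `getcap` output and flags a world-readable shadow file; the function names and the sample capability string used in testing are assumptions.

```shell
#!/bin/sh
# Added example: classify how a password-checking helper obtains privilege.
# MODE is the symbolic mode from `ls -l` or `stat -c %A`.
# CAPS is the output of `getcap FILE` (empty when no capability is stored).

helper_state() {
    mode=$1
    caps=$2
    suid=no
    fcaps=no
    case $mode in ???[sS]*) suid=yes ;; esac   # 4th character is the SUID slot
    case $caps in *cap_*) fcaps=yes ;; esac    # any cap_* name means filecaps
    case $suid/$fcaps in
        yes/yes) echo suid+filecaps ;;
        yes/no)  echo suid ;;
        no/yes)  echo filecaps ;;
        *)       echo unprivileged ;;          # neither SUID nor a capability
    esac
}

# Report whether "other" has read permission on the shadow file.
shadow_state() {
    case $1 in
        ???????r*) echo world-readable ;;      # 8th character is other-read
        *)         echo restricted ;;
    esac
}

# Inspect a real file: print its mode, capabilities and classification.
audit() {
    f=$1
    [ -e "$f" ] || { echo "$f: not present"; return 0; }
    mode=$(stat -c %A "$f")                    # GNU coreutils stat
    caps=$(getcap "$f" 2>/dev/null || true)    # empty if getcap is missing
    echo "$f: $mode [${caps:-no caps}] -> $(helper_state "$mode" "$caps")"
}

# Only touches the system when paths are given, for example:
#   sh audit.sh /sbin/unix_chkpwd /usr/lib/libexec/kcheckpass
for f in "$@"; do audit "$f"; done
```

A result of `unprivileged` for /sbin/unix_chkpwd means neither mechanism was applied at install time, which is the case the elog messages quoted in comment 15 describe.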
Comment 16 Gerard Garcia 2016-01-26 14:35:09 UTC
I was only missing these options:
[*] Configure standard kernel features (expert users)  --->
		[*] Enable eventpoll support
		[*] Enable signalfd() system call
		[*] Enable timerfd() system call

But I don't think they are relevant to the problem. Could it be because I am using ZFS? (although I have the ZFS xattr property enabled)
Comment 17 Vadim Dyadkin 2016-03-21 10:53:21 UTC
I've got the same issue with sys-libs/pam-1.2.1-r1 and kde-plasma/kscreenlocker-5.5.5.

The workaround I found was:
chmod g=r /etc/shadow 
chmod o=r /etc/shadow 
chmod u+s /usr/lib64/libexec/kcheckpass

But rebuilding pam with -filecaps resolves the problem. 
Thank you, guys.
Comment 18 Attila Stehr 2016-04-19 11:56:32 UTC
Still a problem:
* kde-plasma/kscreenlocker
     Installierte Versionen: Version:   5.6.2(5)^t
     USE:       pam -debug -test
* kde-plasma/sddm-kcm
     Installierte Versionen: Version:   5.6.2(5)
* x11-misc/sddm
     Installierte Versionen: Version:   0.13.0-r3
     USE:       consolekit pam -systemd
* sys-libs/pam
     Installierte Versionen: Version:   1.2.1-r1 
* kde-plasma/ksshaskpass
     Installierte Versionen: Version:   5.6.2(5)

[8]   default/linux/amd64/13.0/desktop/plasma *
kcheckpass is not installed
Comment 19 Andreas Sturmlechner gentoo-dev 2017-06-04 19:08:37 UTC
(In reply to Attila Stehr from comment #18)
> Still a problem:

Still now? What file system do you use, did you check your kernel config according to the above?
Comment 20 Andreas Sturmlechner gentoo-dev 2017-07-24 17:33:26 UTC
*** Bug 626034 has been marked as a duplicate of this bug. ***
Comment 21 kendling 2017-07-26 01:36:23 UTC
(In reply to Andreas Sturmlechner from comment #19)
> (In reply to Attila Stehr from comment #18)
> > Still a problem:
> 
> Still now? What file system do you use, did you check your kernel config
> according to the above?

This happened to me in Plasma 5.10.x.

Can't fix by 'chmod u+s /usr/lib/libexec/kcheckpass' command.
Comment 22 Andreas Sturmlechner gentoo-dev 2017-07-27 17:44:52 UTC
(In reply to kendling from comment #21)
> Can't fix by 'chmod u+s /usr/lib/libexec/kcheckpass' command.
You didn't read much of the bug if that is all you tried. It is also _not_ recommended to change kcheckpass permissions like that.
Comment 23 kendling 2017-07-28 13:39:10 UTC
(In reply to Andreas Sturmlechner from comment #22)
> (In reply to kendling from comment #21)
> > Can't fix by 'chmod u+s /usr/lib/libexec/kcheckpass' command.
> You didn't read much of the bug if that is all you tried. It is also _not_
> recommended to change kcheckpass permissions like that.

I tried emerging sys-libs/pam-1.2.1-r1 and sys-libs/pam-1.3.0 with the -filecaps USE flag today.

And then recompiled the kernel with the options below.
[*] Configure standard kernel features (expert users)  --->
		[*] Enable eventpoll support
		[*] Enable signalfd() system call
		[*] Enable timerfd() system call

They did not work.

Is there another option to try?
Comment 24 Andreas Sturmlechner gentoo-dev 2017-08-12 18:50:24 UTC
How do you start into your Plasma session?
Comment 25 kendling 2017-08-30 07:52:14 UTC
(In reply to Andreas Sturmlechner from comment #24)
> How do you start into your Plasma session?

I start Plasma session from SDDM.
Comment 26 Andreas Sturmlechner gentoo-dev 2017-09-01 06:37:12 UTC
(In reply to kendling from comment #25)
> This happened to me in Plasma 5.10.x.
> 
> Can't fix by 'chmod u+s /usr/lib/libexec/kcheckpass' command.

You are likely experiencing a different bug, see bug 627748
Comment 27 kendling 2017-09-13 11:39:01 UTC
(In reply to Andreas Sturmlechner from comment #26)
> (In reply to kendling from comment #25)
> > This happened to me in Plasma 5.10.x.
> > 
> > Can't fix by 'chmod u+s /usr/lib/libexec/kcheckpass' command.
> 
> You are likely experiencing a different bug, see bug 627748

I tried kscreenlocker with the -seccomp USE flag; it did not work.

kde-plasma/kscreenlocker-5.10.5.1 [-seccomp]
sys-auth/consolekit-1.1.2
sys-apps/dbus-1.10.8
sys-apps/openrc-0.28
x11-misc/sddm-0.14.0-r2
Comment 28 kendling 2018-02-01 11:52:00 UTC
Hi everybody.

I found the reason.

It works when I unmerge the fingerprint-gui package.
Comment 29 Andreas Sturmlechner gentoo-dev 2018-05-26 20:27:02 UTC
(In reply to kendling from comment #28)
> It works when I unmerge the fingerprint-gui package.

That's interesting. Please try with the current version of fingerprint-gui, 1.09-r1.
Comment 30 Andreas Sturmlechner gentoo-dev 2018-12-24 14:33:56 UTC
We haven't gotten new bug reports in quite a while, so whatever the cause I consider it fixed by now.