Yubico / yubico-pam

Yubico Pluggable Authentication Module (PAM)
https://developers.yubico.com/yubico-pam
BSD 2-Clause "Simplified" License

Yubikey fails to unlock cinnamon screensaver -fix #253

Open ZenAdm1n opened 10 months ago

ZenAdm1n commented 10 months ago

This is similar to issue #113 but pertains to Cinnamon Desktop on LMDE and probably Linux Mint. This is my fix, but I'm curious whether it's the best way to go about resolving the issue or whether this introduces security issues I'm overlooking. Originally I was using "cap_dac_override", but that is overkill because I don't need full control.

After an upgrade to LMDE 6 (faye) the previous fix to enable Yubikey HMAC-SHA1 unlock of the cinnamon-screensaver was no longer working. I was dropping to a terminal and running cinnamon-unlock-desktop in order to get back in after hibernation. After a few days, when I checked btop, I had dozens of the following process running: "cinnamon-screensaver-pam-helper". So that's the new program that needs permission to read the Yubikey when I'm not logged in. It was continuing to run every time I bypassed it. Like the previous Yubikey screensaver fixes, use "setcap":

sudo setcap cap_dac_read_search+ep /usr/lib/x86_64-linux-gnu/cinnamon-screensaver/cinnamon-screensaver-pam-helper

From "man setcap":

CAP_DAC_READ_SEARCH
• Bypass file read permission checks and directory read and execute permission checks;
• invoke open_by_handle_at(2);
• use the linkat(2) AT_EMPTY_PATH flag to create a link to a file referred to by a file descriptor.

In short, this gives the helper application a root read/execute permission it wouldn't normally have. To remove the permission on any previous screensaver helper use "setcap -r filename", e.g. "setcap -r /usr/lib/mate-screensaver/mate-screensaver-dialog" or "setcap -r /usr/bin/cinnamon-screensaver-lock-dialog".

More at this Github Issue

Originally posted this fix here: https://forums.linuxmint.com/viewtopic.php?t=412210
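An added audit helper, not part of yubico-pam or of this issue, for checking which file capabilities screensaver helpers carry: it flags binaries still holding the broad cap_dac_override the reporter first tried (or other privilege-granting capabilities) versus the narrower cap_dac_read_search. The helper paths are the ones named above; the getcap output lines used when getcap is unavailable are constructed.

```shell
#!/bin/sh
# Audit file capabilities on screensaver helpers. Added example; the sample
# getcap lines below are constructed for offline use.

# classify_caps CAPS -> prints "ok", "overbroad", "unexpected" or "none".
# CAPS is the capability text as printed by getcap, in either the newer
# form "cap_dac_read_search=ep" or the older form "= cap_dac_read_search+ep".
classify_caps() {
    caps=$(printf '%s' "$1" | sed 's/^= *//; s/[=+][a-z]*$//')
    case "$caps" in
        '') echo none ;;
        cap_dac_read_search) echo ok ;;
        # Capabilities that give far more than read/search on files.
        *cap_dac_override*|*cap_sys_admin*|*cap_setuid*|*cap_setgid*) echo overbroad ;;
        *) echo unexpected ;;
    esac
}

# audit_line "PATH CAPS" -> prints "PATH verdict" for one getcap output line.
audit_line() {
    path=${1%% *}
    caps=${1#"$path"}
    caps=${caps# }
    printf '%s %s\n' "$path" "$(classify_caps "$caps")"
}

# Constructed sample of `getcap -r` output covering both output formats.
SAMPLE='/usr/lib/x86_64-linux-gnu/cinnamon-screensaver/cinnamon-screensaver-pam-helper cap_dac_read_search=ep
/usr/bin/cinnamon-screensaver-lock-dialog = cap_dac_override+ep
/usr/lib/mate-screensaver/mate-screensaver-dialog cap_dac_read_search,cap_dac_override=ep'

# audit: run getcap over the usual helper locations when available,
# otherwise fall back to the constructed sample.
audit() {
    if command -v getcap >/dev/null 2>&1; then
        getcap -r /usr/lib /usr/bin 2>/dev/null
    else
        printf '%s\n' "$SAMPLE"
    fi | while IFS= read -r line; do
        [ -n "$line" ] && audit_line "$line"
    done
}

audit
```

Any path reported as "overbroad" is a leftover from an earlier, wider workaround and is a candidate for `setcap -r` as described above.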