This is similar to issue #113 but pertains to Cinnamon Desktop on LMDE and probably Linux Mint. This is my fix, but I'm curious if it's the best way to go about resolving the issue, or is this introducing security issues I'm overlooking? Originally I was using "cap_dac_override", but that is overkill because I don't need full control.
After an upgrade to LMDE 6 (faye) the previous fix to enable Yubikey HMAC-SHA1 unlock of the cinnamon-screensaver was no longer working. I was dropping to a terminal and running cinnamon-unlock-desktop in order to get back in after hibernation. After a few days, when I checked btop, I had dozens of the following process running: "cinnamon-screensaver-pam-helper". So that's the new program that needs permission to read the Yubikey when I'm not logged in. It was continuing to run every time I bypassed it. Like the previous Yubikey screensaver fixes, use "setcap":
sudo setcap cap_dac_read_search+ep /usr/lib/x86_64-linux-gnu/cinnamon-screensaver/cinnamon-screensaver-pam-helper
From "man setcap"
CAP_DAC_READ_SEARCH
• Bypass file read permission checks and directory read and execute permission checks;
• invoke open_by_handle_at(2);
• use the linkat(2) AT_EMPTY_PATH flag to create a link to a file referred to by a file descriptor.
In short this gives the helper application a root read/execute permission it wouldn't normally have. To remove the permission on any previous screensaver helper use "setcap -r filename", e.g. "setcap -r /usr/lib/mate-screensaver/mate-screensaver-dialog" or "setcap -r /usr/bin/cinnamon-screensaver-lock-dialog"
More at this GitHub Issue
Originally posted this fix here: https://forums.linuxmint.com/viewtopic.php?t=412210
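An added example, not part of the original post or of any project's code: a small shell audit that reads `getcap` output and flags screensaver binaries still holding DAC-bypass capabilities, so leftovers from earlier fixes can be cleared with `setcap -r`. The function names, verdict labels and sample lines are constructed for illustration, and treating every binary other than the post's helper as stale is an assumption.

```shell
#!/bin/sh
# Added example: classify getcap output for screensaver helpers.
# Handles both libcap output styles:
#   old: /path = cap_dac_read_search+ep
#   new: /path cap_dac_read_search=ep

# Helper path taken from the post; the only binary meant to keep the capability.
EXPECTED_HELPER="/usr/lib/x86_64-linux-gnu/cinnamon-screensaver/cinnamon-screensaver-pam-helper"

# Reads getcap lines on stdin, prints "VERDICT<TAB>path<TAB>caps" per line.
audit_caps() {
    while IFS= read -r line; do
        if [ -z "$line" ]; then continue; fi
        case "$line" in
            *" = "*) path=${line%% = *}; caps=${line#* = } ;;
            *)       path=${line% *};    caps=${line##* } ;;
        esac
        case "$caps" in
            *cap_dac_override*)                 # read, write and execute bypass
                verdict=BROAD ;;
            *cap_dac_read_search*)
                if [ "$path" = "$EXPECTED_HELPER" ]; then
                    verdict=EXPECTED
                else
                    verdict=STALE               # assumed left over from an earlier fix
                fi ;;
            *)  verdict=OTHER ;;
        esac
        printf '%s\t%s\t%s\n' "$verdict" "$path" "$caps"
    done
}

# Only the entries worth acting on (candidates for "setcap -r").
findings() { audit_caps | grep -E '^(BROAD|STALE)'; }

# Constructed sample input, not captured from a real system.
SAMPLE_GETCAP='/usr/lib/x86_64-linux-gnu/cinnamon-screensaver/cinnamon-screensaver-pam-helper cap_dac_read_search=ep
/usr/bin/cinnamon-screensaver-lock-dialog cap_dac_override=ep
/usr/lib/mate-screensaver/mate-screensaver-dialog = cap_dac_read_search+ep
/usr/bin/ping cap_net_raw=ep'

# Live use: getcap -r /usr/bin /usr/lib 2>/dev/null | findings
```

Running it against the constructed sample with `printf '%s\n' "$SAMPLE_GETCAP" | findings` reports the two older dialog binaries and leaves the pam-helper alone.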