PAM cinnamon-screensaver does not unlock

[DirkHaar]

After upgrading LM Cinnamon 18.1 simply by installing it over V18 unlocking the screen saver or manual screenlock dosn't work at all. No matter what password I use, unlocking is denied with wrong password, even abcdefgh or 12345678 and empty passwords, too. Only one (German) keyboard layout is installed, which is identical to the English one at least for any password I tried with 18.1. Useless to say that the "wrong" password is used to login, and even using it in a terminal via CTRL-ALT-F1 for "killall cinnamon-screensaver" does work. Killing the pw, restart, set one and restart and so one was heavily tested, with no success. While there are lots of issues around cinnamon-screensaver I haven't found this one on 18.1, and in the meantime I don't think it depends on my update itself but is a bug. Does anyone have an idea?

I'm not shure (as not experienced in python), but could it be an error in unlock.py at "on_unlock_clicked" ? Does "-1:" really get the last two bytes of 'text' - and does password matching really work?

  if text[-1:] != "\n":
   text += "\n"```

[jsalatiel]

Same problem here. These are the last lines in auth.log Apr 29 06:25:26 Lenovo-G460 unix_chkpwd[18540]: check pass; user unknown Apr 29 06:25:33 Lenovo-G460 unix_chkpwd[18544]: check pass; user unknown Apr 29 06:25:33 Lenovo-G460 unix_chkpwd[18544]: password check failed for user (yan) Apr 29 06:25:33 Lenovo-G460 cinnamon-screensaver-pam-helper: pam_unix(cinnamon-screensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost= user=yan Apr 29 06:25:35 Lenovo-G460 unix_chkpwd[18546]: check pass; user unknown Apr 29 06:26:08 Lenovo-G460 cinnamon-screensaver-pam-helper: pam_unix(cinnamon-screensaver:auth): conversation failed

[heemayl]

Bumped into this (unix_chkpwd: check pass; user unknown) today with cinnamon-screensaver version 2.2.4 after enabling ecryptfs for encrypting /home/<user>/.

The issue seems to be with the permission of /sbin/unix_chkpwd, where the cinnamon-screensaver process owner does not have sufficient privilege to perform necessary privileged operation with /sbin/unix_chkpwd needing EUID to be 0, regardless of the fact that it is world executable (read the source to find out the actual function asked). The default permission of /sbin/unix_chkpwd is -rwxr-sr-x with owner:group being root:shadow.

Hack for now:

Make the binary SUID-root:

chmod u+s /sbin/unix_chkpwd

Needless to say, this might bite you in the tail if the binary has any insecure code. Again, this should be a temporary workaround at most. And read the source.

[Yonn-Trimoreau]

@heemayl I love you

[clicktechnology]

@heemayl : That worked for me, screensaver unlocks now. Much appreciated.

Cinnamon 5.2.7 Linux 5.15.0-56-generic #62~20.04.1-Ubuntu SMP Linux Mint 20.3 Una

[uranix]

Still present in

Cinnamon 5.8.4
cinnamon-screensaver 5.8.1
Linux 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux
Debian GNU/Linux trixie/sid

The fix by @heemayl worked like a charm.