search

mate-desktop / mate-screensaver

MATE screen saver and locker
https://mate-desktop.org
GNU General Public License v2.0
48 stars 40 forks source link

Option --with-passwd-helper and --enable-authentication-scheme broken on FreeBSD. #272

Closed ericbsd closed 2 years ago

ericbsd commented 2 years ago

Actual behaviour

After upgrading to 1.26.1 option --enable-authentication-scheme=helper and --with-passwd-helper=/usr/local/bin/pam_helper cause the screen lock authentication prompt does not appear, and I need to kill mate-screensaver.

Everything points to PR #178 made by @wolneykien. After reverting changes in src/gs-auth-helper.c, the authentication prompt is back, and it is working

Expected behavior

When installing mate-screensaver with --enable-authentication-scheme=helper and --with-passwd-helper=/usr/local/bin/pam_helper option it authenfication should show up and work.

Steps to reproduce the behavior

On FreeBSD, with all the dependencies installed

sh autogen.sh --with-console-kit=yes --with-systemd=no --enable-authentication-scheme=helper --with-passwd-helper=/usr/local/bin/pam_helper
gmake
sudo gmake install.

MATE general version

1.26.0

Package version

1.26.1

Linux Distribution

FreeBSD 13.0 and 12.3

wolneykien commented 2 years ago

Hi! I see, you are trying to use a custom helper: /usr/local/bin/pam_helper instead of /usr/libexec/mate-screensaver/mate-screensaver-pam-helper. Is that critical for you?

ericbsd commented 2 years ago

It is critical for FreeBSD. mate-screensaver-pam-helper does not work for us. I got told that #include <security/_pam_macros.h> is a Linux thing, and to To compile it on FreeBSD, we had to remove that to compile it on FreeBSD, but the screen lock authentication prompt does not appear. So far, pam_helper is the only way to have the option to use a custom helper.

For FreeBSD, I reverted the changes made to src/gs-auth-helper.c to have --with-passwd-helper=/usr/local/bin/pam_helper working.

wolneykien commented 2 years ago

So far, pam_helper is the only way to have the option to use a custom helper.

OK. Can we upgrade FreeBSD helper to be compatible with helper/helper_proto.c? Can I take a look on it?

wolneykien commented 2 years ago

I got told that #include <security/_pam_macros.h> is a Linux thing, and to To compile it on FreeBSD, we had to remove that to compile it on FreeBSD

Try to use:

sh autogen.sh --with-console-kit=yes --with-systemd=no --with-passwd-helper=/usr/local/bin/pam_helper --enable-authentication-scheme=helper

i.e. place --enable-authentication-scheme=helper after --with-passwd-helper=.... I hope that in that case BUILTIN_HELPER would not be defined by configure and it skips compilation of all under helper/.

ericbsd commented 2 years ago

So far, pam_helper is the only way to have the option to use a custom helper.

OK. Can we upgrade FreeBSD helper to be compatible with helper/helper_proto.c? Can I take a look on it?

I am not familiar with PAM and helper. Maybe @cschuber would no more about that.

ericbsd commented 2 years ago

I got told that #include <security/_pam_macros.h> is a Linux thing, and to To compile it on FreeBSD, we had to remove that to compile it on FreeBSD

Try to use:

sh autogen.sh --with-console-kit=yes --with-systemd=no --with-passwd-helper=/usr/local/bin/pam_helper --enable-authentication-scheme=helper

i.e. place --enable-authentication-scheme=helper after --with-passwd-helper=.... I hope that in that case BUILTIN_HELPER would not be defined by configure and it skips compilation of all under helper/.

It does the same behavior then sh autogen.sh --with-console-kit=yes --with-systemd=no --enable-authentication-scheme=helper --with-passwd-helper=/usr/local/bin/pam_helper.

wolneykien commented 2 years ago

OK. Can we upgrade FreeBSD helper to be compatible with helper/helper_proto.c? Can I take a look on it?

I am not familiar with PAM and helper. Maybe @cschuber would no more about that.

Where /usr/local/bin/pam_helper comes from? Can you point out its sources?

wolneykien commented 2 years ago

i.e. place --enable-authentication-scheme=helper after --with-passwd-helper=.... I hope that in that case BUILTIN_HELPER would not be defined by configure and it skips compilation of all under helper/.

It does the same behavior then sh autogen.sh --with-console-kit=yes --with-systemd=no --enable-authentication-scheme=helper --with-passwd-helper=/usr/local/bin/pam_helper.

Then, it's a possible bug in configure.ac. I'll try to fix that.

ericbsd commented 2 years ago

OK. Can we upgrade FreeBSD helper to be compatible with helper/helper_proto.c? Can I take a look on it?

I am not familiar with PAM and helper. Maybe @cschuber would no more about that.

Where /usr/local/bin/pam_helper comes from? Can you point out its sources?

It is packages built from https://www.marcuscom.com/pam_helper/.

I think Marcus was maintaining that for Gnome, MATE, and XFCE screensaver.

ericbsd commented 2 years ago

i.e. place --enable-authentication-scheme=helper after --with-passwd-helper=.... I hope that in that case BUILTIN_HELPER would not be defined by configure and it skips compilation of all under helper/.

It does the same behavior then sh autogen.sh --with-console-kit=yes --with-systemd=no --enable-authentication-scheme=helper --with-passwd-helper=/usr/local/bin/pam_helper.

Then, it's a possible bug in configure.ac. I'll try to fix that.

I am not sure if that is the problem. I reverted the changes in src/gs-auth-helper.c it fixed our problem.

See https://github.com/freebsd/freebsd-ports/blob/main/x11/mate-screensaver/files/patch-src_gs-auth-helper.c

wolneykien commented 2 years ago

I am not sure if that is the problem. I reverted the changes in src/gs-auth-helper.c it fixed our problem.

See https://github.com/freebsd/freebsd-ports/blob/main/x11/mate-screensaver/files/patch-src_gs-auth-helper.c

Is it OK to maintain a modified copy of mate-screensaver (with reverted helper patch) in FreeBSD? It shouldn't be hard to upgrade the Marcus's helper to helper/helper_proto.c — I'll take a look on it tomorrow. Or, it's also possible to make the default helper (under helper/) work on FreeBSD, I think.

wolneykien commented 2 years ago

Here is the modified version of your helper: https://github.com/wolneykien/bsd-pam-helper I've tested it (on Linux, though) and it works.

wolneykien commented 2 years ago

Also, I would be glad to fix compilation of the builtin helper/ on FreeBSD. What exact distribution do you use?

wolneykien commented 2 years ago

i.e. place --enable-authentication-scheme=helper after --with-passwd-helper=.... I hope that in that case BUILTIN_HELPER would not be defined by configure and it skips compilation of all under helper/.

It does the same behavior then sh autogen.sh --with-console-kit=yes --with-systemd=no --enable-authentication-scheme=helper --with-passwd-helper=/usr/local/bin/pam_helper.

Then, it's a possible bug in configure.ac. I'll try to fix that.

Here is the fix: https://github.com/wolneykien/mate-screensaver/commit/5800e2cbee435e87f9f1f85f373b3cb00ed43fb2 With that patch mate-screensaver should build fine with --enable-authentication-scheme=helper --with-passwd-helper=/usr/local/bin/pam_helper options (in any order) without the need to revert the main helper/ patch. The updated version of pam_helepr.c (see above) should be used with it.

ericbsd commented 2 years ago

Here is the modified version of your helper: https://github.com/wolneykien/bsd-pam-helper I've tested it (on Linux, though) and it works.

I will test that as soon as possible.

ericbsd commented 2 years ago

Also, I would be glad to fix compilation of the builtin helper/ on FreeBSD. What exact distribution do you use?

I am the founder of the GhostBSD project so I run exclusively GhostBSD, it is basically FreeBSD with MATE. I am also a FreeBSD ports committer. I try to maintain MATE packages for FreeBSD and GhostBSD. You can see GhostBSD.org

ericbsd commented 2 years ago

i.e. place --enable-authentication-scheme=helper after --with-passwd-helper=.... I hope that in that case BUILTIN_HELPER would not be defined by configure and it skips compilation of all under helper/.

It does the same behavior then sh autogen.sh --with-console-kit=yes --with-systemd=no --enable-authentication-scheme=helper --with-passwd-helper=/usr/local/bin/pam_helper.

Then, it's a possible bug in configure.ac. I'll try to fix that.

Here is the fix: wolneykien@5800e2c With that patch mate-screensaver should build fine with --enable-authentication-scheme=helper --with-passwd-helper=/usr/local/bin/pam_helper options (in any order) without the need to revert the main helper/ patch. The updated version of pam_helepr.c (see above) should be used with it.

With the old pam_helper, it does not work so I will try your bsd-pam-helper.

ericbsd commented 2 years ago

I got some problem compiling bsd-pam-helper see https://github.com/wolneykien/bsd-pam-helper/issues/1.

ericbsd commented 2 years ago

I was able to fix the complying issues I made a PR https://github.com/wolneykien/bsd-pam-helper/pull/2. I can confirm that with your fix in wolneykien@5800e2c and bsd-pam-helper everything works perfectly.

Thanks for the help.

I will make a new patch to the port until your fix gets in MATE we get a new release of mate-screensaver.

I might have to create a new port for bsd-pam-helper unless it works fine with xfce screensaver.

ericbsd commented 2 years ago

I created mate-pam-helper under GhostBSD GitHub project with wolneykien/bsd-pam-helper code and some patches of mine. It is working. The reason I did that is that pam_helper is used for XFCE too and the new one is not working for XFCE. Until I figure out why I will have to have the file called mate_pam_helper.

wolneykien commented 2 years ago

The new helper uses the new "prompt-reply" protocol. If BSD will continue to use suid helpers for PAM (in Linux we now have the alternative solution based on special user group and setgid for the dialog program), then it's reasonable to patch xfce-screensaver too, make it support the same "prompt-reply" protocol.