i3 lock screen accepts any password #2734

Open
andrewdavidwong opened this Issue Mar 30, 2017 · 2 comments

Member

andrewdavidwong commented Mar 30, 2017

On 2017-03-30 04:06, tom.b wrote:

Both the xscreensaver and the i3lock accept any password.
I have not manually changed the files in /etc/pam.d/ but note some have
the "nullok" option.

I've run tail -f against /var/log/* and /var/log// but no changes
occur after locking and unlocking the screen.

Expected behaviour: the user login password should be required before
the screen unlocks.

(this install was upgraded to 3.2 from 3.1 which was upgraded from 3.0).

window manager = i3

Member

andrewdavidwong commented Mar 30, 2017

Can any other i3 users reproduce this?

Contributor

jpouellet commented Mar 31, 2017

Unable to reproduce with i3lock-2.7-1 on R3.2 (not upgraded from previous).

During lock & unlock using i3lock:

```
[user@dom0 ~]$ journalctl -xf
Mar 31 12:15:03 dom0 audit[23703]: USER_AUTH pid=23703 uid=1000 auid=1000 ses=1 msg='op=PAM:unix_chkpwd acct="user" exe="/usr/sbin/unix_chkpwd" hostname=? addr=? terminal=? res=success'
Mar 31 12:15:03 dom0 kernel: audit: type=1100 audit(1490976903.018:1564): pid=23703 uid=1000 auid=1000 ses=1 msg='op=PAM:unix_chkpwd acct="user" exe="/usr/sbin/unix_chkpwd" hostname=? addr=? terminal=? res=success'
[user@dom0 ~]$ grep -r nullok /etc/pam.d
/etc/pam.d/password-auth-ac:auth        sufficient    pam_unix.so nullok try_first_pass
/etc/pam.d/password-auth-ac:password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
/etc/pam.d/system-auth-ac:auth        sufficient    pam_unix.so nullok try_first_pass
/etc/pam.d/system-auth-ac:password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
/etc/pam.d/xscreensaver:# auth     required       pam_unix2.so	nullok
/etc/pam.d/xscreensaver:# auth       required	/lib/security/pam_pwdb.so shadow nullok
```
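
Added example (not part of the thread, and not Qubes or i3lock code): one way to check whether the `nullok` entries discussed above matter on a given system. With `pam_unix`, `nullok` only changes behaviour for accounts whose password field in `/etc/shadow` is empty, so the script pairs active `auth` rules carrying `nullok` with such accounts and also pulls the result out of `USER_AUTH` audit records; the PAM, shadow and journal text below is constructed, and all function names are hypothetical.

```python
import re

# Constructed sample in the shape of the `grep -r nullok /etc/pam.d` output in the thread.
PAM_GREP = (
    "/etc/pam.d/system-auth-ac:auth        sufficient    pam_unix.so nullok try_first_pass\n"
    "/etc/pam.d/system-auth-ac:password    sufficient    pam_unix.so sha512 shadow nullok\n"
    "/etc/pam.d/xscreensaver:# auth     required       pam_unix2.so\tnullok\n"
)
# Constructed /etc/shadow content (hypothetical accounts; the hash is a placeholder).
SHADOW = (
    "root:!!:17250:0:99999:7:::\n"
    "user::17250:0:99999:7:::\n"
    "alice:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:17250:0:99999:7:::\n"
)
# Constructed audit record modelled on the journalctl output in the thread.
JOURNAL = (
    "Mar 31 12:15:03 dom0 audit[23703]: USER_AUTH pid=23703 uid=1000 "
    "msg='op=PAM:unix_chkpwd acct=\"user\" exe=\"/usr/sbin/unix_chkpwd\" res=success'\n"
)
# PAM rule: type, control (plain word or [bracketed list]), module, arguments.
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
AUDIT = re.compile(r"USER_AUTH .*op=PAM:(\S+) acct=\"([^\"]+)\".* res=(\w+)")

def active_nullok_auth(grep_output):
    """Return (file, module) for uncommented `auth` rules that carry nullok."""
    hits = []
    for line in grep_output.splitlines():
        path, _, rule = line.partition(":")
        m = RULE.match(rule.strip())  # "# auth ..." comments never match
        if m and m.group(1).lstrip("-") == "auth" and "nullok" in m.group(4).split():
            hits.append((path, m.group(3)))
    return hits

def empty_password_accounts(shadow_text):
    """Return account names whose shadow password field is empty."""
    rows = (l.split(":") for l in shadow_text.splitlines())
    return [p[0] for p in rows if len(p) > 1 and p[1] == ""]

def pam_auth_events(journal_text):
    """Return (pam_op, account, result) for each USER_AUTH audit record."""
    return [m.groups() for m in map(AUDIT.search, journal_text.splitlines()) if m]

def nullok_exposure(grep_output, shadow_text):
    """nullok is relevant only with an active auth rule AND an empty-password account."""
    rules = active_nullok_auth(grep_output)
    accounts = empty_password_accounts(shadow_text)
    return {"rules": rules, "accounts": accounts, "exposed": bool(rules and accounts)}

if __name__ == "__main__":
    print(nullok_exposure(PAM_GREP, SHADOW))
    print(pam_auth_events(JOURNAL))
```

On a real system the inputs would be the output of `grep -r nullok /etc/pam.d` and the contents of `/etc/shadow`, which requires root to read.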