i3lock needs its own /etc/pam.d/i3lock - fix or note this in readme #260

Closed
i3bot opened this issue Sep 5, 2010 · 6 comments

@i3bot

i3bot commented Sep 5, 2010

[Originally reported by Семён Марьясин <marsoft@…>]
I have just compiled i3lock. It refuses to accept my password, as if I entered it incorrectly.

$ strace -f ./i3lock |& grep pam
open("/lib/libpam.so.0", O_RDONLY)      = 3
stat64("/etc/pam.d", {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0
open("/etc/pam.d/i3lock", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/etc/pam.d/other", O_RDONLY|O_LARGEFILE) = 3
read(3, "auth       required\tpam_deny.so\n"..., 1024) = 128
open("/lib/security/pam_deny.so", O_RDONLY) = 4

My /etc/pam.d/other:

auth       required pam_deny.so
account    required pam_deny.so
password   required pam_deny.so
session    required pam_deny.so

Now I made /etc/pam.d/i3lock with the following contents:

auth include system-auth

(as in /etc/pam.d/xscreensaver). And it works fine.

BTW, alock rev94 uses /etc/pam.d/login, not /etc/pam.d/alock.

So please either make i3lock not require /etc/pam.d/i3lock or mention this requirement in the README.

@stapelberg
Member

Thing is, on Debian (for example) you do not need to create your own /etc/pam.d/i3lock file. I don't know where the difference between the configuration on Debian and your distro is.

Can anyone enlighten me on this one?

@i3bot
Author

i3bot commented Sep 5, 2010

[Original comment by Семён Марьясин <marsoft@…>]

What is in Debian's /etc/pam.d/other?
Because in Gentoo it denies any authentication by default.

@stapelberg
Member

In Debian, it is used as a fallback (like the name suggests):

#
# /etc/pam.d/other - specify the PAM fallback behaviour
#
# Note that this file is used for any unspecified service; for example
#if /etc/pam.d/cron  specifies no session modules but cron calls
#pam_open_session, the session module out of /etc/pam.d/other is
#used.  If you really want nothing to happen then use pam_permit.so or
#pam_deny.so as appropriate.

# We fall back to the system default in /etc/pam.d/common-*
#

@…
@…
@…
@…

I’m not sure what’s the upstream way of doing this.

@i3bot
Author

i3bot commented Sep 5, 2010

[Original comment by Семён Марьясин <marsoft@…>]

Yes. So in Debian the default is to use common-auth etc., and in Gentoo the default is to deny anything.
So in Debian the system tries to find a rule for i3lock, fails and uses the default (which is to use common-auth). And in Gentoo it does the same, but here the default is to deny any authentication.

As I said before, alock (http://code.google.com/p/alock/) in PAM mode explicitly uses /etc/pam.d/login, which works fine on Gentoo (and, I think, on most other distros too). Although its behaviour is less flexible (one cannot use a custom authentication scheme with it).

So I think the best way is to supply the pam module /etc/pam.d/i3lock with i3lock.
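
The fallback behaviour discussed in this thread, as an added example that is not part of the original issue or of i3lock: it resolves which PAM file answers for a service and flags an auth stack that can only deny. The file contents are constructed samples, the function names are hypothetical, and `always_denies` is a simplifying heuristic, not libpam's own evaluation.

```python
import tempfile
from pathlib import Path

def parse_auth(pam_dir, name, depth=0):
    """Flatten the auth lines of one file into (control, module) pairs."""
    path = Path(pam_dir) / name
    if depth > 8 or not path.is_file():
        return []
    stack = []
    for raw in path.read_text().splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) == 2 and f[0] == "@include":            # Debian-style include
            stack += parse_auth(pam_dir, f[1], depth + 1)
        elif len(f) >= 3 and f[0].lstrip("-") == "auth":
            ctl, rest = f[1], f[2:]
            while ctl.startswith("[") and not ctl.endswith("]") and rest:
                ctl, rest = ctl + " " + rest[0], rest[1:]  # rejoin [a=b c=d]
            if ctl in ("include", "substack"):
                stack += parse_auth(pam_dir, rest[0], depth + 1)
            elif rest:
                stack.append((ctl, Path(rest[0]).name))
    return stack

def auth_stack(pam_dir, service):
    """Return (file used, stack); no auth rules for the service means 'other'."""
    stack = parse_auth(pam_dir, service)
    return (service, stack) if stack else ("other", parse_auth(pam_dir, "other"))

def always_denies(stack):
    """Heuristic: pam_deny.so is hit before anything could end the stack early."""
    for ctl, module in stack:
        if ctl == "sufficient" or ctl.startswith("["):
            return False
        if module == "pam_deny.so" and ctl in ("required", "requisite"):
            return True
    return False

def check(files, service="i3lock"):
    with tempfile.TemporaryDirectory() as d:
        for name, text in files.items():
            (Path(d) / name).write_text(text)
        source, stack = auth_stack(d, service)
        return source, always_denies(stack)

# Constructed sample layouts (assumptions, not copied from a real system).
DENY_OTHER = {"other": "auth required pam_deny.so\n", "system-auth": "auth required pam_unix.so\n"}
INCLUDE_OTHER = {"other": "@include common-auth\n", "common-auth": "auth required pam_unix.so\n"}
FIXED = dict(DENY_OTHER, i3lock="auth include system-auth\n")
if __name__ == "__main__":
    print([check(f) for f in (DENY_OTHER, INCLUDE_OTHER, FIXED)])
```

A result of `("other", True)` for a screen locker means no password can ever unlock the session until the service gets its own file.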

@stapelberg
Member

In revision fc6b72e, I added i3lock.pam which will be installed as /etc/pam.d/i3lock and just contains @….

Can you please check if that works for you correctly?

@stapelberg
Member

Due to no response, I’ll just close this one as fixed. Reopen if you still have problems.

This issue was closed.