
lock broken in 0.22.2
Closed, Resolved (Public)

Description

After upgrading from 0.22.1 to 0.22.2 I am unable to unlock using my password. I keep getting an "invalid password" message.
After downgrading to 0.22.1 the problem was resolved.

mbert created this task. Mar 15 2018, 6:47 AM
roman added a subscriber: roman. Mar 18 2018, 10:54 AM

I can confirm this behavior
I have the same issue. I upgraded from 22.1 + EFL 1.20.6 to E22.2 + 1.20.7.

  • Lock screen
  • type password
  • invalid password error

I tried the password in a different TTY, even with another keyboard; nothing worked.
Even tried this http://forums.bodhilinux.com/index.php?/topic/9772-enlightenment-lock-screen-password/ referring to this https://forums.freebsd.org/threads/enlightenment-screen-lock-password.38385/
which also didn't work.

Finally only reverting to 22.1 with EFL 1.20.6 helped.

I'm on Debian 9 x64

I can confirm 3c4e25360eb65d0bc9dbfbc2d697898d5b42280d is the issue. As a really hacky workaround, you can ssh in from another machine if you have one and kill the enlightenment process.

simotek added a subscriber: raster. Mar 19 2018, 8:34 PM

it's the exact same patch as in master, but it works (for me) in git master. at least on arch it does.

ok. found out why - you're missing libpam dev/devel pkgs. e's build auto-enables pam if found, otherwise disables.

note - i think the code change here is that without pam enabled auth ALWAYS FAILS. before i think it ALWAYS SUCCEEDED irrespective of passwd if u were missing pam support

so basically issue is a long standing one that pam is optional and auto-detected on linux. you can't use system passwords without pam support.

mbert added a comment. Mar 20 2018, 3:09 AM

ok. found out why - you're missing libpam dev/devel pkgs. e's build auto-enables pam if found, otherwise disables.

... i.e. de facto libpam-devel is a build dependency? Then the build should fail without.

note - i think the code change here is that without pam enabled auth ALWAYS FAILS. before i think it ALWAYS SUCCEEDED irrespective of passwd if u were missing pam support

No, I am now using 0.22.1 again, built on the same box. Lock/unlock works as expected.

have you tried it with an incorrect password?

mbert added a comment. Mar 20 2018, 3:14 AM

have you tried it with an incorrect password?

Yes, of course.

also the pam requirement has been there for basically ever (like a decade)... it never was enforced. there is no way to auth at all without pam on linux. free and open bsd had special paths with a setuid checker we had. your password you fell into the trap.

mbert added a comment. Mar 20 2018, 3:19 AM
In T6779#112121, @mbert wrote:

No, I am now using 0.22.1 again, built on the same box. Lock/unlock works as expected.

Actually, on second thought, this might not be true. I got a new box some weeks ago, that must have been after I had built 0.22.1, so you may be right here.

also the pam requirement has been there for basically ever (like a decade)... it never was enforced. there is no way to auth at all without pam on linux. free and open bsd had special paths with a setuid checker we had. your password you fell into the trap.

If this is the case, it should IMO be enforced, because something breaks without it.

in fact i reverted my changes and i get a dialog "no pam support in e"... so i cannot see how you could have built without pam support and gotten to the dialog. so it must have been compiled in.. or there seems to be a hold for freebsd i think in that dialog

If this is the case, it should IMO be enforced, because something breaks without it.

i have added an enforcement in the meson build now in git master. i also added more checks for pam

you may have used a personal password though? i have been speaking of the system/user password. personal is insecure (stored in e's config files ... if you dig you'll find it in plain text there somewhere, so it's not highly secure as your password is then written down in a file owned by you and readable etc.)

mbert added a comment. Edited Mar 20 2018, 3:34 AM

I was using my system password. Actually I've just rerun the build of 0.22.2 and went through the build log. On my box pam-devel is and was installed (and found by e's configure, and library linked). At the moment I cannot reinstall e (I may at the end of this week) to try again, but I don't really expect anything new.

Hence the problem may not yet be solved.

well i installed an ubuntu vm to test on another distro and it was a lack of libpam0g-dev and no HAVE_PAM defined as a result that was the root cause. adding the pam dev pkg fixed the issue instantly after a rebuild. so i backtracked and patched that hole in various ways.

mbert added a comment. Mar 20 2018, 3:39 AM

OK, so I'll wait for the next minor release and check again.

I have this "invalid password" behavior on Ubuntu 17.10 with libpam-0g-dev installed and using my system password. No problem logging into Enlightenment initially, but after a no-activity timeout I can not log on.

In my 22.2 config.h file:
/* PAM Authentication Support */
#define HAVE_PAM 1

Reverting to 22.1 resolved the issue. Fwiw, I am using EFL 1.20.7.

Hi,

just wanted to add:

I build the Debian packages for 0.22.2 on a system with libpam and libpam dev packages installed

libpam0g/stable,now 1.1.8-3.6 amd64  [installiert]
  Bibliothek für Pluggable Authentication Modules

libpam0g-dev/stable,now 1.1.8-3.6 amd64  [installiert]
  Entwicklungsdateien für PAM

same system where I build 0.22.1, where everything works as expected, as mbert pointed out.
The configure part containing "pam" looks like this:

checking for fnmatch... yes
checking security/pam_appl.h usability... yes
checking security/pam_appl.h presence... yes
checking for security/pam_appl.h... yes
checking CFBase.h usability... no

the target system where I checked also has libpam installed:

libpam-sss/stable 1.15.0-3 amd64
libpam-systemd/stable,now 232-25+deb9u2 amd64  [installiert]
libpam-tacplus/stable 1.3.8-2 amd64
libpam-tmpdir/stable 0.09+b2 amd64
libpam-u2f/stable 1.0.4-2 amd64
libpam-ufpidentity/stable 1.0-1 amd64
libpam-winbind/stable 2:4.5.12+dfsg-2+deb9u2 amd64
libpam-wrapper/stable 1.0.2-1 amd64
libpam-yubico/stable 2.23-1 amd64
libpam0g/stable,now 1.1.8-3.6 amd64  [installiert]
libpam0g-dev/stable 1.1.8-3.6 amd64
libpam4j-java/stable,stable 1.4-2+deb9u1 all
libpam4j-java-doc/stable,stable 1.4-2+deb9u1 all

The lock screen prefs are set to "Use System Authentication" (See attached Image no.1)

When I try to unlock with a bad password in 0.22.1 I get a "Wrong password" message as expected (see attached image no.2) and the proper password unlocks the screen as it should

So to me it seems like it works as it should in 0.22.1 and in 0.22.2 it does not.
Sorry for the long post, hope the infos help somehow.

pespin added a subscriber: pespin. Edited Mar 20 2018, 4:05 PM

I can confirm this bug appearing when updating to 0.22.2 in Archlinux today using official repository "extra". I am almost sure I updated from 0.22.1 and it was working earlier today, so indeed it seems the breakage occurred during this update (not sure if efl got updated too, I think it did).

ok. found out why - you're missing libpam dev/devel pkgs. e's build auto-enables pam if found, otherwise disables.

note - i think the code change here is that without pam enabled auth ALWAYS FAILS. before i think it ALWAYS SUCCEEDED irrespective of passwd if u were missing pam support

so basically issue is a long standing one that pam is optional and auto-detected on linux. you can't use system passwords without pam support.

I don't think this is the issue, or the main one anyway, from the build log from the machines I was having issues with.

[ 102s] checking security/pam_appl.h usability... yes
[ 102s] checking security/pam_appl.h presence... yes
[ 102s] checking for security/pam_appl.h... yes

It seems that PAM is such a fundamental part of openSUSE that it gets included in every build. The only thing I can think of is maybe you're using a pam module I don't have installed.

i set up an ubuntu vm and it works for me once libpam0g-dev was installed before a build. before that it did fail. if u move the pam header file we check for out of the way so it's not found on arch linux the same thing happens.

otherwise on both arch and on ubuntu it works. on git master and on 0.22 stable branch. i can't reproduce the issue on either OS. if pam is found and enabled. after patches in git master even without it'll not lock without being able to unlock.

if it isn't working try:

echo "mypassword" | /usr/local/lib/enlightenment/utils/enlightenment_ckpasswd

change the path to ckpasswd depending on your install. if it prints nothing then it authed your password (replace mypassword with your password). if it complains that auth failed then it didn't.

@raster it doesn't look like enlightenment_ckpasswd is built on e22 with autotools builds, autotools is still the default / main supported build system in the e22 branch.

simotek reassigned this task from zmike to raster. Mar 21 2018, 12:21 AM
simotek reopened this task as Open.

oooh it's an autotools thing. so the patch wasn't merged "properly". it didn't ensure it was built in the existing autotools build (autotools is gone in git). that can be fixed. i was using the meson build btw.
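
The checks that participants in this thread ran by hand (the `HAVE_PAM` define in config.h, the `security/pam_appl.h` line in the configure log, and whether the `enlightenment_ckpasswd` helper was installed) can be combined into one script. This is an added example, not code from the Enlightenment project or from anyone in the thread; the function names, status labels and sample files are hypothetical and constructed, and the `/* #undef HAVE_PAM */` sample assumes the form autoconf writes for an unset symbol.

```shell
#!/bin/sh
# Added example, not from the Enlightenment tree: classify a build's PAM state
# from the artefacts compared in this thread. Names and labels are hypothetical.

# enabled | disabled: is there an active "#define HAVE_PAM 1" in config.h?
have_pam_define() {
    if grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+HAVE_PAM[[:space:]]+1' "$1" 2>/dev/null
    then echo enabled; else echo disabled; fi
}

# yes | no | unknown: result of the last "checking for security/pam_appl.h..."
# line in a configure log; an optional "[ 102s] " timestamp prefix is tolerated.
pam_header_found() {
    r=$(sed -n 's|^\(\[[^]]*] \)\{0,1\}checking for security/pam_appl\.h\.\.\. \(.*\)$|\2|p' "$1" 2>/dev/null | tail -n 1)
    case "$r" in yes|no) echo "$r" ;; *) echo unknown ;; esac
}

# pam_build_status CONFIG_H [CONFIGURE_LOG] [CKPASSWD_PATH]
pam_build_status() {
    define=$(have_pam_define "$1")
    header=unknown
    if [ -n "$2" ]; then header=$(pam_header_found "$2"); fi
    if [ "$define" = disabled ]; then
        echo "no-pam"            # system-password unlock cannot authenticate
    elif [ "$header" = no ]; then
        echo "inconsistent"      # config.h and configure log disagree (stale tree?)
    elif [ -n "$3" ] && [ ! -x "$3" ]; then
        echo "helper-missing"    # HAVE_PAM set, but no executable ckpasswd helper
    else
        echo "pam-ok"
    fi
}

# Constructed sample inputs, written to a temp dir so the script runs offline.
make_samples() {
    d=$(mktemp -d)
    printf '/* PAM Authentication Support */\n#define HAVE_PAM 1\n' > "$d/with_pam.h"
    printf '/* PAM Authentication Support */\n/* #undef HAVE_PAM */\n' > "$d/without_pam.h"
    printf '[ 102s] checking security/pam_appl.h usability... yes\n[ 102s] checking for security/pam_appl.h... yes\n' > "$d/configure.log"
    echo "$d"
}

# Stand-alone use: sh pam_status.sh config.h [configure.log] [path/to/enlightenment_ckpasswd]
if [ "$#" -gt 0 ]; then pam_build_status "$@"; fi
```

The script inspects build artefacts only and never handles the password itself; a `helper-missing` result corresponds to the autotools case reported above, where `HAVE_PAM` is defined but the helper was not built.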