Allow a distinct pam config file for greeter and for lock-screen

Bug #1305440 reported by Franck
This bug affects 3 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Unity | Fix Released | Medium | Andrea Azzarone | |
| 7.2 | Fix Released | Medium | Andrea Azzarone | |
| unity (Ubuntu) | Fix Released | Undecided | Andrea Azzarone | |
| Trusty | Fix Released | Undecided | Unassigned | |
| unity-greeter (Ubuntu) | Invalid | Undecided | Unassigned | |
| Trusty | Invalid | Undecided | Unassigned | |

Bug Description

[Impact]

It might be desirable to have a distinct pam config file when logging in and when unlocking the screen. Specifically, using a fingerprint reader is fine for sudo or for unlocking, but you want to use your password when logging in, to provide a secret and be able to unlock the gnome-keyring for example.

[Test Case]

See http://askubuntu.com/questions/445131/how-do-i-enable-a-specific-pam-config-in-the-lockscreen

So this feature request is about allowing for an (optional) pam config file for the lock-screen, distinct from the /etc/pam.d/lightdm currently used and shared with the greeter.

[Regression Potential]

An additional configuration point could allow a system to be misconfigured for reduced security. The default configuration is to use the same PAM stack as the LightDM login process so no new regression is introduced without user modification.

[Other Info]

The Ubuntu 14.04 LTS SRU patch was cherry-picked from Ubuntu 14.10 where it has been in production use for a few months and appears stable.
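
As an added example (not part of the bug report and not Unity's code), this sketch shows one way to review the risk named under [Regression Potential]: it lists auth modules that can succeed on their own in a lock-screen PAM file but do not appear in the greeter's file. The function names and both sample stacks are constructed for illustration; `@include` lines are not followed and jump-style controls such as `success=N` are not evaluated.

```cpp
#include <algorithm>
#include <sstream>
#include <string>
#include <vector>

// Constructed samples, not taken from any real system.
const std::string kGreeterSample = "auth required pam_unix.so\n";
const std::string kLockscreenSample =
    "# fingerprint first, password as fallback\n"
    "auth sufficient pam_fprintd.so\n"
    "auth required pam_unix.so\n";

struct PamRule { std::string control, module; };

// Parse the "auth" rules of one PAM service file, given as text.
std::vector<PamRule> ParseAuthRules(const std::string& text) {
  std::vector<PamRule> rules;
  std::istringstream in(text);
  std::string line;
  while (std::getline(in, line)) {
    line = line.substr(0, line.find('#'));         // strip comments
    std::istringstream fields(line);
    std::string type, tok;
    PamRule r;
    if (!(fields >> type >> r.control)) continue;  // blank or short line
    if (type[0] == '-') type.erase(0, 1);  // "-auth": quiet if module is missing
    if (type != "auth") continue;          // also skips @include lines
    // A bracketed control such as [success=done default=ignore] spans tokens.
    while (r.control[0] == '[' && r.control.back() != ']' && fields >> tok)
      r.control += " " + tok;
    if (fields >> r.module) rules.push_back(r);
  }
  return rules;
}

// True when this rule's success ends the stack (provided no earlier
// required module failed), so later modules are never consulted.
bool ShortCircuits(const PamRule& r) {
  return r.control == "sufficient" ||
         r.control.find("success=done") != std::string::npos;
}

// Short-circuiting lock-screen modules absent from the greeter's auth stack.
std::vector<std::string> LockscreenOnlyShortcuts(const std::string& lockscreen,
                                                 const std::string& greeter) {
  std::vector<PamRule> g = ParseAuthRules(greeter);
  std::vector<std::string> out;
  for (const PamRule& r : ParseAuthRules(lockscreen)) {
    bool in_greeter = std::any_of(g.begin(), g.end(),
        [&](const PamRule& x) { return x.module == r.module; });
    if (ShortCircuits(r) && !in_greeter) out.push_back(r.module);
  }
  return out;
}
```

A non-empty result is a list of differences to review, not a verdict: a fingerprint module in the lock-screen stack is exactly the configuration this report asks for.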


Stephen M. Webb (bregma)
Changed in unity:
importance: Undecided → Medium
status: New → Triaged
Revision history for this message
Franck (alci) wrote :

As stated in the comment of the above-mentioned Askubuntu question, the code already states that Unity should use its own pam files:

  // FIXME (andy) We should install our own unityshell pam file.
  return pam_start("lightdm", username_.c_str(),
                   &conversation, &pam_handle_) == PAM_SUCCESS;

A trivial patch is to use a specific file name in this code: I used "lightdm-lockscreen", and it works just fine (tested with apt-get source unity + dpkg-buildpackage)

But this raises the question of the specs of this feature request:
- should the specific pam file for the lockscreen be mandatory, or should it fall back to the greeter pam config file?
- if it is mandatory, what should be the defaults?
- how to ensure a safe transition for existing installations?
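
One way to answer the fallback question raised above, as an added example that is not part of the original comment and not the change Unity shipped: prefer a dedicated lock-screen service only when its file is installed, otherwise keep `lightdm`. All helper names are hypothetical, and the `lightdm-lockscreen` name is the one used in the comment.

```cpp
#include <cstdio>
#include <string>
#include <sys/stat.h>

// Hypothetical helpers for illustration; none of these names come from Unity.

// Accept only plain file names, so a configured value can never point
// outside the PAM configuration directory.
bool IsSafeServiceName(const std::string& name) {
  if (name.empty() || name[0] == '.') return false;
  for (unsigned char c : name) {
    bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.';
    if (!ok) return false;
  }
  return true;
}

bool IsRegularFile(const std::string& path) {
  struct stat st;
  return stat(path.c_str(), &st) == 0 && S_ISREG(st.st_mode);
}

// Use the dedicated lock-screen service when its file is installed,
// otherwise keep the greeter's service so existing systems are unchanged.
std::string ResolveLockscreenService(const std::string& pam_dir,
                                     const std::string& preferred,
                                     const std::string& fallback) {
  if (IsSafeServiceName(preferred) &&
      IsRegularFile(pam_dir + "/" + preferred))
    return preferred;
  return fallback;
}

int main() {
  std::string service =
      ResolveLockscreenService("/etc/pam.d", "lightdm-lockscreen", "lightdm");
  // The result would replace the literal in the call quoted above:
  //   pam_start(service.c_str(), username_.c_str(), &conversation, &pam_handle_)
  std::printf("lock screen PAM service: %s\n", service.c_str());
  return 0;
}
```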

Revision history for this message
Franck (alci) wrote :

Trivial patch, probably more like a proof of concept, but works.

Revision history for this message
Gunnar Degnbol (gdegnbol) wrote :

I had the same problem with pam_blue Bluetooth authentication (homepage: https://bugs.launchpad.net/ubuntu/+source/libpam-blue/+bug/912695).

It works for me now, except I would like it to only work when the computer wakes from sleep. If I explicitly lock the screen, it unlocks immediately because my phone is nearby, but I have not found a way to tell the two situations apart.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

affects: unity-greeter → unity-greeter (Ubuntu)
Changed in unity-greeter (Ubuntu):
status: New → Confirmed
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Patch to change pam config file from lightdm to lightdm-lockscreen" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Andrea Azzarone (azzar1)
Changed in unity:
assignee: nobody → Andrea Azzarone (andyrock)
Changed in unity-greeter (Ubuntu):
assignee: nobody → Andrea Azzarone (andyrock)
status: New → Invalid
Changed in unity (Ubuntu):
status: New → Confirmed
Changed in unity:
status: Triaged → In Progress
Changed in unity (Ubuntu):
status: Confirmed → In Progress
Andrea Azzarone (azzar1)
tags: added: lockscreen
Andrea Azzarone (azzar1)
Changed in unity:
milestone: none → 7.2.1
no longer affects: unity/7.3
Changed in unity:
milestone: 7.2.1 → 7.3.0
Changed in unity-greeter (Ubuntu):
assignee: Andrea Azzarone (andyrock) → nobody
Changed in unity (Ubuntu):
assignee: nobody → Andrea Azzarone (andyrock)
Stephen M. Webb (bregma)
Changed in unity:
milestone: 7.3.0 → 7.3.1
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity - 7.3.1+14.10.20140811-0ubuntu1

---------------
unity (7.3.1+14.10.20140811-0ubuntu1) utopic; urgency=medium

  [ Michal Hruby ]
  * Split out dconf schemas into separate package

  [ Brandon Schaefer ]
  * Make sure we check if the Quicklist or Alt+F1 key nav is open (so we
    can close them) Bore checking if something as a WM grab. As we cant
    open the hud is in Quicklist or KeyNav anymore. (LP: #1353167)

  [ Stephen M. Webb ]
  * Changed log message on failure to open xpathselect library from an
    error to a warning. The xpathselect library is used for
    introspection during automated test runs. It is not an error for
    this library to be unavailable in normal successful operating
    conditions. (LP: #1345296)

  [ Andrea Azzarone ]
  * Add an arrow activator in the lockscreen. (LP: #1332509)
  * Allow a distinct pam config file for greeter and for lock-screen.
    (LP: #1305440)

  [ Marco Trevisan (Treviño) ]
  * Autopilot, Switcher: use correct right/left scroll buttons for
    next/prev mouse selection (LP: #1353383)
  * UScreen, PanelService: get monitor at position, ignoring pre-
    multipled Gdk scale factor Get monitor position based on absolute
    coordinates, ignoring the pre-multipled scaling factor that Gdk
    applies to all the monitor sizes. In this way we get the proper
    monitor index for absolute coordinates, independently from the
    scaling factor. (LP: #1351591)
  * ApplicationLauncherIcon: make sure we close the dash if DnD is
    accepted And we're about to focus the application window(s) (LP:
    #1350331)
 -- Ubuntu daily release <email address hidden> Mon, 11 Aug 2014 12:31:11 +0000

Changed in unity (Ubuntu):
status: In Progress → Fix Released
Changed in unity:
status: In Progress → Fix Committed
Revision history for this message
Stephen M. Webb (bregma) wrote :

Attached debdiff between trusty-updates and SRU.

description: updated
Revision history for this message
Chris J Arges (arges) wrote : Please test proposed package

Hello Franck, or anyone else affected,

Accepted unity into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/unity/7.2.4+14.04.20141217-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in unity (Ubuntu Trusty):
status: New → Fix Committed
tags: added: verification-needed
tags: added: verification-done
Mathew Hodson (mhodson)
tags: removed: verification-needed
Changed in unity-greeter (Ubuntu Trusty):
status: New → Invalid
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity - 7.2.4+14.04.20141217-0ubuntu1

---------------
unity (7.2.4+14.04.20141217-0ubuntu1) trusty; urgency=medium

  [ Andrea Azzarone ]
  * Share lockscreen password between screens (lp: #1308540)
  * Allow a distinct pam config file for greeter and for lock-screen.
    (lp: #1305440)
  * Add an arrow activator in the lockscreen. (lp: #1332509)
  * Make sure GetScreenGeometry returns the correct value (lp: #1374785).
  * unmapped all windows prior to shutdown (lp: #1370017) (lp: #1375271)

  [ Brandon Schaefer ]
  * fix tooltip for the "Show Desktop / Restore Windows" icon in the Alt-Tab
    switcher (lp: #1237132)
  * Use CONFIG instead of CACHE to store the first_run.stamp (lp: #1328677)

  [ Eleni Maria Stea ]
  * LayoutSystem: make sure the exposed open windows are displayed in the
    preserved order (lp: #1349281).

  [ handsome_feng ]
  * added support for getting the distro name from /etc/os-release
    (lp: #1329584)

  [ Iain Lane ]
  * When grabbing keys, try prefixing "XF86" if the key isn't found. GNOME
    gives us unprefixed keys sometimes (lp: #1302885).

  [ Marco Trevisan (Treviño) ]
  * make the Launcher icon count badge width depend on the text value width
    and scaling (lp: #1353070) (lp: #1354498) (lp: #796527) (lp: #1066971)
    (lp: #1361713)
  * DecoratedWindow: make edges independent from borders and properly update
    them on actions change (lp: #1276177), (lp: #1299741), (lp: #1301776),
    (lp: #1324104), (lp: #1364225), (lp: #1373695)
  * Lockscreen: scale the UI elements based on current monitor scaling
    (lp: #1292218)
  * UnityScreen: when filtering out windows in spread, make sure we unscale
    them (lp: #1316265).
  * PanelMenuView: ensure that proper window tiles and buttons are shown at
    the right place (lp: #1384910) (lp: #1384958) (lp: #1385285)
  * SearchBar, ActionButtons, IconRenderer: include the font scaling when
    scaling textual items (lp: #1332947) (lp: #1361751) (lp: #1362162)
    (lp: #1362346).
  * ApplicationLauncherIcon: make sure we close the dash if DnD is accepted
    and the application window is about to be focused (lp: #1350331).
  * SwitcherView: set progress on icon render args (lp: #1361679).
  * LockScreenController: wait for the primary shield to get the grab
    before setting the session locked (lp: #1368427) (lp: #1371764).
  * added decorations to windows in non-focused workspaces (lp: #1383468)

  [ Stephen M. Webb ]
  * updated the unity(1) manpage to match the actual command (lp: #1059275)
  * bumped package version to match upstream

  [ Marco Trevisan (Treviño) ]
  * Preparing for unity 7.2.4
 -- Ubuntu daily release <email address hidden> Wed, 17 Dec 2014 20:52:10 +0000

Changed in unity (Ubuntu Trusty):
status: Fix Committed → Fix Released
Revision history for this message
Chris J Arges (arges) wrote : Update Released

The verification of the Stable Release Update for unity has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Stephen M. Webb (bregma)
Changed in unity:
status: Fix Committed → Fix Released