Bug 606845 - attempts to authenticate on cancel or dialog timeout
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: gnome-screensaver
Version: 5.7
Hardware: All Linux
Priority: urgent, Severity: high
: rc
Assigned To: Ray Strode [halfline]
Desktop QE
: ZStream
Depends On:
Blocks: 807971 644823
Reported: 2010-06-22 11:38 EDT by Jeremy West
Modified: 2016-04-26 12:03 EDT

See Also:
Fixed In Version: 2.16.1-9.el5
Doc Type: Bug Fix
Doc Text:
When unlocking the screen, clicking the "Cancel" button may have caused the following message to appear in the /var/log/secure log:

  gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): auth could not identify password for [user]

This was due to the authentication dialog attempting to log in, even though no such action was requested. With this update, this error has been fixed, and clicking "Cancel" no longer attempts to authenticate a user.
Last Closed: 2012-05-03 12:55:17 EDT


Attachments
Proposed patch (2.71 KB, patch)
2010-07-20 04:18 EDT, Olivier Fourdan
proof of concept patch (3.11 KB, patch)
2010-08-25 17:44 EDT, jmccann
Description Jeremy West 2010-06-22 11:38:56 EDT
Description of problem:
gnome-screensaver will attempt to authenticate even if the user hits cancel. For clients using login restrictions this causes problems such as account lockout.

Version-Release number of selected component (if applicable):
2.16.x

How reproducible:
100%

Steps to Reproduce:
1. Lock with gnome-screensaver
2. Move mouse to bring up unlock dialog
3. Hit cancel

rinse & repeat
  
Actual results:
/var/log/secure shows
gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): auth could not identify password for [tom]

Expected results:
Authentication should not happen if user hits cancel.

Additional info:
Comment 4 Olivier Fourdan 2010-07-20 04:18:36 EDT
Created attachment 433096
Proposed patch

I believe the issue is a race condition when the gnome-screensaver-dialog terminates without a password being provided.

The issue is fairly random, but further testing shows that gnome-screensaver-2.16 as well as gnome-screensaver-2.18 have that problem while gnome-screensaver-2.20 does not.

A bit of bisection gave the following patch, which has been tested locally (by checking for an authentication error in /var/log/secure when cancel is pressed in the dialog).

A test package containing this patch has been passed to our customer who confirmed that the patch works in their environment as well.
Comment 7 Ray Strode [halfline] 2010-08-24 21:48:47 EDT
Jon and I have been looking into this bug recently.

It doesn't appear that attachment 433096 is right. We already send a SIGTERM (via the raise() syscall) when the user clicks cancel.

gnome-screensaver has two different threads. One thread is the main gui thread and the other thread is a helper thread for processing the blocking pam conversation.

The current theory is that the raise(SIGTERM) is essentially randomly going to one of the threads. One time it may go to the main thread, another time it may go to the helper thread.

If it goes to the helper thread then everything will die right away leaving no failed entry in syslog.

If it goes to the main thread then the helper thread will get EINTR and that failure will cause the entry to be posted.

This is just a summary of the current findings; we're still actively looking for the "right" fix for this problem.
Comment 8 jmccann 2010-08-25 17:44:09 EDT
Created attachment 441059
proof of concept patch

Can you try this patch out and see if it solves your problem?  Thanks.
Comment 16 Jaromir Hradilek 2010-11-04 10:22:25 EDT
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
When unlocking the screen, clicking the "Cancel" button may have caused the following message to appear in the /var/log/secure log:

  gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): auth could not identify password for [user]

This was due to the authentication dialog attempting to log in, even though no such action was requested. With this update, this error has been fixed, and clicking "Cancel" no longer attempts to authenticate a user.
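
The check described in comment 4 (looking in /var/log/secure after pressing Cancel), as an added example that is not part of the original bug report or of gnome-screensaver: a small parser that separates the no-password entries quoted in this bug from rejected-password entries written by the unlock dialog. The sample lines, the `authentication failure` layout matched here, and the threshold of 3 are assumptions for illustration.

```python
import re
from collections import defaultdict

# Entries written by pam_unix on behalf of the unlock dialog (optional [pid]).
PREFIX = r"gnome-screensaver-dialog(?:\[\d+\])?: pam_unix\(gnome-screensaver:auth\): "
# Signature quoted in this bug: the PAM stack ran but no password was supplied.
NO_PASSWORD = re.compile(PREFIX + r"auth could not identify password for \[(?P<user>[^\]]+)\]")
# A password was supplied and rejected; \b keeps "ruser=" from matching.
BAD_PASSWORD = re.compile(PREFIX + r"authentication failure;.*\buser=(?P<user>\S+)")


def tally(lines):
    """Count, per user, no-password entries vs. rejected-password entries."""
    counts = defaultdict(lambda: {"no_password": 0, "bad_password": 0})
    for line in lines:
        for kind, pattern in (("no_password", NO_PASSWORD), ("bad_password", BAD_PASSWORD)):
            m = pattern.search(line)
            if m:
                counts[m.group("user")][kind] += 1
                break
    return dict(counts)


def suspect_users(counts, threshold=3):
    """Users whose no-password entries alone reach the assumed lockout threshold."""
    return sorted(u for u, c in counts.items() if c["no_password"] >= threshold)


# Constructed sample in /var/log/secure layout; host, times, uids and users are made up.
SAMPLE = [
    "Jun 22 11:40:01 ws01 gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): auth could not identify password for [tom]",
    "Jun 22 11:41:12 ws01 gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): auth could not identify password for [tom]",
    "Jun 22 11:42:30 ws01 gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=500 euid=500 tty=:0.0 ruser= rhost=  user=tom",
    "Jun 22 11:43:05 ws01 gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): auth could not identify password for [tom]",
    "Jun 22 11:44:19 ws01 gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=501 euid=501 tty=:0.0 ruser= rhost=  user=ann",
    "Jun 22 11:45:00 ws01 sshd[2211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=tom",
]

if __name__ == "__main__":
    result = tally(SAMPLE)
    for user, c in sorted(result.items()):
        print(user, c)
    print("no-password entries at or above threshold:", suspect_users(result))
```

On a host running the fixed package, pressing Cancel and re-running `tally` over the log should leave the `no_password` count unchanged.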
