Bug 458540

Summary: Keyboard layout indicator is missing with certain distro setups
Product: [Plasma] plasmashell
Component: Screen locking
Reporter: Oleg Solovyov <mcpain>
Assignee: Plasma Bugs List <plasma-bugs-null>
Status: CONFIRMED
Severity: normal
Priority: NOR
CC: bshah, kde, nate, vlad.zahorodnii, zerg
Keywords: regression
Version First Reported In: 5.25.4
Target Milestone: 1.0
Platform: Other
OS: Linux
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Description Oleg Solovyov 2022-08-31 10:32:00 UTC
After locking screen, keyboard layout indicator is not shown.

Bisecting blames 
1189112 Port away from KWayland::Server
Comment 1 Nate Graham 2022-08-31 20:18:00 UTC
Works for me with current git master, as long as I have configured more than one keyboard layout. With only one layout, it's hidden as expected.

What repo is that commit in?
Comment 2 Oleg Solovyov 2022-09-01 06:55:14 UTC
(In reply to Nate Graham from comment #1)
> Works for me with current git master, as long as I have configured more than
> one keyboard layout. With only one layout, it's hidden as expected.
> 
> What repo is that commit in?

kscreenlocker
Comment 3 Oleg Solovyov 2022-09-01 07:12:03 UTC
Additional info:
```
# l /usr/libexec/kf5/kscreenlocker_greet
-rwx--s--x 1 root chkpwd 158056 авг 31 18:01 /usr/libexec/kf5/kscreenlocker_greet
```

Our distro uses tcb, with users having their own /etc/tcb/<user>/shadow.

As a consequence, the password checker has to be in the chkpwd group with the sgid bit set.
Before throwing out kcheckpass, it worked.
After that, kscreenlocker_greet should have sgid to successfully unlock the session, but it breaks showing keyboard layouts.
Comment 4 Nate Graham 2022-09-01 14:23:37 UTC
Thanks for the info. Vlad, could you take a look?
Comment 5 Oleg Solovyov 2022-09-07 09:21:23 UTC
(In reply to Nate Graham from comment #4)
> Thanks for the info. Vlad, could you take a look?

I don't think it's an upstream problem, but I would still appreciate any help with restoring kcheckpass in any way.
Otherwise, moving from Plasma 5.24 to 5.25 would be blocked in our stable products.

Just restoring files from 5.24.6 works, but it's not fine: the authenticator interface has changed since then and plasma-workspace needs patching as well.
Comment 6 David Edmundson 2022-09-07 15:17:34 UTC
>Our distro uses tcb, with users having their own /etc/tcb/<user>/shadow.
>As a consequence, the password checker has to be in the chkpwd group with the sgid bit set.

Are you sure? 

Looking at TCB code (support.c) it has an explicit path for when we're not running as root.

```
		if (uid == geteuid() && uid == pw->pw_uid && uid != 0) {
			/* We are not root perhaps this is the reason? */
			D(("running helper binary"));
			retval = unix_run_helper_binary(user, pass);
```

Which from the make file seems to invoke $(LIBEXECDIR)/chkpwd/tcb_chkpwd

That matches 1:1 how pam_unix works in this situation and why I ported away from kcheckpass as a helper binary, as good pam modules provide their own helper binary implementation anyway and we were just duplicating that.

If this is not working correctly that would lean towards a TCB bug or a setup issue.
I can provide a simpler pam test case that runs as a regular user if that's useful in diagnosing the issue.
Comment 7 Oleg Solovyov 2022-09-07 15:55:41 UTC
(In reply to David Edmundson from comment #6)
> >Our distro uses tcb, with users having their own /etc/tcb/<user>/shadow.
> >As a consequence, the password checker has to be in the chkpwd group with the sgid bit set.
> 
> Are you sure? 
> 
> Looking at TCB code (support.c) it has an explicit path for when we're not
> running as root.
> 
> ```
> 		if (uid == geteuid() && uid == pw->pw_uid && uid != 0) {
> 			/* We are not root perhaps this is the reason? */
> 			D(("running helper binary"));
> 			retval = unix_run_helper_binary(user, pass);
> ```
> 
> Which from the make file seems to invoke $(LIBEXECDIR)/chkpwd/tcb_chkpwd
> 

Yes. Can't prove why but I tested with sgid bit removed and I can't unlock my session.
That's why kcheckpass had attrs:
```
-rwx--s--x 1 root chkpwd [...] /usr/libexec/kf5/kcheckpass
```

Now same attrs should be on kscreenlocker_greet:
```
-rwx--s--x 1 root chkpwd 149864 авг 26 17:18 /usr/libexec/kf5/kscreenlocker_greet
```

I don't think it's a good idea to give sgid to the whole greeter instead of kcheckpass which is small and written w/o Qt

Also:
```
#l /usr/lib/chkpwd/
итого 16
drwxr-xr-x 1 root root   20362 сен  5 10:39 ../
drwx--x--- 1 root chkpwd    20 фев 17  2022 ./
-rwx--s--x 2 root shadow 14528 авг 24  2021 tcb_chkpwd
```
Comment 8 David Edmundson 2022-09-07 17:03:42 UTC
>I don't think it's a good idea to give sgid to the whole greeter

Me neither.  I don't want anyone doing that.

With pam_unix we definitely don't need to, the code for tcb heavily heavily implies we don't need to. 
Clearly something is wrong there that needs fixing. Either tcb has a bug or there's some extra setup step that's not clear.

Let's disable that bit again, get some debug from the tcb pam backend and go from there.
Comment 9 Oleg Solovyov 2022-09-08 07:19:36 UTC
(In reply to David Edmundson from comment #8)
> >I don't think it's a good idea to give sgid to the whole greeter
> 
> Me neither.  I don't want anyone doing that.
> 
> Let's disable that bit again, get some debug from the tcb pam backend and go
> from there.

```
$ /usr/lib/chkpwd/tcb_chkpwd
bash: /usr/lib/chkpwd/tcb_chkpwd: Отказано в доступе
```
We simply get EACCES when invoking the helper without proper permissions.

```
# chmod o+x /usr/lib/chkpwd/
# chmod g-s /usr/libexec/kf5/kscreenlocker_greet
$ /usr/lib/chkpwd/tcb_chkpwd
$ 
```

/usr/lib/chkpwd/ does not have the o+x bit:
```
# l -d /usr/lib/chkpwd/
drwx--x--- 1 root chkpwd 20 фев 17  2022 /usr/lib/chkpwd/
```

It prevents /usr/lib/chkpwd/* from executing even if they have o+x bits.
And it seems to be intentional.

tcb/progs/Makefile:
```
install: install-common
        install -d -o root -g chkpwd -m 710 $(DESTDIR)$(LIBEXECDIR)/chkpwd
        install -m 2711 -o root -g shadow $(CHKPWD) \
                $(DESTDIR)$(LIBEXECDIR)/chkpwd/
```
Comment 10 Oleg Solovyov 2022-09-08 07:22:05 UTC
```
install-non-root: install-common
        install -d -m 710 $(DESTDIR)$(LIBEXECDIR)/chkpwd
        install -m 700 $(CHKPWD) $(DESTDIR)$(LIBEXECDIR)/chkpwd/
```

Same: no o+x bits
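
The permission layout found in comments 7 to 10, modelled as an added example (not part of the original thread and not tcb or KDE code): it walks the path to tcb_chkpwd for a non-root caller and reports which component returns EACCES. The numeric uid/gid values and the mode of /usr are assumptions; the other modes are the ones shown in the listings above.

```python
from dataclasses import dataclass

S_ISGID = 0o2000

# Constructed numeric ids; only the names root/chkpwd/shadow come from the thread.
USER, USERS, CHKPWD, SHADOW = 1000, 1000, 450, 451
HELPER = "/usr/lib/chkpwd/tcb_chkpwd"

@dataclass(frozen=True)
class Node:
    mode: int  # permission bits, e.g. 0o2711
    uid: int   # owning user
    gid: int   # owning group

# /usr/lib, the chkpwd directory and the helper use the modes from the
# listings in the thread; the mode of /usr is assumed to be 0755.
FS = {
    "/usr": Node(0o755, 0, 0),
    "/usr/lib": Node(0o755, 0, 0),
    "/usr/lib/chkpwd": Node(0o710, 0, CHKPWD),
    HELPER: Node(0o2711, 0, SHADOW),
}

def has_x(node, uid, egid, groups):
    """Pick owner, group or other bits; the first matching class decides."""
    if uid == node.uid:
        shift = 6
    elif node.gid == egid or node.gid in groups:
        shift = 3
    else:
        shift = 0
    return bool((node.mode >> shift) & 1)

def exec_chain(fs, path, uid, egid, groups=frozenset()):
    """Return (True, egid after exec) or (False, component that gave EACCES).

    Models a non-root caller only; root bypasses directory search checks.
    """
    cur = ""
    for part in path.strip("/").split("/"):
        cur += "/" + part
        # x means "search" on a directory and "execute" on the final file.
        if not has_x(fs[cur], uid, egid, groups):
            return False, cur
    target = fs[path]
    return True, (target.gid if target.mode & S_ISGID else egid)

if __name__ == "__main__":
    print("plain greeter:", exec_chain(FS, HELPER, USER, USERS))
    print("sgid chkpwd  :", exec_chain(FS, HELPER, USER, CHKPWD, frozenset({USERS})))
```

The plain caller is stopped at /usr/lib/chkpwd because mode 710 leaves "other" without the search bit, whatever the helper's own mode is. A caller whose effective gid is chkpwd gets through, and the helper then runs with egid shadow from its own setgid bit.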
Comment 11 Bug Janitor Service 2022-09-23 04:48:39 UTC
Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least
15 days. Please provide the requested information as soon as
possible and set the bug status as REPORTED. Due to regular bug
tracker maintenance, if the bug is still in NEEDSINFO status with
no change in 30 days the bug will be closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

If you have already provided the requested information, please
mark the bug as REPORTED so that the KDE team knows that the bug is
ready to be confirmed.

Thank you for helping us make KDE software even better for everyone!
Comment 12 Bug Janitor Service 2022-10-08 04:53:59 UTC
This bug has been in NEEDSINFO status with no change for at least
30 days. The bug is now closed as RESOLVED > WORKSFORME
due to lack of needed information.

Comment 13 Oleg Solovyov 2024-08-16 11:58:20 UTC
The situation has gotten significantly worse after moving to Plasma 6.
Comment 14 Oleg Solovyov 2024-08-16 11:59:11 UTC
(In reply to Oleg Solovyov from comment #13)
> The situation has gotten significantly worse after moving to Plasma 6.

I am still unable to restore kcheckpass without breaking anything.