Bug 486294

Summary: Better PAM recommendations to distributions (no nologin).
Product: [Plasma] plasmashell
Component: Screen locking
Reporter: Gabriel Barros <descartavel1>
Assignee: Plasma Bugs List <plasma-bugs-null>
Status: RESOLVED FIXED
Severity: task
Priority: NOR
CC: arojas, fabian, nate
Version First Reported In: 6.2.4
Target Milestone: 1.0
Platform: Compiled Sources
OS: Linux

Description Gabriel Barros 2024-04-29 12:57:12 UTC
Following recommendations on https://invent.kde.org/plasma/kscreenlocker/-/merge_requests/163, my distro adopted these files[0] in place of what was being shipped before[1].

One downside of the recommendation is that *unlocking* the desktop is now prevented if there's a shutdown scheduled (or other reason to have the `nologin` file present), because of the line `auth requisite pam_nologin.so`.

It is very frustrating if you get a notification on your lock screen about the system going down in 5min and all you can do is nervously wait to lose your work.

Are there good reasons to have the auth nologin module there? Can we recommend without it? Should we have sample files in this upstream distribution and avoid the communication issues? Most packages I've seen just added the recommended text to their packaging script, and now you don't know if they are following upstream or not. Especially now that we cannot build without PAM? (https://bugs.kde.org/show_bug.cgi?id=455303)

--

[0] https://gitlab.archlinux.org/archlinux/packaging/packages/kscreenlocker/-/commit/7fd674f638497ba84e788118d3bbc524691974f0#6d3349510821738885fce1ed921375cb34e361f1

--

[1] https://wiki.archlinux.org/index.php?title=SDDM&oldid=805510#Using_a_fingerprint_reader

```
#/etc/pam.d/kde
auth 			sufficient  	pam_unix.so try_first_pass likeauth nullok
auth 			sufficient  	pam_fprintd.so
```
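
A packager can check a shipped screen-locker PAM file for the line this report describes. The following is an added example, not code from the report, KDE or any distribution: it parses pam.d rule syntax (optional `-` prefix, bracketed controls, backslash continuations, comments) and lists `auth` rules that load `pam_nologin.so`. The sample file is constructed, the function names are hypothetical, and `@include`/`include` targets are not followed.

```python
import re

# Constructed sample of a screen-locker PAM service file; only the
# "auth requisite pam_nologin.so" line is taken from the report.
SAMPLE = """\
#%PAM-1.0
auth      requisite   pam_nologin.so
-auth     sufficient  pam_fprintd.so
auth      [success=ok new_authtok_reqd=ok default=die] \\
          pam_unix.so try_first_pass nullok
# auth    requisite   pam_nologin.so
account   required    /usr/lib/security/pam_nologin.so
"""

# [-]type  control-or-[bracketed control]  module  [args]
RULE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Yield (lineno, type, control, module, args) for each rule in a pam.d file."""
    pending, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not pending:
            start = n                      # first physical line of this rule
        line = pending + raw
        if line.endswith("\\"):            # backslash-newline continues the rule
            pending = line[:-1] + " "
            continue
        pending = ""
        m = RULE.match(line.split("#", 1)[0].strip())
        if m:                              # "@include" lines do not match and are skipped
            yield start, m.group(2), m.group(3), m.group(4), m.group(5)


def nologin_auth_rules(text):
    """Return (lineno, control) for every auth rule that loads pam_nologin.so."""
    return [(n, ctl) for n, typ, ctl, mod, _ in parse_pam(text)
            if typ == "auth" and mod.rsplit("/", 1)[-1] == "pam_nologin.so"]


if __name__ == "__main__":
    for n, ctl in nologin_auth_rules(SAMPLE):
        print(f"line {n}: auth {ctl} pam_nologin.so is in the unlock auth stack")
```
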
Comment 3 Nate Graham 2025-05-29 17:11:30 UTC
We have a wiki page now for information like this: https://community.kde.org/Distributions/Packaging_Recommendations

Right now it doesn't have anything about recommended PAM configuration, though. Worth adding.
Comment 5 Antonio Rojas 2025-05-29 19:14:54 UTC
Any reason this is not shipped upstream, like GNOME and SDDM do?
Comment 6 Nate Graham 2025-05-29 19:16:29 UTC
That sounds like a good idea!
Comment 7 Fabian Vogt 2025-05-30 12:58:14 UTC
(In reply to Antonio Rojas from comment #5)
> Any reason this is not shipped upstream, like GNOME and SDDM do?

SDDM no longer ships PAM files: https://github.com/sddm/sddm/pull/1856#issuecomment-1954175820