
PAM not running with root privileges

Open Mikilio opened this issue 2 months ago • 3 comments

Regression?

No

Hyprlock Info and Version

v0.9.2

Compositor Info and Version

System/Version info
<Paste the output of the command here>

Description

Some PAM modules expect to be run with root privileges, and indeed that seems to be the case for pretty much every service except hyprlock. On hyprlock only, this will lead to those PAM modules just failing unless they are made user-friendly.

Example: u2f with an authfile owned by root.

This is low priority as workarounds exist, and I am also not quite sure how to achieve a solution for this. I'd be happy to receive feedback and also offer my assistance for any research.

How to reproduce

I can provide more information on how to reproduce; however, I do not think that this was ever supposed to work. And since this is almost like a feature request, I'll save myself the trouble.

Crash reports, logs, images, videos

No response

Mikilio avatar Oct 21 '25 04:10 Mikilio

Some PAM modules expect to be run with root privileges, and indeed that seems to be the case for pretty much every service except hyprlock

PAM modules run within the current process. They can only run as root when the application is setuid or the application launches a setuid process that handles the PAM conversation. Never ever make hyprlock a setuid binary. That would make hyprlock's configuration privilege escalation as a service.

Now I can imagine that there are some applications that launch a setuid binary that does the PAM stuff, and when that exits with a 0 exit code the application knows we authenticated. But I don't want to code a setuid binary, and using an existing solution will not be easily portable between systems.

For your situation with the authfile owned by root, you could let it be owned by a group your user is not part of. Set g+r on the authfile and then set the owning group of hyprlock to that group.

PointerDilemma avatar Oct 23 '25 07:10 PointerDilemma

Yeah, I have my workaround. I was just baffled that hyprlock is the only application I have behaving that way. I would like to find some actual document specifying what, how and why PAM wants you to do there. I hope you can keep the issue open till then, because then I know if this should be fixed here or in all PAM modules.

Mikilio avatar Oct 23 '25 14:10 Mikilio

You have any examples of "normal" applications making the modules run as root?

Cause for example sudo, su and greetd need to be root anyways.

PointerDilemma avatar Oct 23 '25 15:10 PointerDilemma

Glad I found this issue.

Spent too much time trying to figure out why my PAM U2F config (auth required pam_u2f.so authfile=/etc/u2f_mappings cue) wasn't working ([ERR] auth: pam_authenticate failed for hyprlock), but my authfile is set to root:root / 700.

Problem is, using the user's home directory (~/.config/Yubico) to store the mappings isn't an option with encrypted home...

ncoder-1 avatar Dec 19 '25 20:12 ncoder-1
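The two things the thread keeps circling, PointerDilemma's group-ownership workaround and ncoder-1's root:root / 700 authfile that pam_u2f cannot open, both come down to the kernel's ordinary DAC read check applied to a PAM module running inside the hyprlock process (euid = the logged-in user, egid = that user's group, or the setgid group if the workaround is applied). The script below is an added example and is not hyprlock's or pam-u2f's code: it pulls the authfile= path out of a pam.d line and models that read check for a given euid/egid so you can see why 700 fails and why group read plus a setgid hyprlock succeeds. It assumes GNU coreutils stat and bash, models only the classic owner/group/other bits (no supplementary groups, ACLs or MAC), and uses a constructed mapping file in place of /etc/u2f_mappings. Because a normal user cannot chown, the file's owner plays the role of root and any other uid plays the role of the user hyprlock runs as.

```shell
#!/usr/bin/env bash
# Added example (not hyprlock or pam-u2f code): model the DAC read check a
# PAM module hits when it opens its authfile from inside the hyprlock process.
# Assumes GNU coreutils `stat` and bash.

# Extract the authfile= option from a pam.d line such as
#   auth required pam_u2f.so authfile=/etc/u2f_mappings cue
# Prints the path; returns 1 if the line carries no authfile option
# (pam_u2f then falls back to a file under the user's ~/.config/Yubico).
pam_u2f_authfile() {
    local line="$1" tok
    for tok in $line; do
        case "$tok" in
            authfile=*) printf '%s\n' "${tok#authfile=}"; return 0 ;;
        esac
    done
    return 1
}

# Classic UNIX permission check for reading: if euid owns the file only the
# owner bits count, else if egid matches the file's group only the group bits
# count, else the "other" bits. uid 0 bypasses DAC (CAP_DAC_READ_SEARCH).
# Supplementary groups, ACLs and MAC are deliberately left out.
# Returns 0 when readable, 1 when not, 2 when the file cannot be stat'ed.
readable_as() {
    local file="$1" euid="$2" egid="$3" owner group mode bits digit
    read -r owner group mode < <(stat -c '%u %g %a' "$file" 2>/dev/null) || return 2
    [ "$euid" -eq 0 ] && return 0
    bits="$(printf '%04o' "$((8#$mode))")"   # normalise e.g. 2640 / 640 / 0
    bits="${bits: -3}"                         # drop the setuid/setgid/sticky digit
    if [ "$euid" -eq "$owner" ]; then
        digit="${bits:0:1}"
    elif [ "$egid" -eq "$group" ]; then
        digit="${bits:1:1}"
    else
        digit="${bits:2:1}"
    fi
    [ $((digit & 4)) -ne 0 ]
}

# Evaluate one pam_u2f line for a hyprlock process running as euid/egid.
# Returns 0 if the module could read its authfile, 1 if not, 2 if the line
# names no authfile at all.
pam_u2f_check() {
    local line="$1" euid="$2" egid="$3" authfile
    authfile="$(pam_u2f_authfile "$line")" || return 2
    if readable_as "$authfile" "$euid" "$egid"; then
        printf 'authfile %s readable by euid=%s egid=%s\n' "$authfile" "$euid" "$egid"
        return 0
    fi
    printf 'authfile %s NOT readable by euid=%s egid=%s: %s\n' \
        "$authfile" "$euid" "$egid" "$(stat -c 'mode %a owner %u:%g' "$authfile" 2>/dev/null)"
    return 1
}

# Constructed demo: the file's owner stands in for root, owner+1 for the user.
demo() {
    local f owner group user_uid user_gid line
    f="$(mktemp)"
    printf 'alice:KEYHANDLE,PUBKEY,es256,+presence\n' > "$f"   # constructed mapping line
    read -r owner group < <(stat -c '%u %g' "$f")
    user_uid=$((owner + 1)); user_gid=$((group + 1))
    line="auth required pam_u2f.so authfile=$f cue"

    chmod 700 "$f"   # the root:root / 700 layout from the thread
    pam_u2f_check "$line" "$user_uid" "$user_gid" || true   # NOT readable by the user

    chmod 640 "$f"   # the workaround: group read, hyprlock setgid to the file's group
    pam_u2f_check "$line" "$user_uid" "$group" || true      # readable via the setgid egid
    rm -f "$f"
}
demo
```

Two practical notes follow from the model: the owner branch wins even when the group bits would allow access, so chgrp without also loosening the group bit changes nothing; and a setgid hyprlock runs with that group as its egid for everything it does, so keep the group dedicated to the authfile and give it no other permissions.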