Authentication error with PAM: Error writing /proc/self/loginuid #166

Open
tkapias opened this issue Jul 6, 2023 · 8 comments
Labels
bug Something isn't working

Comments

@tkapias

tkapias commented Jul 6, 2023

Introduction

I use xsession to launch $USER/.xsession, which runs a systemd target with bindings to i3 and other services.
It works with lightdm and slim, but with Lemurs there is an Authentication error with PAM.

Related to:

System

OS: Debian GNU/Linux trixie/sid x86_64
Kernel: 6.3.0-1-amd64
Shell: bash 5.2.15
WM: i3-wm
init: systemd 252 (252.11-1)
rustc: 1.71.0-nightly (9d871b061 2023-05-21)
cargo: 1.71.0-nightly (09276c703 2023-05-16)
Lemurs: main build d8fe499

Logs output

  • /var/log/lemurs.log
[2023-07-06T03:35:55Z INFO  lemurs] Starting new session for 'tomasz' in environment 'X { xinitrc_path: "/etc/lemurs/wms/xsession" }'
[2023-07-06T03:35:56Z INFO  lemurs::post_login::env_variables] Setting Display
[2023-07-06T03:35:56Z INFO  lemurs::env_container] Set environment variable 'DISPLAY' to ':7'
[2023-07-06T03:35:56Z INFO  lemurs::post_login::env_variables] Setting XDG Session Parameters
[2023-07-06T03:35:56Z INFO  lemurs::env_container] Set environment variable 'XDG_SESSION_CLASS' to 'user'
[2023-07-06T03:35:56Z INFO  lemurs::env_container] Set environment variable 'XDG_SESSION_TYPE' to 'x11'
[2023-07-06T03:35:56Z INFO  lemurs::auth] Login attempt for 'tomasz'
[2023-07-06T03:35:56Z INFO  lemurs::auth::pam] Started opening session
[2023-07-06T03:35:58Z INFO  lemurs::auth::pam] Gotten Authenticator
[2023-07-06T03:35:58Z INFO  lemurs::auth::pam] Got handler
[2023-07-06T03:35:59Z INFO  lemurs::auth::pam] Validated account
[2023-07-06T03:36:16Z INFO  lemurs::auth] Authentication failed for 'tomasz'. Reason: Failed to open a PAM session
[2023-07-06T03:36:16Z INFO  lemurs::env_container] Removing session environment variables
[2023-07-06T03:36:16Z INFO  lemurs::env_container] Reverting to environment before session
[2023-07-06T03:36:16Z INFO  lemurs::env_container] Reverting to working directory before session
  • /var/log/auth.log
2023-07-06T10:36:00.051839+07:00 tka-pc-dell lemurs: pam_loginuid(lemurs:session): Error writing /proc/self/loginuid: Operation not permitted
2023-07-06T10:36:00.052103+07:00 tka-pc-dell lemurs: pam_loginuid(lemurs:session): set_loginuid failed
2023-07-06T10:36:00.052225+07:00 tka-pc-dell lemurs: pam_unix(lemurs:session): session opened for user tomasz(uid=1000) by (uid=0)
2023-07-06T10:36:00.840008+07:00 tka-pc-dell systemd-logind[548]: New session c1 of user tomasz.
2023-07-06T10:36:01.454207+07:00 tka-pc-dell (systemd): pam_unix(systemd-user:session): session opened for user tomasz(uid=1000) by (uid=0)

Leads

A little search for the same issue on other projects links to kernel audit options, forking and user permissions.

I tried to modify the pam config file (/etc/pam.d/lemurs), both of them give the same result:

  • Simplified:
#%PAM-1.0
@include login
  • Like slim:
#%PAM-1.0
auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
#auth    sufficient      pam_thinkfinger.so
@include common-auth
@include common-account
# SELinux needs to be the first session rule. This ensures that any 
# lingering context has been cleared. Without out this it is possible 
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad]    pam_selinux.so close
session required        pam_limits.so
session required        pam_loginuid.so
@include common-session
# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad]    pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
@include common-password
@coastalwhite
Owner

This is a somewhat difficult issue, as the behaviour expected by Debian-based platforms and other Linux distributions is different.

In Debian, PAM will lower the permissions to the given user. In most other distributions, the program needs to do that itself.

It might be needed to make some distinction between the two in the configuration as I would like to keep the same build for both.

@coastalwhite coastalwhite added the bug Something isn't working label Jul 28, 2023
@avlec

avlec commented Jul 29, 2023

I'm seeing this error when my window manager closes on Arch Linux x86_64 6.4.7 zen kernel fresh install. It causes the service to shut down and fall back to the regular login.

[... INFO lemurs::post_login] Waiting for client to exit

systemctl output

systemd[]: Started Lemurs.
lemurs[]: Error writing /proc/self/loginuid: Operation not permitted
lemurs[]: pam_loginuid(lemurs:session): set_loginuid failed
lemurs[]: pam.unix(lemurs:session): session opened for user ... by (uid=0)
systemd[]: lemurs.service: Deactivate successfully.

@coastalwhite
Owner

I am investigating this issue, but it is a rather tough one. In theory, pam_loginuid is optional in most cases (not in the slim case) and should therefore not be the error you are experiencing. It might have something to do with the upstream PAM implementation, though.

@sandmuel

I think this is the same issue plaguing lemurs on openSUSE.

here's my logs if this helps (they do seem quite similar to the others):

[2023-09-21T00:46:01Z INFO  lemurs::auth] Login attempt for 'samuel'
[2023-09-21T00:46:01Z INFO  lemurs::auth::pam] Started opening session
[2023-09-21T00:46:01Z INFO  lemurs::auth::pam] Gotten Authenticator
[2023-09-21T00:46:01Z INFO  lemurs::auth::pam] Got handler
[2023-09-21T00:46:01Z INFO  lemurs::auth::pam] Validated account
[2023-09-21T00:46:01Z INFO  lemurs::auth] Authentication failed for 'samuel'. Reason: Failed to open a PAM session

@acottis

acottis commented Sep 25, 2023

Hi,

I have a workaround that works for me on Debian 12 Bookworm.
The line that was the problem is in the /etc/pam.d/login file on my OS.

session    required     pam_loginuid.so

I worked around this by just copying /etc/pam.d/login into extra/lemurs.pam then changing required to optional just for pam_loginuid.so before installing again with ./install.sh

session    optional     pam_loginuid.so

Note that /proc/self/loginuid will be set to 2^32, max int size if you do this workaround. (But it will load quite happily!)

@foxfirecodes

foxfirecodes commented Nov 17, 2024

just wanted to add my own experience briefly, for anyone who ends up here specifically after installing a Linux kernel on Arch other than mainline/lts:

i saw this error in the logs of lemurs and thought it was why i couldnt login after switching to Linux Zen, but it was a red herring. it was already optional in all my pam.d files (except root login, irrelevant here)

silly me forgot that if you're using a non mainline/lts kernel, you have to install nvidia-dkms/nvidia-open-dkms rather than nvidia/nvidia-open/nvidia-lts, as the latter are built for specific kernels (namely mainline & lts)

i do wonder if i missed something to point me in this direction in the logs. would have been helpful to see any indication of this in lemurs' logs, what clued me in was startx failing. anyway hope this helps anyone who might also be seeing these pam error red herrings -- but still worth checking if its required in your pam.d files!
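
Whether a pam_loginuid.so failure aborts the session depends on its control flag in the session stack, which is often reached only through an include, as in the configs and the workaround quoted in this thread. The following is an added example, not code from Lemurs or from any commenter: it resolves the includes for a PAM service and lists every pam_loginuid.so rule with its control flag. The names `loginuid_rules`, `demo` and `FATAL`, and the sample files, are constructed for illustration.

```python
import os
import re
import tempfile

FATAL = {"required", "requisite"}  # a failing rule with these flags fails the stack
# type, control (plain word or [bracketed value=action list]), remaining arguments
RULE = re.compile(r"^-?(\S+)\s+(\[[^\]]*\]|\S+)\s*(.*)$")

def loginuid_rules(service, pam_dir="/etc/pam.d", seen=None):
    """List (file, control) for pam_loginuid.so in the session stack of `service`."""
    seen = set() if seen is None else seen
    path = os.path.join(pam_dir, service)
    if service in seen or not os.path.isfile(path):
        return []
    seen.add(service)
    found = []
    with open(path) as fh:
        for raw in fh:
            m = RULE.match(raw.split("#", 1)[0].strip())
            if not m:
                continue
            kind, control, args = m.group(1), m.group(2), m.group(3).split()
            if kind == "@include":  # Debian-style include of a whole file
                found += loginuid_rules(control, pam_dir, seen)
            elif kind == "session" and args:
                if control in ("include", "substack"):  # include via control field
                    found += loginuid_rules(args[0], pam_dir, seen)
                elif os.path.basename(args[0]) == "pam_loginuid.so":
                    found.append((service, control))
    return found

def demo():
    """Constructed files mirroring the 'Simplified' config and the login rule above."""
    files = {"lemurs": "#%PAM-1.0\n@include login\n",
             "login": "session [success=ok default=bad] pam_selinux.so close\n"
                      "session    required     pam_loginuid.so\n"}
    with tempfile.TemporaryDirectory() as d:
        for name, text in files.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(text)
        rules = loginuid_rules("lemurs", d)
    return rules, [r for r in rules if r[1] in FATAL]

if __name__ == "__main__":
    print(demo())
```

Calling `loginuid_rules("lemurs")` reads the real /etc/pam.d; any entry whose control flag is in `FATAL` is the case the workaround above changes to optional.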

@Talleyrand-34

Hi, i have a very similar error

Nov 17 15:27:03 fedora systemd[1]: Started lemurs.service - Lemurs.
Nov 17 15:27:30 fedora lemurs[1837]: pam_loginuid(lemurs:session): Error writing /proc/self/loginuid: Operation not permitted
Nov 17 15:27:30 fedora lemurs[1837]: pam_loginuid(lemurs:session): set_loginuid failed
Nov 17 15:27:31 fedora lemurs[1837]: pam_unix(lemurs:session): session opened for user anonuser(uid=1000) by (uid=0)

but anon user uid is not 1000, in fact there is no user with uid 1000 and fails to open
I am using Fedora 40 with kernel 6.11

@osintowl

osintowl commented Feb 1, 2025

@Talleyrand-34 on fedora the solution for me was fixed by making an selinux policy for it
sudo ausearch -c 'lemurs' --raw | sudo audit2allow -M lemurs_policy

semodule -i lemurs_policy.pp
