mate-screensaver not using root to call pam-userdb for auth

[StephDC]

Expected behaviour

The mate-screensaver can unlock the session correctly after entering the password.

Actual behaviour

The mate-screensaver failed to unlock the screen with the following error message shown in journalctl

mate-screensaver-dialog[125017]: pam_userdb(mate-screensaver:auth): user_lookup: could not open database '/etc/user': Permission denied

Steps to reproduce the behaviour

Create a userdb file (Berkeley DB) containing a username and password with 600 permission as shown below

-rw------- 1 root root /etc/user.db

Login using the username and password. (I used lightdm and it worked just fine)

Lock the screen

Try to unlock the screen with the password - failed.

MATE general version

1.24.0

Package version

mate-screensaver 1.24.0

Linux Distribution

AOSC, shall apply to other distros

Link to downstream report of your Distribution

Attempts to try to fix the issue

• change mate-screensaver to suid root make it stop working altogether
• change mate-screensaver-dialog to suid root does not affect the outcome
• change /etc/user.db to all readable is a huge no-go as it essentially exposes the password hash to all users.

[lukefromdc]

There have been lots of PAM configuration issues with this, in Debian to get the unlock dialog to show up at all you have to remove/etc/pam.d/mate-screensaver