#26 2016-10-22 20:01:54

seth
Member
Registered: 2012-09-03
Posts: 52,017

Re: [SOLVED] Can't log in using GUI (IceLockAuthFile failed)

Being in the wheel group is "normal" and it's absolutely ok to be in your own group.

Setting the home dir's group to xander breaks everything

That directory *alone*?
Bad group? What's the output of "id"?


#27 2016-10-22 20:06:25

loqs
Member
Registered: 2014-03-06
Posts: 17,522

Re: [SOLVED] Can't log in using GUI (IceLockAuthFile failed)

Reasons why are covered in Users_and_groups#Example_adding_a_user

$ id -ng

This should generally match the group owning /home/username
Edit:
Also

$ getent group xander

Last edited by loqs (2016-10-22 20:07:52)


#28 2016-10-22 20:42:08

JohnBobSmith
Member
From: Canada
Registered: 2014-11-29
Posts: 804

Re: [SOLVED] Can't log in using GUI (IceLockAuthFile failed)

Basically, to the best of my knowledge, security risks regarding users and groups occur when you give any user too much (a dangerous amount of) control over the system, with or without malicious intent. Here's a very cheesy but arguably plausible scenario: Suppose you have two users, Jack and Jill. Jack and Jill are both members of the group married couples, or MC for short. All files have this MC group by default, and members of group MC have access to each other's home directory. Jack and Jill share the same computer. One day, Jack decides to do some really crazy stuff and ends up impregnating another woman. He doesn't want his wife to find out, so he changes some permissions on his email and browser history and what not. Jack thinks he's safe. The next day, Jill decides to investigate because Jack has been acting really weird. Jill finds out about the affair without a hitch. She gets a divorce. Jack is now ruined forever. Why did Jill have no problem getting into Jack's files? It's simple: because both Jack and Jill are members of group MC, and members of group MC have access to each other's files, Jack or Jill could have accessed each other's files at any time. Unfortunately for Jack, he forgot to make sure that his home directory and files were removed from group MC, thereby actually locking his wife out.

The solution to Jack's dilemma would be to set the permissions of any important file that only he should have access to to something like Jack:Jack. Jill would then no longer be able to access these files, because Jill is not in group Jack and the file is no longer accessible by members of group MC. To really ensure that only he would have access to it, Jack would have also set the permissions of his important files to rwx------. Now only the owner (Jack) can read, write or execute anything for said file.

It is entirely possible that my explanation of things is off, outdated, wrong, etc. etc. Therefore I highly encourage you to do your own research and look up for yourself what really is what. Because we have a working solution, I won't reply to this thread anymore. But I hope this helps someone!

Links regarding groups, permissions, etc:
https://wiki.archlinux.org/index.php/Users_and_groups
https://en.wikipedia.org/wiki/User_(computing)
https://en.wikipedia.org/wiki/Group_(computing)
https://en.wikipedia.org/wiki/File_system_permissions
https://en.wikipedia.org/wiki/Computer_access_control


I am diagnosed with bipolar disorder. As it turns out, what I thought was my greatest weakness is now my greatest strength.

Every day, I make a conscious choice to overcome my challenges and my problems. It's not easy, but it's better than the alternative...


#29 2016-10-22 21:02:18

seth
Member
Registered: 2012-09-03
Posts: 52,017

Re: [SOLVED] Can't log in using GUI (IceLockAuthFile failed)

Jill has physical access, Jack is screwed - had better copied the files to some USB key and erased them on disk ...

The actual problem here is that some security-related processes will check permissions and, if too lax, simply refuse action.
The other problem is umask 002, i.e. group members get write access by default - Jill just *fakes* the adultery. Jack is screwed. (Even more, for he didn't even do that barely legal teen with insufficient knowledge of birth control)

JohnBobSmith is retired? (Ie. was young when you could do such examples w/o risking a shitstorm ;-)
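
The checks suggested in posts #26 to #29 (owner and primary group of the home directory, plus the group-write bit that umask 002 leaves behind), gathered into one script. This is an added example, not code from any poster; the function names check_home and audit_user_home are made up for illustration, and GNU stat (coreutils) is assumed.

```shell
#!/bin/sh
# Added example: audit a home directory for the problems discussed in this thread.
# Assumes GNU stat (coreutils) and getent, as found on Arch Linux.

# check_home DIR UID GID  (hypothetical helper)
# Prints one line per finding. Returns 0 if clean, 1 on findings, 2 on error.
check_home() {
    dir=$1 want_uid=$2 want_gid=$3 rc=0
    # %u / %g = numeric owner and group, %a = octal mode (e.g. 700, 775)
    info=$(stat -c '%u %g %a' -- "$dir") || return 2
    set -- $info
    uid=$1 gid=$2 mode=$3

    if [ "$uid" != "$want_uid" ]; then
        echo "owner: $dir is owned by uid $uid, expected $want_uid"; rc=1
    fi
    # Same comparison as "id -ng" against the group owning /home/username.
    if [ "$gid" != "$want_gid" ]; then
        echo "group: $dir has gid $gid, expected primary gid $want_gid"; rc=1
    fi
    # The last two octal digits are the group and other permission bits;
    # value 2 in a digit is the write bit.
    grp=$(( (mode / 10) % 10 )) oth=$(( mode % 10 ))
    if [ $(( grp & 2 )) -ne 0 ]; then
        echo "mode: $dir is group-writable ($mode)"; rc=1
    fi
    if [ $(( oth & 2 )) -ne 0 ]; then
        echo "mode: $dir is world-writable ($mode)"; rc=1
    fi
    return $rc
}

# audit_user_home USER  (hypothetical helper)
# Looks up the user's home directory and primary group, then runs check_home.
audit_user_home() {
    home=$(getent passwd "$1" | cut -d: -f6)
    [ -n "$home" ] || { echo "no passwd entry for $1"; return 2; }
    check_home "$home" "$(id -u "$1")" "$(id -g "$1")"
}

# Usage: sh audit_home.sh xander
if [ "$#" -eq 1 ]; then
    audit_user_home "$1"
fi
```

A clean result prints nothing; a directory created under umask 002 shows up as group-writable.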
