svn commit: r542455 - in branches/2020Q3/x11/swaylock: . files
Jan Beich
jbeich at FreeBSD.org
Fri Jul 17 22:35:20 UTC 2020
Author: jbeich
Date: Fri Jul 17 22:35:19 2020
New Revision: 542455
URL: https://svnweb.freebsd.org/changeset/ports/542455
Log:
MFH: r542454
x11/swaylock: limit root to authenticating child process
Taken from initialize_pw_backend in shadow.c.
PR: 248053
Approved by: ports-secteam blanket
Modified:
branches/2020Q3/x11/swaylock/Makefile
branches/2020Q3/x11/swaylock/files/patch-pam.c
Directory Properties:
branches/2020Q3/ (props changed)
Modified: branches/2020Q3/x11/swaylock/Makefile
==============================================================================
--- branches/2020Q3/x11/swaylock/Makefile Fri Jul 17 22:34:38 2020 (r542454)
+++ branches/2020Q3/x11/swaylock/Makefile Fri Jul 17 22:35:19 2020 (r542455)
@@ -2,7 +2,7 @@
PORTNAME= swaylock
DISTVERSION= 1.5
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= x11
MAINTAINER= jbeich at FreeBSD.org
Modified: branches/2020Q3/x11/swaylock/files/patch-pam.c
==============================================================================
--- branches/2020Q3/x11/swaylock/files/patch-pam.c Fri Jul 17 22:34:38 2020 (r542454)
+++ branches/2020Q3/x11/swaylock/files/patch-pam.c Fri Jul 17 22:35:19 2020 (r542455)
@@ -1,8 +1,9 @@
pam_unix(8) requires root priveleges to access master.passwd(5)
+but don't keep root for non-authentication activities.
--- pam.c.orig 2019-01-29 19:48:00 UTC
+++ pam.c
-@@ -12,12 +12,14 @@
+@@ -12,15 +12,40 @@
static char *pw_buf = NULL;
void initialize_pw_backend(int argc, char **argv) {
@@ -13,7 +14,33 @@ pam_unix(8) requires root priveleges to access master.
" backend. Run 'chmod a-s %s' to fix. Aborting.", argv[0]);
exit(EXIT_FAILURE);
}
++#else
++ if (geteuid() != 0) {
++ swaylock_log(LOG_ERROR,
++ "swaylock needs to be setuid for pam_unix(8) to read /etc/master.passwd");
++ exit(EXIT_FAILURE);
++ }
+#endif
++
if (!spawn_comm_child()) {
exit(EXIT_FAILURE);
}
++
++#ifndef __linux__
++ if (setgid(getgid()) != 0) {
++ swaylock_log_errno(LOG_ERROR, "Unable to drop root");
++ exit(EXIT_FAILURE);
++ }
++ if (setuid(getuid()) != 0) {
++ swaylock_log_errno(LOG_ERROR, "Unable to drop root");
++ exit(EXIT_FAILURE);
++ }
++ if (setuid(0) != -1) {
++ swaylock_log_errno(LOG_ERROR, "Unable to drop root (we shouldn't be "
++ "able to restore it after setuid)");
++ exit(EXIT_FAILURE);
++ }
++#endif
+ }
+
+ static int handle_conversation(int num_msg, const struct pam_message **msg,
More information about the svn-ports-all
mailing list