Date: Fri, 17 Jul 2020 22:34:38 +0000 (UTC) From: Jan Beich <jbeich@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r542454 - in head/x11/swaylock: . files Message-ID: <202007172234.06HMYcfn044588@repo.freebsd.org>
Author: jbeich Date: Fri Jul 17 22:34:38 2020 New Revision: 542454 URL: https://svnweb.freebsd.org/changeset/ports/542454 Log: x11/swaylock: limit root to authenticating child process Taken from initialize_pw_backend in shadow.c. PR: 248053 Modified: head/x11/swaylock/Makefile (contents, props changed) head/x11/swaylock/files/patch-pam.c (contents, props changed) Modified: head/x11/swaylock/Makefile ============================================================================== --- head/x11/swaylock/Makefile Fri Jul 17 22:32:15 2020 (r542453) +++ head/x11/swaylock/Makefile Fri Jul 17 22:34:38 2020 (r542454) @@ -2,7 +2,7 @@ PORTNAME= swaylock DISTVERSION= 1.5 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= x11 MAINTAINER= jbeich@FreeBSD.org Modified: head/x11/swaylock/files/patch-pam.c ============================================================================== --- head/x11/swaylock/files/patch-pam.c Fri Jul 17 22:32:15 2020 (r542453) +++ head/x11/swaylock/files/patch-pam.c Fri Jul 17 22:34:38 2020 (r542454) @@ -1,8 +1,9 @@ pam_unix(8) requires root priveleges to access master.passwd(5) +but don't keep root for non-authentication activities. --- pam.c.orig 2019-01-29 19:48:00 UTC +++ pam.c -@@ -12,12 +12,14 @@ +@@ -12,15 +12,40 @@ static char *pw_buf = NULL; void initialize_pw_backend(int argc, char **argv) { 
@@ -13,7 +14,33 @@ pam_unix(8) requires root priveleges to access master. " backend. Run 'chmod a-s %s' to fix. Aborting.", argv[0]); exit(EXIT_FAILURE); } ++#else ++ if (geteuid() != 0) { ++ swaylock_log(LOG_ERROR, ++ "swaylock needs to be setuid for pam_unix(8) to read /etc/master.passwd"); ++ exit(EXIT_FAILURE); ++ } +#endif ++ if (!spawn_comm_child()) { exit(EXIT_FAILURE); } ++ ++#ifndef __linux__ ++ if (setgid(getgid()) != 0) { ++ swaylock_log_errno(LOG_ERROR, "Unable to drop root"); ++ exit(EXIT_FAILURE); ++ } ++ if (setuid(getuid()) != 0) { ++ swaylock_log_errno(LOG_ERROR, "Unable to drop root"); ++ exit(EXIT_FAILURE); ++ } ++ if (setuid(0) != -1) { ++ swaylock_log_errno(LOG_ERROR, "Unable to drop root (we shouldn't be " ++ "able to restore it after setuid)"); ++ exit(EXIT_FAILURE); ++ } ++#endif + } + + static int handle_conversation(int num_msg, const struct pam_message **msg,
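Review bot: In the `setuid(0) != -1` branch the call has just succeeded, so `swaylock_log_errno` appends a stale errno value instead of a cause; `swaylock_log(LOG_ERROR, "Unable to drop root (we shouldn't be able to restore it after setuid)");` reports the same condition without the misleading suffix. That branch is also reached when the real uid is already 0, because `setuid(getuid())` then leaves root in place, so a session started by root exits with a message about failing to drop privileges; if that is intended, a one-line comment above the check should say so. The `setgid` and `setuid` failure paths log the identical text "Unable to drop root", so a report cannot tell which call failed; naming the call in each message would fix that. initialize_pw_backend starts outside this hunk, so the Linux-side checks that precede `#else` are not visible here.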