Date: Fri, 17 Jul 2020 22:35:19 +0000 (UTC) From: Jan Beich <jbeich@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r542455 - in branches/2020Q3/x11/swaylock: . files Message-ID: <202007172235.06HMZJYr044773@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: jbeich Date: Fri Jul 17 22:35:19 2020 New Revision: 542455 URL: https://svnweb.freebsd.org/changeset/ports/542455 Log: MFH: r542454 x11/swaylock: limit root to authenticating child process Taken from initialize_pw_backend in shadow.c. PR: 248053 Approved by: ports-secteam blanket Modified: branches/2020Q3/x11/swaylock/Makefile branches/2020Q3/x11/swaylock/files/patch-pam.c Directory Properties: branches/2020Q3/ (props changed) Modified: branches/2020Q3/x11/swaylock/Makefile ============================================================================== --- branches/2020Q3/x11/swaylock/Makefile Fri Jul 17 22:34:38 2020 (r542454) +++ branches/2020Q3/x11/swaylock/Makefile Fri Jul 17 22:35:19 2020 (r542455) @@ -2,7 +2,7 @@ PORTNAME= swaylock DISTVERSION= 1.5 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= x11 MAINTAINER= jbeich@FreeBSD.org Modified: branches/2020Q3/x11/swaylock/files/patch-pam.c ============================================================================== --- branches/2020Q3/x11/swaylock/files/patch-pam.c Fri Jul 17 22:34:38 2020 (r542454) +++ branches/2020Q3/x11/swaylock/files/patch-pam.c Fri Jul 17 22:35:19 2020 (r542455) @@ -1,8 +1,9 @@ pam_unix(8) requires root priveleges to access master.passwd(5) +but don't keep root for non-authentication activities. --- pam.c.orig 2019-01-29 19:48:00 UTC +++ pam.c -@@ -12,12 +12,14 @@ +@@ -12,15 +12,40 @@ static char *pw_buf = NULL; void initialize_pw_backend(int argc, char **argv) { @@ -13,7 +14,33 @@ pam_unix(8) requires root priveleges to access master. " backend. Run 'chmod a-s %s' to fix. Aborting.", argv[0]); exit(EXIT_FAILURE); } ++#else ++ if (geteuid() != 0) { ++ swaylock_log(LOG_ERROR, ++ "swaylock needs to be setuid for pam_unix(8) to read /etc/master.passwd"); ++ exit(EXIT_FAILURE); ++ } +#endif ++ if (!spawn_comm_child()) { exit(EXIT_FAILURE); } ++ ++#ifndef __linux__ ++ if (setgid(getgid()) != 0) { ++ swaylock_log_errno(LOG_ERROR, "Unable to drop root"); ++ exit(EXIT_FAILURE); ++ } ++ if (setuid(getuid()) != 0) { ++ swaylock_log_errno(LOG_ERROR, "Unable to drop root"); ++ exit(EXIT_FAILURE); ++ } ++ if (setuid(0) != -1) { ++ swaylock_log_errno(LOG_ERROR, "Unable to drop root (we shouldn't be " ++ "able to restore it after setuid)"); ++ exit(EXIT_FAILURE); ++ } ++#endif + } + + static int handle_conversation(int num_msg, const struct pam_message **msg,
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202007172235.06HMZJYr044773>