diff options
author | Jan Beich <jbeich@FreeBSD.org> | 2020-07-17 22:34:38 +0000 |
---|---|---|
committer | Jan Beich <jbeich@FreeBSD.org> | 2020-07-17 22:34:38 +0000 |
commit | 46d7eb1301d95b2b125e4ca8fb9abdfcf1a3ba79 (patch) | |
tree | 4ceaff8bf6cd24be5c4476a3dde08fb7121494e3 /x11/swaylock | |
parent | 067e4fe6e6168df51aae21dae981d48143dcc54d (diff) | |
download | ports-46d7eb1301d95b2b125e4ca8fb9abdfcf1a3ba79.tar.gz ports-46d7eb1301d95b2b125e4ca8fb9abdfcf1a3ba79.zip |
x11/swaylock: limit root to authenticating child process
Taken from initialize_pw_backend in shadow.c.
PR: 248053
Notes
Notes:
svn path=/head/; revision=542454
Diffstat (limited to 'x11/swaylock')
-rw-r--r-- | x11/swaylock/Makefile | 2 | ||||
-rw-r--r-- | x11/swaylock/files/patch-pam.c | 29 |
2 files changed, 29 insertions, 2 deletions
diff --git a/x11/swaylock/Makefile b/x11/swaylock/Makefile index 1d6123ee5404..92553e97668f 100644 --- a/x11/swaylock/Makefile +++ b/x11/swaylock/Makefile @@ -2,7 +2,7 @@ PORTNAME= swaylock DISTVERSION= 1.5 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= x11 MAINTAINER= jbeich@FreeBSD.org diff --git a/x11/swaylock/files/patch-pam.c b/x11/swaylock/files/patch-pam.c index b00deca58e32..34b89d2b645c 100644 --- a/x11/swaylock/files/patch-pam.c +++ b/x11/swaylock/files/patch-pam.c @@ -1,8 +1,9 @@ pam_unix(8) requires root priveleges to access master.passwd(5) +but don't keep root for non-authentication activities. --- pam.c.orig 2019-01-29 19:48:00 UTC +++ pam.c -@@ -12,12 +12,14 @@ +@@ -12,15 +12,40 @@ static char *pw_buf = NULL; void initialize_pw_backend(int argc, char **argv) { @@ -13,7 +14,33 @@ pam_unix(8) requires root priveleges to access master.passwd(5) " backend. Run 'chmod a-s %s' to fix. Aborting.", argv[0]); exit(EXIT_FAILURE); } ++#else ++ if (geteuid() != 0) { ++ swaylock_log(LOG_ERROR, ++ "swaylock needs to be setuid for pam_unix(8) to read /etc/master.passwd"); ++ exit(EXIT_FAILURE); ++ } +#endif ++ if (!spawn_comm_child()) { exit(EXIT_FAILURE); } ++ ++#ifndef __linux__ ++ if (setgid(getgid()) != 0) { ++ swaylock_log_errno(LOG_ERROR, "Unable to drop root"); ++ exit(EXIT_FAILURE); ++ } ++ if (setuid(getuid()) != 0) { ++ swaylock_log_errno(LOG_ERROR, "Unable to drop root"); ++ exit(EXIT_FAILURE); ++ } ++ if (setuid(0) != -1) { ++ swaylock_log_errno(LOG_ERROR, "Unable to drop root (we shouldn't be " ++ "able to restore it after setuid)"); ++ exit(EXIT_FAILURE); ++ } ++#endif + } + + static int handle_conversation(int num_msg, const struct pam_message **msg, |