MFH: r542454

x11/swaylock: limit root to authenticating child process

Taken from initialize_pw_backend in shadow.c.

PR:		248053
Approved by:	ports-secteam blanket

2 files changed, 29 insertions, 2 deletions

diff --git a/x11/swaylock/Makefile b/x11/swaylock/Makefile
index 1d6123ee5404..92553e97668f 100644
--- a/x11/swaylock/Makefile
+++ b/x11/swaylock/Makefile
@@ -2,7 +2,7 @@
 
 PORTNAME=	swaylock
 DISTVERSION=	1.5
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	x11
 
 MAINTAINER=	jbeich@FreeBSD.org
diff --git a/x11/swaylock/files/patch-pam.c b/x11/swaylock/files/patch-pam.c
index b00deca58e32..34b89d2b645c 100644
--- a/x11/swaylock/files/patch-pam.c
+++ b/x11/swaylock/files/patch-pam.c
@@ -1,8 +1,9 @@
 pam_unix(8) requires root priveleges to access master.passwd(5)
+but don't keep root for non-authentication activities.
 
 --- pam.c.orig	2019-01-29 19:48:00 UTC
 +++ pam.c
-@@ -12,12 +12,14 @@
+@@ -12,15 +12,40 @@
  static char *pw_buf = NULL;
  
  void initialize_pw_backend(int argc, char **argv) {
@@ -13,7 +14,33 @@ pam_unix(8) requires root priveleges to access master.passwd(5)
  			" backend. Run 'chmod a-s %s' to fix. Aborting.", argv[0]);
  		exit(EXIT_FAILURE);
  	}
++#else
++	if (geteuid() != 0) {
++		swaylock_log(LOG_ERROR,
++				"swaylock needs to be setuid for pam_unix(8) to read /etc/master.passwd");
++		exit(EXIT_FAILURE);
++	}
 +#endif
++
  	if (!spawn_comm_child()) {
  		exit(EXIT_FAILURE);
  	}
++
++#ifndef __linux__
++	if (setgid(getgid()) != 0) {
++		swaylock_log_errno(LOG_ERROR, "Unable to drop root");
++		exit(EXIT_FAILURE);
++	}
++	if (setuid(getuid()) != 0) {
++		swaylock_log_errno(LOG_ERROR, "Unable to drop root");
++		exit(EXIT_FAILURE);
++	}
++	if (setuid(0) != -1) {
++		swaylock_log_errno(LOG_ERROR, "Unable to drop root (we shouldn't be "
++			"able to restore it after setuid)");
++		exit(EXIT_FAILURE);
++	}
++#endif
+ }
+ 
+ static int handle_conversation(int num_msg, const struct pam_message **msg,