diff options
author | Jan Beich <jbeich@FreeBSD.org> | 2020-07-17 22:35:19 +0000 |
---|---|---|
committer | Jan Beich <jbeich@FreeBSD.org> | 2020-07-17 22:35:19 +0000 |
commit | 6550b772fb63ad972cf9416e5832e60ddea31c73 (patch) | |
tree | 35af22c551c3146b8855291129924731b2bd748a /x11 | |
parent | 033f2cc92a3c923f2db55b46ade60459ba9ac149 (diff) | |
download | ports-6550b772fb63ad972cf9416e5832e60ddea31c73.tar.gz ports-6550b772fb63ad972cf9416e5832e60ddea31c73.zip |
MFH: r542454
x11/swaylock: limit root to authenticating child process
Taken from initialize_pw_backend in shadow.c.
PR: 248053
Approved by: ports-secteam blanket
Notes
Notes:
svn path=/branches/2020Q3/; revision=542455
Diffstat (limited to 'x11')
-rw-r--r-- | x11/swaylock/Makefile | 2 | ||||
-rw-r--r-- | x11/swaylock/files/patch-pam.c | 29 |
2 files changed, 29 insertions, 2 deletions
diff --git a/x11/swaylock/Makefile b/x11/swaylock/Makefile index 1d6123ee5404..92553e97668f 100644 --- a/x11/swaylock/Makefile +++ b/x11/swaylock/Makefile @@ -2,7 +2,7 @@ PORTNAME= swaylock DISTVERSION= 1.5 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= x11 MAINTAINER= jbeich@FreeBSD.org diff --git a/x11/swaylock/files/patch-pam.c b/x11/swaylock/files/patch-pam.c index b00deca58e32..34b89d2b645c 100644 --- a/x11/swaylock/files/patch-pam.c +++ b/x11/swaylock/files/patch-pam.c @@ -1,8 +1,9 @@ pam_unix(8) requires root priveleges to access master.passwd(5) +but don't keep root for non-authentication activities. --- pam.c.orig 2019-01-29 19:48:00 UTC +++ pam.c -@@ -12,12 +12,14 @@ +@@ -12,15 +12,40 @@ static char *pw_buf = NULL; void initialize_pw_backend(int argc, char **argv) { @@ -13,7 +14,33 @@ pam_unix(8) requires root priveleges to access master.passwd(5) " backend. Run 'chmod a-s %s' to fix. Aborting.", argv[0]); exit(EXIT_FAILURE); } ++#else ++ if (geteuid() != 0) { ++ swaylock_log(LOG_ERROR, ++ "swaylock needs to be setuid for pam_unix(8) to read /etc/master.passwd"); ++ exit(EXIT_FAILURE); ++ } +#endif ++ if (!spawn_comm_child()) { exit(EXIT_FAILURE); } ++ ++#ifndef __linux__ ++ if (setgid(getgid()) != 0) { ++ swaylock_log_errno(LOG_ERROR, "Unable to drop root"); ++ exit(EXIT_FAILURE); ++ } ++ if (setuid(getuid()) != 0) { ++ swaylock_log_errno(LOG_ERROR, "Unable to drop root"); ++ exit(EXIT_FAILURE); ++ } ++ if (setuid(0) != -1) { ++ swaylock_log_errno(LOG_ERROR, "Unable to drop root (we shouldn't be " ++ "able to restore it after setuid)"); ++ exit(EXIT_FAILURE); ++ } ++#endif + } + + static int handle_conversation(int num_msg, const struct pam_message **msg, |