git: 1a6e018f6243 - main - x11/swaylock: drop setuid bit via unix-selfauth-helper
Date: Tue, 28 Jun 2022 20:02:19 UTC
The branch main has been updated by jbeich:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1a6e018f624361ab51af5ba7d46d89ab42a243f2

commit 1a6e018f624361ab51af5ba7d46d89ab42a243f2
Author: Jan Beich <jbeich@FreeBSD.org>
AuthorDate: 2022-06-28 19:37:40 +0000
Commit: Jan Beich <jbeich@FreeBSD.org>
CommitDate: 2022-06-28 20:01:35 +0000

 x11/swaylock: drop setuid bit via unix-selfauth-helper
---
 x11/swaylock-effects/Makefile | 2 +-
 x11/swaylock/Makefile | 11 ++++-----
 x11/swaylock/files/patch-pam.c | 46 -----------------------------------
 x11/swaylock/files/patch-pam_swaylock | 6 ++++-
 4 files changed, 11 insertions(+), 54 deletions(-)

diff --git a/x11/swaylock-effects/Makefile b/x11/swaylock-effects/Makefile
index 5d76bdbec325..93744db36d78 100644
--- a/x11/swaylock-effects/Makefile
+++ b/x11/swaylock-effects/Makefile
@@ -1,6 +1,6 @@
 DISTVERSIONPREFIX= v
 DISTVERSION= 1.6-3
-PORTREVISION= 1
+PORTREVISION= 2
 PKGNAMESUFFIX= -effects
 
 PATCH_SITES= https://github.com/${GH_ACCOUNT}/${GH_PROJECT}/commit/
diff --git a/x11/swaylock/Makefile b/x11/swaylock/Makefile
index aeacbd6aadc5..d4930274a707 100644
--- a/x11/swaylock/Makefile
+++ b/x11/swaylock/Makefile
@@ -1,6 +1,6 @@
 PORTNAME= swaylock
 DISTVERSION?= 1.6
-PORTREVISION?= 0
+PORTREVISION?= 1
 CATEGORIES= x11
 
 MAINTAINER= jbeich@FreeBSD.org
@@ -12,6 +12,7 @@ LICENSE_FILE= ${WRKSRC}/LICENSE
 BUILD_DEPENDS= wayland-protocols>=1.25:graphics/wayland-protocols
 LIB_DEPENDS= libwayland-client.so:graphics/wayland \
 libxkbcommon.so:x11/libxkbcommon
+RUN_DEPENDS= unix-selfauth-helper>0:security/unix-selfauth-helper
 
 CONFLICTS_INSTALL= ${PORTNAME}-*
 
@@ -26,11 +27,6 @@ PLIST_FILES= bin/${PORTNAME} \
 share/fish/vendor_completions.d/${PORTNAME}.fish \
 share/zsh/site-functions/_${PORTNAME}
 
-# https://reviews.freebsd.org/D34321
-.if !exists(/usr/libexec/pam_unix-helper)
-PLIST_FILES:= "@(,,4755) "${PLIST_FILES}
-.endif
-
 OPTIONS_DEFINE= MANPAGES PIXBUF
 OPTIONS_DEFAULT=MANPAGES PIXBUF
 
@@ -46,5 +42,8 @@ post-patch:
 @${REINPLACE_CMD} -i .nogit -e 's/git.found()/false/' \
 -e '/project_version/s/@0@/${DISTVERSIONFULL}/' \
 ${WRKSRC}/meson.build
+# Respect LOCALBASE for unix-selfauth-helper
+ @${REINPLACE_CMD} -e 's,/usr/local,${LOCALBASE},' \
+ ${WRKSRC}/pam/${PORTNAME}
 
 .include <bsd.port.mk>
diff --git a/x11/swaylock/files/patch-pam.c b/x11/swaylock/files/patch-pam.c
deleted file mode 100644
index 34b89d2b645c..000000000000
--- a/x11/swaylock/files/patch-pam.c
+++ /dev/null
@@ -1,46 +0,0 @@
-pam_unix(8) requires root priveleges to access master.passwd(5)
-but don't keep root for non-authentication activities.
-
---- pam.c.orig 2019-01-29 19:48:00 UTC
-+++ pam.c
-@@ -12,15 +12,40 @@
- static char *pw_buf = NULL;
- 
- void initialize_pw_backend(int argc, char **argv) {
-+#ifdef __linux__
- if (getuid() != geteuid() || getgid() != getegid()) {
- swaylock_log(LOG_ERROR,
- "swaylock is setuid, but was compiled with the PAM"
- " backend. Run 'chmod a-s %s' to fix. Aborting.", argv[0]);
- exit(EXIT_FAILURE);
- }
-+#else
-+ if (geteuid() != 0) {
-+ swaylock_log(LOG_ERROR,
-+ "swaylock needs to be setuid for pam_unix(8) to read /etc/master.passwd");
-+ exit(EXIT_FAILURE);
-+ }
-+#endif
-+
- if (!spawn_comm_child()) {
- exit(EXIT_FAILURE);
- }
-+
-+#ifndef __linux__
-+ if (setgid(getgid()) != 0) {
-+ swaylock_log_errno(LOG_ERROR, "Unable to drop root");
-+ exit(EXIT_FAILURE);
-+ }
-+ if (setuid(getuid()) != 0) {
-+ swaylock_log_errno(LOG_ERROR, "Unable to drop root");
-+ exit(EXIT_FAILURE);
-+ }
-+ if (setuid(0) != -1) {
-+ swaylock_log_errno(LOG_ERROR, "Unable to drop root (we shouldn't be "
-+ "able to restore it after setuid)");
-+ exit(EXIT_FAILURE);
-+ }
-+#endif
- }
- 
- static int handle_conversation(int num_msg, const struct pam_message **msg,
diff --git a/x11/swaylock/files/patch-pam_swaylock b/x11/swaylock/files/patch-pam_swaylock
index 8388acd8a579..19908bfed564 100644
--- a/x11/swaylock/files/patch-pam_swaylock
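Review bot: The added `@${REINPLACE_CMD} -e 's,/usr/local,${LOCALBASE},'` over `${WRKSRC}/pam/${PORTNAME}` has no way to tell whether it matched anything: the only reason that file contains `/usr/local` is that files/patch-pam_swaylock writes it there, so if that patch is later edited to spell the path differently the sed becomes a silent no-op and a non-default LOCALBASE ends up with a pam_exec line pointing at a helper that does not exist, which (given the `auth include system` fallback and pam_unix's need for root, per the patch's own header) means every unlock attempt is refused. The usual ports idiom makes a missed substitution visible: put a literal `%%LOCALBASE%%` in the patch and change the sed to `s,%%LOCALBASE%%,${LOCALBASE},`, so a stale patch leaves an obvious placeholder in the installed file rather than a plausible wrong path. The post-patch target begins before this hunk, so any earlier REINPLACE calls it makes are not visible here.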
+++ b/x11/swaylock/files/patch-pam_swaylock
@@ -1,9 +1,12 @@
 "login" has "auth sufficient pam_self.so" but a screen locker is
 supposed to ask for password regardless.
 
+pam_unix(8) requires root priveleges to access master.passwd(5),
+so try authenticating via setuid helper first.
+
 --- pam/swaylock.orig 2019-01-29 19:48:00 UTC
 +++ pam/swaylock
-@@ -1,6 +1,6 @@
+@@ -1,6 +1,7 @@
 #
 -# PAM configuration file for the swaylock screen locker. By default, it includes
 -# the 'login' configuration file (see /etc/pam.d/login)
@@ -12,4 +15,5 @@ supposed to ask for password regardless.
 #
 -auth include login
++auth sufficient pam_exec.so return_prog_exit_status expose_authtok /usr/local/libexec/unix-selfauth-helper
 +auth include system
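Review bot: The new `auth sufficient pam_exec.so return_prog_exit_status expose_authtok /usr/local/libexec/unix-selfauth-helper` line turns the helper's exit status into the whole unlock decision for local accounts, but the header added above it only says "try authenticating via setuid helper first" and leaves the failure path undocumented: the following `auth include system` is the sole fallback, and since the same header states that pam_unix(8) needs root to read master.passwd(5), a helper that is missing or rejects the password should end in denial rather than in the old setuid behaviour. I would add to the patch header: `If the helper is absent or fails, "system" is consulted next; without root its pam_unix(8) cannot verify local passwords, so a broken helper locks users out (fail-closed) rather than letting them in.` It is also worth stating that `expose_authtok` feeds the typed password to the helper on stdin and that `return_prog_exit_status` maps the helper's exit code straight to a PAM result, so any wrapper, `debug` flag or logging added around that program would expose the secret or widen the success condition. The absolute `/usr/local` prefix is rewritten to LOCALBASE by the post-patch sed in x11/swaylock/Makefile in this same commit, which a reader of the patch alone cannot see; a one-line `# path is rewritten to ${LOCALBASE} by post-patch` in the header would close that gap.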