git: 1a6e018f6243 - main - x11/swaylock: drop setuid bit via unix-selfauth-helper

From: Jan Beich <jbeich_at_FreeBSD.org>
Date: Tue, 28 Jun 2022 20:02:19 UTC
The branch main has been updated by jbeich:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1a6e018f624361ab51af5ba7d46d89ab42a243f2

commit 1a6e018f624361ab51af5ba7d46d89ab42a243f2
Author:     Jan Beich <jbeich@FreeBSD.org>
AuthorDate: 2022-06-28 19:37:40 +0000
Commit:     Jan Beich <jbeich@FreeBSD.org>
CommitDate: 2022-06-28 20:01:35 +0000

    x11/swaylock: drop setuid bit via unix-selfauth-helper
---
 x11/swaylock-effects/Makefile         |  2 +-
 x11/swaylock/Makefile                 | 11 ++++-----
 x11/swaylock/files/patch-pam.c        | 46 -----------------------------------
 x11/swaylock/files/patch-pam_swaylock |  6 ++++-
 4 files changed, 11 insertions(+), 54 deletions(-)

diff --git a/x11/swaylock-effects/Makefile b/x11/swaylock-effects/Makefile
index 5d76bdbec325..93744db36d78 100644
--- a/x11/swaylock-effects/Makefile
+++ b/x11/swaylock-effects/Makefile
@@ -1,6 +1,6 @@
 DISTVERSIONPREFIX=	v
 DISTVERSION=	1.6-3
-PORTREVISION=	1
+PORTREVISION=	2
 PKGNAMESUFFIX=	-effects
 
 PATCH_SITES=	https://github.com/${GH_ACCOUNT}/${GH_PROJECT}/commit/
diff --git a/x11/swaylock/Makefile b/x11/swaylock/Makefile
index aeacbd6aadc5..d4930274a707 100644
--- a/x11/swaylock/Makefile
+++ b/x11/swaylock/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	swaylock
 DISTVERSION?=	1.6
-PORTREVISION?=	0
+PORTREVISION?=	1
 CATEGORIES=	x11
 
 MAINTAINER=	jbeich@FreeBSD.org
@@ -12,6 +12,7 @@ LICENSE_FILE=	${WRKSRC}/LICENSE
 BUILD_DEPENDS=	wayland-protocols>=1.25:graphics/wayland-protocols
 LIB_DEPENDS=	libwayland-client.so:graphics/wayland \
 		libxkbcommon.so:x11/libxkbcommon
+RUN_DEPENDS=	unix-selfauth-helper>0:security/unix-selfauth-helper
 
 CONFLICTS_INSTALL=	${PORTNAME}-*
 
@@ -26,11 +27,6 @@ PLIST_FILES=	bin/${PORTNAME} \
 		share/fish/vendor_completions.d/${PORTNAME}.fish \
 		share/zsh/site-functions/_${PORTNAME}
 
-# https://reviews.freebsd.org/D34321
-.if !exists(/usr/libexec/pam_unix-helper)
-PLIST_FILES:=	"@(,,4755) "${PLIST_FILES}
-.endif
-
 OPTIONS_DEFINE=	MANPAGES PIXBUF
 OPTIONS_DEFAULT=MANPAGES PIXBUF
 
@@ -46,5 +42,8 @@ post-patch:
 	@${REINPLACE_CMD} -i .nogit -e 's/git.found()/false/' \
 		-e '/project_version/s/@0@/${DISTVERSIONFULL}/' \
 		${WRKSRC}/meson.build
+# Respect LOCALBASE for unix-selfauth-helper
+	@${REINPLACE_CMD} -e 's,/usr/local,${LOCALBASE},' \
+		${WRKSRC}/pam/${PORTNAME}
 
 .include <bsd.port.mk>
diff --git a/x11/swaylock/files/patch-pam.c b/x11/swaylock/files/patch-pam.c
deleted file mode 100644
index 34b89d2b645c..000000000000
--- a/x11/swaylock/files/patch-pam.c
+++ /dev/null
@@ -1,46 +0,0 @@
-pam_unix(8) requires root priveleges to access master.passwd(5)
-but don't keep root for non-authentication activities.
-
---- pam.c.orig	2019-01-29 19:48:00 UTC
-+++ pam.c
-@@ -12,15 +12,40 @@
- static char *pw_buf = NULL;
- 
- void initialize_pw_backend(int argc, char **argv) {
-+#ifdef __linux__
- 	if (getuid() != geteuid() || getgid() != getegid()) {
- 		swaylock_log(LOG_ERROR,
- 			"swaylock is setuid, but was compiled with the PAM"
- 			" backend. Run 'chmod a-s %s' to fix. Aborting.", argv[0]);
- 		exit(EXIT_FAILURE);
- 	}
-+#else
-+	if (geteuid() != 0) {
-+		swaylock_log(LOG_ERROR,
-+				"swaylock needs to be setuid for pam_unix(8) to read /etc/master.passwd");
-+		exit(EXIT_FAILURE);
-+	}
-+#endif
-+
- 	if (!spawn_comm_child()) {
- 		exit(EXIT_FAILURE);
- 	}
-+
-+#ifndef __linux__
-+	if (setgid(getgid()) != 0) {
-+		swaylock_log_errno(LOG_ERROR, "Unable to drop root");
-+		exit(EXIT_FAILURE);
-+	}
-+	if (setuid(getuid()) != 0) {
-+		swaylock_log_errno(LOG_ERROR, "Unable to drop root");
-+		exit(EXIT_FAILURE);
-+	}
-+	if (setuid(0) != -1) {
-+		swaylock_log_errno(LOG_ERROR, "Unable to drop root (we shouldn't be "
-+			"able to restore it after setuid)");
-+		exit(EXIT_FAILURE);
-+	}
-+#endif
- }
- 
- static int handle_conversation(int num_msg, const struct pam_message **msg,
diff --git a/x11/swaylock/files/patch-pam_swaylock b/x11/swaylock/files/patch-pam_swaylock
index 8388acd8a579..19908bfed564 100644
--- a/x11/swaylock/files/patch-pam_swaylock
+++ b/x11/swaylock/files/patch-pam_swaylock
@@ -1,9 +1,12 @@
 "login" has "auth sufficient pam_self.so" but a screen locker is
 supposed to ask for password regardless.
 
+pam_unix(8) requires root priveleges to access master.passwd(5),
+so try authenticating via setuid helper first.
+
 --- pam/swaylock.orig	2019-01-29 19:48:00 UTC
 +++ pam/swaylock
-@@ -1,6 +1,6 @@
+@@ -1,6 +1,7 @@
  #
 -# PAM configuration file for the swaylock screen locker. By default, it includes
 -# the 'login' configuration file (see /etc/pam.d/login)
@@ -12,4 +15,5 @@ supposed to ask for password regardless.
  #
  
 -auth include login
++auth sufficient pam_exec.so return_prog_exit_status expose_authtok /usr/local/libexec/unix-selfauth-helper
 +auth include system