Date: Tue, 28 Jun 2022 20:02:19 GMT
Message-Id: <202206282002.25SK2JPS017122@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Jan Beich
Subject: git: 1a6e018f6243 - main - x11/swaylock: drop setuid bit via unix-selfauth-helper
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
X-Git-Committer: jbeich
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 1a6e018f624361ab51af5ba7d46d89ab42a243f2
Auto-Submitted: auto-generated

The branch main has been updated by jbeich:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=1a6e018f624361ab51af5ba7d46d89ab42a243f2 commit 1a6e018f624361ab51af5ba7d46d89ab42a243f2 Author: Jan Beich AuthorDate: 2022-06-28 19:37:40 +0000 Commit: Jan Beich CommitDate: 2022-06-28 20:01:35 +0000 x11/swaylock: drop setuid bit via unix-selfauth-helper --- x11/swaylock-effects/Makefile | 2 +- x11/swaylock/Makefile | 11 ++++----- x11/swaylock/files/patch-pam.c | 46 ----------------------------------- x11/swaylock/files/patch-pam_swaylock | 6 ++++- 4 files changed, 11 insertions(+), 54 deletions(-) diff --git a/x11/swaylock-effects/Makefile b/x11/swaylock-effects/Makefile index 5d76bdbec325..93744db36d78 100644 --- a/x11/swaylock-effects/Makefile +++ b/x11/swaylock-effects/Makefile @@ -1,6 +1,6 @@ DISTVERSIONPREFIX= v DISTVERSION= 1.6-3 -PORTREVISION= 1 +PORTREVISION= 2 PKGNAMESUFFIX= -effects PATCH_SITES= https://github.com/${GH_ACCOUNT}/${GH_PROJECT}/commit/ diff --git a/x11/swaylock/Makefile b/x11/swaylock/Makefile index aeacbd6aadc5..d4930274a707 100644 --- a/x11/swaylock/Makefile +++ b/x11/swaylock/Makefile @@ -1,6 +1,6 @@ PORTNAME= swaylock DISTVERSION?= 1.6 -PORTREVISION?= 0 +PORTREVISION?= 1 CATEGORIES= x11 MAINTAINER= jbeich@FreeBSD.org @@ -12,6 +12,7 @@ LICENSE_FILE= ${WRKSRC}/LICENSE BUILD_DEPENDS= wayland-protocols>=1.25:graphics/wayland-protocols LIB_DEPENDS= libwayland-client.so:graphics/wayland \ libxkbcommon.so:x11/libxkbcommon +RUN_DEPENDS= unix-selfauth-helper>0:security/unix-selfauth-helper CONFLICTS_INSTALL= ${PORTNAME}-* @@ -26,11 +27,6 @@ PLIST_FILES= bin/${PORTNAME} \ share/fish/vendor_completions.d/${PORTNAME}.fish \ share/zsh/site-functions/_${PORTNAME} -# https://reviews.freebsd.org/D34321 -.if !exists(/usr/libexec/pam_unix-helper) -PLIST_FILES:= "@(,,4755) "${PLIST_FILES} -.endif - OPTIONS_DEFINE= MANPAGES PIXBUF OPTIONS_DEFAULT=MANPAGES PIXBUF 
@@ -46,5 +42,8 @@ post-patch: @${REINPLACE_CMD} -i .nogit -e 's/git.found()/false/' \ -e '/project_version/s/@0@/${DISTVERSIONFULL}/' \ ${WRKSRC}/meson.build +# Respect LOCALBASE for unix-selfauth-helper + @${REINPLACE_CMD} -e 's,/usr/local,${LOCALBASE},' \ + ${WRKSRC}/pam/${PORTNAME} .include diff --git a/x11/swaylock/files/patch-pam.c b/x11/swaylock/files/patch-pam.c deleted file mode 100644 index 34b89d2b645c..000000000000 --- a/x11/swaylock/files/patch-pam.c +++ /dev/null @@ -1,46 +0,0 @@ -pam_unix(8) requires root priveleges to access master.passwd(5) -but don't keep root for non-authentication activities. - ---- pam.c.orig 2019-01-29 19:48:00 UTC -+++ pam.c -@@ -12,15 +12,40 @@ - static char *pw_buf = NULL; - - void initialize_pw_backend(int argc, char **argv) { -+#ifdef __linux__ - if (getuid() != geteuid() || getgid() != getegid()) { - swaylock_log(LOG_ERROR, - "swaylock is setuid, but was compiled with the PAM" - " backend. Run 'chmod a-s %s' to fix. Aborting.", argv[0]); - exit(EXIT_FAILURE); - } -+#else -+ if (geteuid() != 0) { -+ swaylock_log(LOG_ERROR, -+ "swaylock needs to be setuid for pam_unix(8) to read /etc/master.passwd"); -+ exit(EXIT_FAILURE); -+ } -+#endif -+ - if (!spawn_comm_child()) { - exit(EXIT_FAILURE); - } -+ -+#ifndef __linux__ -+ if (setgid(getgid()) != 0) { -+ swaylock_log_errno(LOG_ERROR, "Unable to drop root"); -+ exit(EXIT_FAILURE); -+ } -+ if (setuid(getuid()) != 0) { -+ swaylock_log_errno(LOG_ERROR, "Unable to drop root"); -+ exit(EXIT_FAILURE); -+ } -+ if (setuid(0) != -1) { -+ swaylock_log_errno(LOG_ERROR, "Unable to drop root (we shouldn't be " -+ "able to restore it after setuid)"); -+ exit(EXIT_FAILURE); -+ } -+#endif - } - - static int handle_conversation(int num_msg, const struct pam_message **msg, diff --git a/x11/swaylock/files/patch-pam_swaylock b/x11/swaylock/files/patch-pam_swaylock index 8388acd8a579..19908bfed564 100644 --- a/x11/swaylock/files/patch-pam_swaylock +++ b/x11/swaylock/files/patch-pam_swaylock 
@@ -1,9 +1,12 @@ "login" has "auth sufficient pam_self.so" but a screen locker is supposed to ask for password regardless. +pam_unix(8) requires root priveleges to access master.passwd(5), +so try authenticating via setuid helper first. + --- pam/swaylock.orig 2019-01-29 19:48:00 UTC +++ pam/swaylock -@@ -1,6 +1,6 @@ +@@ -1,6 +1,7 @@ # -# PAM configuration file for the swaylock screen locker. By default, it includes -# the 'login' configuration file (see /etc/pam.d/login) @@ -12,4 +15,5 @@ supposed to ask for password regardless. # -auth include login ++auth sufficient pam_exec.so return_prog_exit_status expose_authtok /usr/local/libexec/unix-selfauth-helper +auth include system
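Review bot: in the x11/swaylock/Makefile hunks, the new "RUN_DEPENDS= unix-selfauth-helper>0:security/unix-selfauth-helper" is unconditional while the removed ".if !exists(/usr/libexec/pam_unix-helper)" block only set the 4755 mode when the base-system helper from D34321 was absent, so the port now always pulls in the ports helper and never installs bin/swaylock setuid, which is the intended privilege reduction; the hunk drops the D34321 pointer together with the block, though, so a one-line comment next to RUN_DEPENDS saying why a non-root screen locker needs a separate setuid helper would keep that rationale in the Makefile rather than only in files/patch-pam_swaylock.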
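Review bot: in the post-patch hunk, the substitution "s,/usr/local,${LOCALBASE}," applied to ${WRKSRC}/pam/${PORTNAME} is unanchored, so it rewrites every /usr/local in that file rather than only the /usr/local/libexec/unix-selfauth-helper path that files/patch-pam_swaylock adds; that is harmless while it is the only occurrence, but matching on "/usr/local/libexec/unix-selfauth-helper" would keep an unrelated future line in the PAM file from being rewritten by accident. The "Respect LOCALBASE" comment could also say that the path is introduced by the patch file first (which cannot expand ${LOCALBASE}) and fixed up here afterwards, since that ordering is why the hard-coded prefix is acceptable.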
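Review bot: deleting files/patch-pam.c restores upstream's "getuid() != geteuid() || getgid() != getegid()" check on every platform, so swaylock now aborts with "swaylock is setuid ... Run 'chmod a-s %s' to fix" instead of requiring root as the non-Linux branch of the old patch did; that is consistent with the plist no longer setting 4755, and the explicit drop (setgid/setuid followed by the "setuid(0) != -1" re-escalation check) is no longer needed because the process never holds root. The commit message should state that a setuid bin/swaylock is now a hard error rather than a supported mode, since a copy that was chmod 4755 by hand will refuse to start until the bit is cleared.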
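Review bot: in the patch-pam_swaylock hunk, the added "auth sufficient pam_exec.so return_prog_exit_status expose_authtok /usr/local/libexec/unix-selfauth-helper" line sits ahead of "auth include system", so a success from the helper ends the auth stack and a failure falls through to the system chain; because swaylock no longer runs as root, pam_unix in that chain cannot read master.passwd(5) (as the description itself notes), so the fallthrough only succeeds if system is configured with some other backend, and the description should say that rather than letting "try authenticating via setuid helper first" suggest a working second attempt. With expose_authtok the typed password is written to the helper's standard input, which makes the helper the only privileged component and the trust boundary for the locker; that deserves a sentence in the description as well. Minor: "priveleges" in the new description line should read "privileges", and the doubled "++auth" prefix is correct here because the line is being added to a patch file.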