git: b9050914a875 - main - i3lock: remove the setuid bit
Date: Wed, 12 Jul 2023 07:26:56 UTC
The branch main has been updated by bapt: URL: https://cgit.FreeBSD.org/ports/commit/?id=b9050914a87578a38b52ad197cbbb34574eb03e7 commit b9050914a87578a38b52ad197cbbb34574eb03e7 Author: Baptiste Daroussin <bapt@FreeBSD.org> AuthorDate: 2023-07-12 07:24:06 +0000 Commit: Baptiste Daroussin <bapt@FreeBSD.org> CommitDate: 2023-07-12 07:26:55 +0000 i3lock: remove the setuid bit Following swaylock example, by using unix-selfauth-helper and pam_exec we can avoid requiring setuid bit on i3lock. Reported by: Mateusz Kocielski <shm@digitalsun.pl> --- deskutils/i3lock/Makefile | 11 +++++++++-- deskutils/i3lock/files/i3lock.pam.in | 7 +++++++ 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/deskutils/i3lock/Makefile b/deskutils/i3lock/Makefile index 78a0426807db..a269e22cd3cc 100644 --- a/deskutils/i3lock/Makefile +++ b/deskutils/i3lock/Makefile @@ -1,5 +1,6 @@ PORTNAME= i3lock PORTVERSION= 2.13 +PORTREVISION= 1 CATEGORIES= deskutils x11 MASTER_SITES= http://i3wm.org/${PORTNAME}/ @@ -19,12 +20,17 @@ LIB_DEPENDS= libcairo.so:graphics/cairo \ libxcb-util.so:x11/xcb-util \ libxcb-xrm.so:x11/xcb-util-xrm +RUN_DEPENDS= unix-selfauth-helper>0:security/unix-selfauth-helper + MAKE_ARGS= PREFIX="${PREFIX}" X11LIB="${LOCALBASE}/lib" \ X11INC="${LOCALBASE}/include" CC="${CC}" \ MANDIR="${MANPREFIX}/man" -PLIST_FILES= "@(,,4755) bin/i3lock" \ - man/man1/i3lock.1.gz +PLIST_FILES= bin/i3lock \ + man/man1/i3lock.1.gz \ + etc/pam.d/i3lock + +SUB_FILES= i3lock.pam USES= gmake iconv localbase pkgconfig tar:bzip2 xorg LDFLAGS+= ${ICONV_LIB} @@ -41,6 +47,7 @@ OPTIONS_DEFINE= DOCS post-install: @${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/i3lock @${RM} ${STAGEDIR}${PREFIX}/etc/pam.d/i3lock + @${INSTALL_DATA} ${WRKDIR}/i3lock.pam ${STAGEDIR}${PREFIX}/etc/pam.d/i3lock post-install-DOCS-on: @${MKDIR} ${STAGEDIR}${DOCSDIR} diff --git a/deskutils/i3lock/files/i3lock.pam.in b/deskutils/i3lock/files/i3lock.pam.in new file mode 100644 index 000000000000..942be88359ac --- /dev/null 
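Review bot: Listing `etc/pam.d/i3lock` as a plain PLIST_FILES entry (second Makefile hunk) and installing it straight to its final path in post-install (third hunk) means a package upgrade replaces whatever policy the administrator has at that path. The port appears to have shipped no PAM file before this change (the old PLIST_FILES does not list one and the existing `@${RM}` line deletes the staged copy), so any file already present is a local one, possibly stricter than the packaged policy. Consider staging it as `etc/pam.d/i3lock.sample` and listing `"@sample etc/pam.d/i3lock.sample"` so that a modified copy is preserved. A short comment above RUN_DEPENDS, for example `# non-setuid i3lock authenticates through unix-selfauth-helper (see files/i3lock.pam.in)`, would record why the dependency is needed at run time.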
+++ b/deskutils/i3lock/files/i3lock.pam.in
@@ -0,0 +1,7 @@
+#
+# PAM configuration for the "i3lock" service. i3lock(1) only uses
+# auth facilities.
+#
+
+auth sufficient pam_exec.so return_prog_exit_status expose_authtok %%LOCALBASE%%/libexec/unix-selfauth-helper
+auth include system
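Review bot: The header comment of the new policy does not explain the first `auth` rule, which is the security-critical part of this change: with `expose_authtok` pam_exec writes the typed password to the helper's stdin, and with `return_prog_exit_status` the helper's exit code is taken as the PAM result. I would add a comment above it such as `# Password goes to unix-selfauth-helper on stdin; its exit status decides.` followed by `# On failure the system policy below is consulted.` Because the rule is `sufficient` and is followed by `auth include system`, any `sufficient` module enabled in the site's system policy (not visible here) can also unlock the screen, which is worth stating in the comment too. If the helper is missing or not executable the rule fails and the stack falls through to `system`; a non-setuid i3lock presumably cannot verify local passwords there, so the lock should fail closed, but that is worth confirming on a test install.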