aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--desktop/i3lock/i3lock-2.10-no-pam.patch (renamed from desktop/i3lock/i3lock-2.9.1-no-pam.patch)162
-rw-r--r--desktop/i3lock/i3lock.SlackBuild14
-rw-r--r--desktop/i3lock/i3lock.info6
3 files changed, 125 insertions, 57 deletions
diff --git a/desktop/i3lock/i3lock-2.9.1-no-pam.patch b/desktop/i3lock/i3lock-2.10-no-pam.patch
index fc3562776d03a..0b119114c595f 100644
--- a/desktop/i3lock/i3lock-2.9.1-no-pam.patch
+++ b/desktop/i3lock/i3lock-2.10-no-pam.patch
@@ -25,23 +25,16 @@
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+DEALINGS IN THE SOFTWARE.
+++ Makefile
-@@ -17,13 +17,12 @@
- CPPFLAGS += -D_GNU_SOURCE
- CFLAGS += $(shell $(PKG_CONFIG) --cflags cairo xcb-xinerama xcb-atom xcb-image xcb-xkb xkbcommon xkbcommon-x11)
- LIBS += $(shell $(PKG_CONFIG) --libs cairo xcb-xinerama xcb-atom xcb-image xcb-xkb xkbcommon xkbcommon-x11)
--LIBS += -lpam
- LIBS += -lev
- LIBS += -lm
+@@ -22,7 +22,7 @@
--# OpenBSD lacks PAM, use bsd_auth(3) instead.
-+# On OpenBSD we use bsd_auth(3) instead.
+ # OpenBSD lacks PAM, use bsd_auth(3) instead.
ifneq ($(UNAME),OpenBSD)
- LIBS += -lpam
+ LIBS += -lcrypt
endif
FILES:=$(wildcard *.c)
-@@ -51,9 +50,7 @@
+@@ -50,9 +50,7 @@
install: all
$(INSTALL) -d $(DESTDIR)$(PREFIX)/bin
@@ -51,7 +44,7 @@
uninstall:
rm -f $(DESTDIR)$(PREFIX)/bin/i3lock
-@@ -62,7 +59,7 @@
+@@ -61,7 +59,7 @@
[ ! -d i3lock-${VERSION} ] || rm -rf i3lock-${VERSION}
[ ! -e i3lock-${VERSION}.tar.bz2 ] || rm i3lock-${VERSION}.tar.bz2
mkdir i3lock-${VERSION}
@@ -101,7 +94,7 @@
#endif
#include <getopt.h>
#include <string.h>
-@@ -57,7 +59,7 @@
+@@ -59,7 +61,7 @@
xcb_window_t win;
static xcb_cursor_t cursor;
#ifndef __OpenBSD__
@@ -110,7 +103,7 @@
#endif
int input_position = 0;
/* Holds the password you enter (in UTF-8). */
-@@ -90,6 +92,37 @@
+@@ -93,6 +95,37 @@
bool ignore_empty_password = false;
bool skip_repeated_empty_password = false;
@@ -126,30 +119,30 @@
+static void
+dontkillme(void)
+{
-+ FILE *f;
-+ const char oomfile[] = "/proc/self/oom_score_adj";
++ FILE *f;
++ const char oomfile[] = "/proc/self/oom_score_adj";
+
-+ if (!(f = fopen(oomfile, "w"))) {
-+ if (errno == ENOENT)
-+ return;
-+ errx(EXIT_FAILURE, "fopen %s: %s", oomfile, strerror(errno));
-+ }
-+ fprintf(f, "%d", OOM_SCORE_ADJ_MIN);
-+ if (fclose(f)) {
-+ if (errno == EACCES)
-+ errx(EXIT_FAILURE, "unable to disable OOM killer. "
-+ "Make sure to suid or sgid i3lock.");
-+ else
-+ errx(EXIT_FAILURE, "fclose %s: %s", oomfile, strerror(errno));
-+ }
++ if (!(f = fopen(oomfile, "w"))) {
++ if (errno == ENOENT)
++ return;
++ errx(EXIT_FAILURE, "fopen %s: %s", oomfile, strerror(errno));
++ }
++ fprintf(f, "%d", OOM_SCORE_ADJ_MIN);
++ if (fclose(f)) {
++ if (errno == EACCES)
++ errx(EXIT_FAILURE, "unable to disable OOM killer. "
++ "Make sure to suid or sgid i3lock.");
++ else
++ errx(EXIT_FAILURE, "fclose %s: %s", oomfile, strerror(errno));
++ }
+}
+#endif
+
/* isutf, u8_dec © 2005 Jeff Bezanson, public domain */
#define isutf(c) (((c)&0xC0) != 0x80)
-@@ -281,16 +314,16 @@
- exit(0);
+@@ -285,16 +318,16 @@
+ return;
}
#else
- if (pam_authenticate(pam_handle, 0) == PAM_SUCCESS) {
@@ -172,8 +165,8 @@
+ DEBUG("successfully authenticated");
+ clear_password_memory();
- exit(0);
- }
+ ev_break(EV_DEFAULT, EVBREAK_ALL);
+ return;
@@ -626,39 +659,6 @@
redraw_screen();
}
@@ -214,18 +207,40 @@
/*
* This callback is only a dummy, see xcb_prepare_cb and xcb_check_cb.
* See also man libev(3): "ev_prepare" and "ev_check" - customise your event loop
-@@ -813,10 +813,6 @@
- struct passwd *pw;
+@@ -766,13 +766,15 @@
+ *
+ */
+ static void raise_loop(xcb_window_t window) {
+- xcb_connection_t *conn;
+ xcb_generic_event_t *event;
+- int screens;
+
+- if ((conn = xcb_connect(NULL, &screens)) == NULL ||
++#ifdef __OpenBSD__
++ xcb_connection_t *conn;
++
++ if ((conn = xcb_connect(NULL, NULL)) == NULL ||
+ xcb_connection_has_error(conn))
+ errx(EXIT_FAILURE, "Cannot open display\n");
++#endif
+
+ /* We need to know about the window being obscured or getting destroyed. */
+ xcb_change_window_attributes(conn, window, XCB_CW_EVENT_MASK,
+@@ -820,8 +822,11 @@
char *username;
char *image_path = NULL;
--#ifndef __OpenBSD__
+ #ifndef __OpenBSD__
- int ret;
- struct pam_conv conv = {conv_callback, NULL};
--#endif
++ struct passwd *pwd;
++ struct group *grp;
++ uid_t duid;
++ gid_t dgid;
++ xcb_connection_t *raise_conn;
+ #endif
int curs_choice = CURS_NONE;
int o;
- int optind = 0;
-@@ -842,6 +838,48 @@
+@@ -848,6 +853,65 @@
if ((username = pw->pw_name) == NULL)
errx(EXIT_FAILURE, "pw->pw_name is NULL.\n");
@@ -235,15 +250,24 @@
+ *
+ * Slock has code to make it run as nobody:nogroup, which has the added
+ * security that the locker can only be killed by root.
-+ * It causes problems with the xcb_connect in raise_loop, however,
-+ * and I'm not aware of any other methods to keep the calling user from
-+ * killing the locker.
-+ * This means that a malicious program running as your user
-+ * could easily bypass your locker by killing it.
-+ * However, if such a program even manages to be running, you're pretty
-+ * screwed regardless.
++ * It causes problems with the xcb_connect in raise_loop, and the main
++ * xcb_connect, however.
++ * Because of that, both xcb_connect are ran as root, before dropping the
++ * privileges to the user, much like is being done with XOpenDisplay
++ * in slock.
++ * I'm unsure of any security implications that may have, as it seems to
++ * run fine, otherwise.
++ * Please contact me if it's something I _really_ shouldn't do.
+ */
+
++ /* If the nobody:nogroup don't exist, just use the password's user */
++ duid = pw->pw_uid;
++ if ((pwd = getpwnam("nobody")))
++ duid = pwd->pw_uid;
++ dgid = pw->pw_gid;
++ if ((grp = getgrnam("nogroup")))
++ dgid = grp->gr_gid;
++
+#ifdef __linux__
+ dontkillme();
+#endif
@@ -262,19 +286,27 @@
+ if (!crypt("", hash))
+ errx(EXIT_FAILURE, "crypt: %s", strerror(errno));
+
++ /* Create the necessary connections before dropping privileges */
++ if ((conn = xcb_connect(NULL, NULL)) == NULL ||
++ xcb_connection_has_error(conn))
++ errx(EXIT_FAILURE, "Could not connect to X11, maybe you need to set DISPLAY?");
++ if ((raise_conn = xcb_connect(NULL, NULL)) == NULL ||
++ xcb_connection_has_error(raise_conn))
++ errx(EXIT_FAILURE, "Cannot open display\n");
++
+ /* drop privileges */
+ if (setgroups(0, NULL) < 0)
+ errx(EXIT_FAILURE, "setgroups: %s", strerror(errno));
-+ if (setgid(pw->pw_gid) < 0)
++ if (setgid(dgid) < 0)
+ errx(EXIT_FAILURE, "setgid: %s", strerror(errno));
-+ if (setuid(pw->pw_uid) < 0)
++ if (setuid(duid) < 0)
+ errx(EXIT_FAILURE, "setuid: %s", strerror(errno));
+#endif
+
char *optstring = "hvnbdc:p:ui:teI:f";
- while ((o = getopt_long(argc, argv, optstring, longopts, &optind)) != -1) {
+ while ((o = getopt_long(argc, argv, optstring, longopts, &longoptind)) != -1) {
switch (o) {
-@@ -910,15 +948,6 @@
+@@ -916,15 +980,6 @@
* the unlock indicator upon keypresses. */
srand(time(NULL));
@@ -290,6 +322,38 @@
/* Using mlock() as non-super-user seems only possible in Linux.
* Users of other operating systems should use encrypted swap/no swap
* (or remove the ifdef and run i3lock as super-user).
+@@ -938,11 +993,12 @@
+ err(EXIT_FAILURE, "Could not lock page in memory, check RLIMIT_MEMLOCK");
+ #endif
+
++#ifdef __OpenBSD__
+ /* Double checking that connection is good and operatable with xcb */
+- int screennr;
+- if ((conn = xcb_connect(NULL, &screennr)) == NULL ||
++ if ((conn = xcb_connect(NULL, NULL)) == NULL ||
+ xcb_connection_has_error(conn))
+ errx(EXIT_FAILURE, "Could not connect to X11, maybe you need to set DISPLAY?");
++#endif
+
+ if (xkb_x11_setup_xkb_extension(conn,
+ XKB_X11_MIN_MAJOR_XKB_VERSION,
+@@ -1056,10 +1112,16 @@
+ if (pid == 0) {
+ /* Child */
+ close(xcb_get_file_descriptor(conn));
++#ifndef __OpenBSD__
++ conn = raise_conn;
++#endif
+ maybe_close_sleep_lock_fd();
+ raise_loop(win);
+ exit(EXIT_SUCCESS);
+ }
++#ifndef __OpenBSD__
++ close(xcb_get_file_descriptor(raise_conn));
++#endif
+
+ /* Load the keymap again to sync the current modifier state. Since we first
+ * loaded the keymap, there might have been changes, but starting from now,
+++ i3lock.pam
@@ -1,6 +0,0 @@
-#
diff --git a/desktop/i3lock/i3lock.SlackBuild b/desktop/i3lock/i3lock.SlackBuild
index 5fa35477e646d..9993dee116103 100644
--- a/desktop/i3lock/i3lock.SlackBuild
+++ b/desktop/i3lock/i3lock.SlackBuild
@@ -23,7 +23,7 @@
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
PRGNAM=i3lock
-VERSION=${VERSION:-2.9.1}
+VERSION=${VERSION:-2.10}
BUILD=${BUILD:-1}
TAG=${TAG:-_SBo}
@@ -71,15 +71,19 @@ find -L . \
# This patch removes all the PAM-related code,
# and checks the password against shadow instead.
-patch -p0 -i $CWD/i3lock-2.9.1-no-pam.patch
+patch -p0 -i $CWD/i3lock-2.10-no-pam.patch
make install DESTDIR=$PKG
# i3lock needs setuid to make sure it isn't killed by the kernel and to read shadow.
# Don't worry, the privileges are dropped really soon after starting
-# and everything else runs as your user.
-chown root:shadow $PKG/usr/bin/i3lock
-chmod 4755 $PKG/usr/bin/i3lock
+# and everything else runs without privileges.
+chown 0.0 $PKG/usr/bin/i3lock
+chmod 4751 $PKG/usr/bin/i3lock
+# We need setuid to set the out of memory score, and drop permissions once done.
+# This makes the program's init slightly more insecure, since we'd only need
+# setgid to change the group to shadow to read the password, otherwise.
+# In fact, both Slackware's xlock and xscreensaver use (root.shadow 2751) as permissions.
find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | grep ELF \
| cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
diff --git a/desktop/i3lock/i3lock.info b/desktop/i3lock/i3lock.info
index 7c1ec8ee420d7..a8d35e91c425f 100644
--- a/desktop/i3lock/i3lock.info
+++ b/desktop/i3lock/i3lock.info
@@ -1,8 +1,8 @@
PRGNAM="i3lock"
-VERSION="2.9.1"
+VERSION="2.10"
HOMEPAGE="https://i3wm.org/i3lock/"
-DOWNLOAD="https://i3wm.org/i3lock/i3lock-2.9.1.tar.bz2"
-MD5SUM="2983fff62236d54687dc7d51a6895edb"
+DOWNLOAD="https://i3wm.org/i3lock/i3lock-2.10.tar.bz2"
+MD5SUM="a496ec274c2f75bbefaa088c4d18ec85"
DOWNLOAD_x86_64=""
MD5SUM_x86_64=""
REQUIRES="libev libxkbcommon"