diff options
-rw-r--r-- | desktop/i3lock/README | 6 | ||||
-rw-r--r-- | desktop/i3lock/i3lock-2.10-no-pam.patch | 364 | ||||
-rw-r--r-- | desktop/i3lock/i3lock.SlackBuild | 16 | ||||
-rw-r--r-- | desktop/i3lock/i3lock.info | 8 |
4 files changed, 12 insertions, 382 deletions
diff --git a/desktop/i3lock/README b/desktop/i3lock/README index 7f1042d03164b..244dbff8ebdba 100644 --- a/desktop/i3lock/README +++ b/desktop/i3lock/README @@ -1,7 +1 @@ i3lock is a simple screen locker like slock. - -This SlackBuild patches i3lock to not to use PAM, and is as such -usable in Slackware. For verifying the password it uses shadow -instead. Because of that, it needs suid permissions, but those -privileges are dropped as soon as possible. The code for this was -taken from slock. See the patch and LICENSE-slock. diff --git a/desktop/i3lock/i3lock-2.10-no-pam.patch b/desktop/i3lock/i3lock-2.10-no-pam.patch deleted file mode 100644 index 0b119114c595f..0000000000000 --- a/desktop/i3lock/i3lock-2.10-no-pam.patch +++ /dev/null @@ -1,364 +0,0 @@ -+++ LICENSE-slock -@@ -0,0 +1,24 @@ -+MIT/X Consortium License -+ -+© 2015-2016 Markus Teich <markus.teich@stusta.mhn.de> -+© 2014 Dimitris Papastamos <sin@2f30.org> -+© 2006-2014 Anselm R Garbe <anselm@garbe.us> -+© 2014-2016 Laslo Hunhold <dev@frign.de> -+ -+Permission is hereby granted, free of charge, to any person obtaining a -+copy of this software and associated documentation files (the "Software"), -+to deal in the Software without restriction, including without limitation -+the rights to use, copy, modify, merge, publish, distribute, sublicense, -+and/or sell copies of the Software, and to permit persons to whom the -+Software is furnished to do so, subject to the following conditions: -+ -+The above copyright notice and this permission notice shall be included in -+all copies or substantial portions of the Software. -+ -+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -+THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING -+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER -+DEALINGS IN THE SOFTWARE. -+++ Makefile -@@ -22,7 +22,7 @@ - - # OpenBSD lacks PAM, use bsd_auth(3) instead. - ifneq ($(UNAME),OpenBSD) -- LIBS += -lpam -+ LIBS += -lcrypt - endif - - FILES:=$(wildcard *.c) -@@ -50,9 +50,7 @@ - - install: all - $(INSTALL) -d $(DESTDIR)$(PREFIX)/bin -- $(INSTALL) -d $(DESTDIR)$(SYSCONFDIR)/pam.d - $(INSTALL) -m 755 i3lock $(DESTDIR)$(PREFIX)/bin/i3lock -- $(INSTALL) -m 644 i3lock.pam $(DESTDIR)$(SYSCONFDIR)/pam.d/i3lock - - uninstall: - rm -f $(DESTDIR)$(PREFIX)/bin/i3lock -@@ -61,7 +59,7 @@ - [ ! -d i3lock-${VERSION} ] || rm -rf i3lock-${VERSION} - [ ! -e i3lock-${VERSION}.tar.bz2 ] || rm i3lock-${VERSION}.tar.bz2 - mkdir i3lock-${VERSION} -- cp *.c *.h i3lock.1 i3lock.pam Makefile LICENSE README.md CHANGELOG i3lock-${VERSION} -+ cp *.c *.h i3lock.1 Makefile LICENSE README.md CHANGELOG i3lock-${VERSION} - sed -e 's/^\s*I3LOCK_VERSION:=\(.*\)/I3LOCK_VERSION:=$(shell /bin/echo '${I3LOCK_VERSION}' | sed 's/\\/\\\\/g')/g;s/^VERSION:=\(.*\)/VERSION:=${VERSION}/g' Makefile > i3lock-${VERSION}/Makefile - tar cfj i3lock-${VERSION}.tar.bz2 i3lock-${VERSION} - rm -rf i3lock-${VERSION} -+++ i3lock.1 -@@ -43,8 +43,6 @@ - You can specify either a background color or a PNG image which will be displayed while your screen is locked. - .IP \[bu] - You can specify whether i3lock should bell upon a wrong password. --.IP \[bu] --i3lock uses PAM and therefore is compatible with LDAP, etc. - - - .SH OPTIONS -@@ -66,8 +64,7 @@ - .B \-u, \-\-no-unlock-indicator - Disable the unlock indicator. i3lock will by default show an unlock indicator - after pressing keys. This will give feedback for every keypress and it will --show you the current PAM state (whether your password is currently being --verified or whether it is wrong). -+show you whether your password is currently being verified or whether it is wrong. - - .TP - .BI \-i\ path \fR,\ \fB\-\-image= path -@@ -95,7 +92,7 @@ - .TP - .B \-e, \-\-ignore-empty-password - When an empty password is provided by the user, do not validate --it. Without this option, the empty password will be provided to PAM -+it. Without this option, the empty password will be validated - and, if invalid, the user will have to wait a few seconds before - another try. This can be useful if the XF86ScreenSaver key is used to - put a laptop to sleep and bounce on resume or if you happen to wake up -+++ i3lock.c -@@ -21,7 +21,9 @@ - #ifdef __OpenBSD__ - #include <bsd_auth.h> - #else --#include <security/pam_appl.h> -+#include <shadow.h> -+#include <grp.h> -+#include <errno.h> - #endif - #include <getopt.h> - #include <string.h> -@@ -59,7 +61,7 @@ - xcb_window_t win; - static xcb_cursor_t cursor; - #ifndef __OpenBSD__ --static pam_handle_t *pam_handle; -+const char *hash = NULL; - #endif - int input_position = 0; - /* Holds the password you enter (in UTF-8). */ -@@ -93,6 +95,37 @@ - bool ignore_empty_password = false; - bool skip_repeated_empty_password = false; - -+/* -+ * Shamelessly stolen from slock. See LICENSE-slock. -+ * This adjusts the process' out of memory score, -+ * so it isn't killed by the kernel under any circumstances. -+ */ -+#ifdef __linux__ -+#include <fcntl.h> -+#include <linux/oom.h> -+ -+static void -+dontkillme(void) -+{ -+ FILE *f; -+ const char oomfile[] = "/proc/self/oom_score_adj"; -+ -+ if (!(f = fopen(oomfile, "w"))) { -+ if (errno == ENOENT) -+ return; -+ errx(EXIT_FAILURE, "fopen %s: %s", oomfile, strerror(errno)); -+ } -+ fprintf(f, "%d", OOM_SCORE_ADJ_MIN); -+ if (fclose(f)) { -+ if (errno == EACCES) -+ errx(EXIT_FAILURE, "unable to disable OOM killer. " -+ "Make sure to suid or sgid i3lock."); -+ else -+ errx(EXIT_FAILURE, "fclose %s: %s", oomfile, strerror(errno)); -+ } -+} -+#endif -+ - /* isutf, u8_dec © 2005 Jeff Bezanson, public domain */ - #define isutf(c) (((c)&0xC0) != 0x80) - -@@ -285,16 +318,16 @@ - return; - } - #else -- if (pam_authenticate(pam_handle, 0) == PAM_SUCCESS) { -- DEBUG("successfully authenticated\n"); -- clear_password_memory(); -+ /* -+ * Shamelessly stolen from slock. See LICENSE-slock. -+ */ -+ char *inputhash; - -- /* PAM credentials should be refreshed, this will for example update any kerberos tickets. -- * Related to credentials pam_end() needs to be called to cleanup any temporary -- * credentials like kerberos /tmp/krb5cc_pam_* files which may of been left behind if the -- * refresh of the credentials failed. */ -- pam_setcred(pam_handle, PAM_REFRESH_CRED); -- pam_end(pam_handle, PAM_SUCCESS); -+ if (!(inputhash = crypt(password, hash))) -+ fprintf(stderr, "crypt: %s", strerror(errno)); -+ else if (!strcmp(inputhash, hash)) { -+ DEBUG("successfully authenticated"); -+ clear_password_memory(); - - ev_break(EV_DEFAULT, EVBREAK_ALL); - return; -@@ -626,39 +659,6 @@ - redraw_screen(); - } - --#ifndef __OpenBSD__ --/* -- * Callback function for PAM. We only react on password request callbacks. -- * -- */ --static int conv_callback(int num_msg, const struct pam_message **msg, -- struct pam_response **resp, void *appdata_ptr) { -- if (num_msg == 0) -- return 1; -- -- /* PAM expects an array of responses, one for each message */ -- if ((*resp = calloc(num_msg, sizeof(struct pam_response))) == NULL) { -- perror("calloc"); -- return 1; -- } -- -- for (int c = 0; c < num_msg; c++) { -- if (msg[c]->msg_style != PAM_PROMPT_ECHO_OFF && -- msg[c]->msg_style != PAM_PROMPT_ECHO_ON) -- continue; -- -- /* return code is currently not used but should be set to zero */ -- resp[c]->resp_retcode = 0; -- if ((resp[c]->resp = strdup(password)) == NULL) { -- perror("strdup"); -- return 1; -- } -- } -- -- return 0; --} --#endif -- - /* - * This callback is only a dummy, see xcb_prepare_cb and xcb_check_cb. - * See also man libev(3): "ev_prepare" and "ev_check" - customise your event loop -@@ -766,13 +766,15 @@ - * - */ - static void raise_loop(xcb_window_t window) { -- xcb_connection_t *conn; - xcb_generic_event_t *event; -- int screens; - -- if ((conn = xcb_connect(NULL, &screens)) == NULL || -+#ifdef __OpenBSD__ -+ xcb_connection_t *conn; -+ -+ if ((conn = xcb_connect(NULL, NULL)) == NULL || - xcb_connection_has_error(conn)) - errx(EXIT_FAILURE, "Cannot open display\n"); -+#endif - - /* We need to know about the window being obscured or getting destroyed. */ - xcb_change_window_attributes(conn, window, XCB_CW_EVENT_MASK, -@@ -820,8 +822,11 @@ - char *username; - char *image_path = NULL; - #ifndef __OpenBSD__ -- int ret; -- struct pam_conv conv = {conv_callback, NULL}; -+ struct passwd *pwd; -+ struct group *grp; -+ uid_t duid; -+ gid_t dgid; -+ xcb_connection_t *raise_conn; - #endif - int curs_choice = CURS_NONE; - int o; -@@ -848,6 +853,65 @@ - if ((username = pw->pw_name) == NULL) - errx(EXIT_FAILURE, "pw->pw_name is NULL.\n"); - -+#ifndef __OpenBSD__ -+ /* -+ * Shamelessly stolen from slock. See LICENSE-slock. -+ * -+ * Slock has code to make it run as nobody:nogroup, which has the added -+ * security that the locker can only be killed by root. -+ * It causes problems with the xcb_connect in raise_loop, and the main -+ * xcb_connect, however. -+ * Because of that, both xcb_connect are ran as root, before dropping the -+ * privileges to the user, much like is being done with XOpenDisplay -+ * in slock. -+ * I'm unsure of any security implications that may have, as it seems to -+ * run fine, otherwise. -+ * Please contact me if it's something I _really_ shouldn't do. -+ */ -+ -+ /* If the nobody:nogroup don't exist, just use the password's user */ -+ duid = pw->pw_uid; -+ if ((pwd = getpwnam("nobody"))) -+ duid = pwd->pw_uid; -+ dgid = pw->pw_gid; -+ if ((grp = getgrnam("nogroup"))) -+ dgid = grp->gr_gid; -+ -+#ifdef __linux__ -+ dontkillme(); -+#endif -+ -+ hash = pw->pw_passwd; -+ -+ if (!strcmp(hash, "x")) { -+ struct spwd *sp; -+ if (!(sp = getspnam(pw->pw_name))) -+ errx(EXIT_FAILURE, "getspnam: cannot retrieve shadow entry. " -+ "Make sure to suid or sgid i3lock."); -+ hash = sp->sp_pwdp; -+ } -+ -+ errno = 0; -+ if (!crypt("", hash)) -+ errx(EXIT_FAILURE, "crypt: %s", strerror(errno)); -+ -+ /* Create the necessary connections before dropping privileges */ -+ if ((conn = xcb_connect(NULL, NULL)) == NULL || -+ xcb_connection_has_error(conn)) -+ errx(EXIT_FAILURE, "Could not connect to X11, maybe you need to set DISPLAY?"); -+ if ((raise_conn = xcb_connect(NULL, NULL)) == NULL || -+ xcb_connection_has_error(raise_conn)) -+ errx(EXIT_FAILURE, "Cannot open display\n"); -+ -+ /* drop privileges */ -+ if (setgroups(0, NULL) < 0) -+ errx(EXIT_FAILURE, "setgroups: %s", strerror(errno)); -+ if (setgid(dgid) < 0) -+ errx(EXIT_FAILURE, "setgid: %s", strerror(errno)); -+ if (setuid(duid) < 0) -+ errx(EXIT_FAILURE, "setuid: %s", strerror(errno)); -+#endif -+ - char *optstring = "hvnbdc:p:ui:teI:f"; - while ((o = getopt_long(argc, argv, optstring, longopts, &longoptind)) != -1) { - switch (o) { -@@ -916,15 +980,6 @@ - * the unlock indicator upon keypresses. */ - srand(time(NULL)); - --#ifndef __OpenBSD__ -- /* Initialize PAM */ -- if ((ret = pam_start("i3lock", username, &conv, &pam_handle)) != PAM_SUCCESS) -- errx(EXIT_FAILURE, "PAM: %s", pam_strerror(pam_handle, ret)); -- -- if ((ret = pam_set_item(pam_handle, PAM_TTY, getenv("DISPLAY"))) != PAM_SUCCESS) -- errx(EXIT_FAILURE, "PAM: %s", pam_strerror(pam_handle, ret)); --#endif -- - /* Using mlock() as non-super-user seems only possible in Linux. - * Users of other operating systems should use encrypted swap/no swap - * (or remove the ifdef and run i3lock as super-user). -@@ -938,11 +993,12 @@ - err(EXIT_FAILURE, "Could not lock page in memory, check RLIMIT_MEMLOCK"); - #endif - -+#ifdef __OpenBSD__ - /* Double checking that connection is good and operatable with xcb */ -- int screennr; -- if ((conn = xcb_connect(NULL, &screennr)) == NULL || -+ if ((conn = xcb_connect(NULL, NULL)) == NULL || - xcb_connection_has_error(conn)) - errx(EXIT_FAILURE, "Could not connect to X11, maybe you need to set DISPLAY?"); -+#endif - - if (xkb_x11_setup_xkb_extension(conn, - XKB_X11_MIN_MAJOR_XKB_VERSION, -@@ -1056,10 +1112,16 @@ - if (pid == 0) { - /* Child */ - close(xcb_get_file_descriptor(conn)); -+#ifndef __OpenBSD__ -+ conn = raise_conn; -+#endif - maybe_close_sleep_lock_fd(); - raise_loop(win); - exit(EXIT_SUCCESS); - } -+#ifndef __OpenBSD__ -+ close(xcb_get_file_descriptor(raise_conn)); -+#endif - - /* Load the keymap again to sync the current modifier state. Since we first - * loaded the keymap, there might have been changes, but starting from now, -+++ i3lock.pam -@@ -1,6 +0,0 @@ --# --# PAM configuration file for the i3lock screen locker. By default, it includes --# the 'login' configuration file (see /etc/pam.d/login) --# -- --auth include login diff --git a/desktop/i3lock/i3lock.SlackBuild b/desktop/i3lock/i3lock.SlackBuild index 6574a0f429739..538f6b5e804fa 100644 --- a/desktop/i3lock/i3lock.SlackBuild +++ b/desktop/i3lock/i3lock.SlackBuild @@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd) PRGNAM=i3lock -VERSION=${VERSION:-2.10} +VERSION=${VERSION:-2.13} BUILD=${BUILD:-1} TAG=${TAG:-_SBo} PKGTYPE=${PKGTYPE:-tgz} @@ -79,9 +79,12 @@ find -L . \ \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \ -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \; -# This patch removes all the PAM-related code, -# and checks the password against shadow instead. -patch -p0 -i $CWD/i3lock-2.10-no-pam.patch +autoreconf --force --install +./configure \ + --prefix=/usr \ + --sysconfdir=/etc \ + --disable-sanitizers \ + --mandir=/usr/man make install DESTDIR=$PKG @@ -98,14 +101,11 @@ chmod 4751 $PKG/usr/bin/i3lock find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | grep ELF \ | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true -# Install the manpage -install -Dm644 i3lock.1 $PKG/usr/man/man1/i3lock.1 - find $PKG/usr/man -type f -exec gzip -9 {} \; for i in $( find $PKG/usr/man -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION -cp -a CHANGELOG LICENSE LICENSE-slock README.md $PKG/usr/doc/$PRGNAM-$VERSION +cp -a CHANGELOG LICENSE README.md $PKG/usr/doc/$PRGNAM-$VERSION cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild mkdir -p $PKG/install diff --git a/desktop/i3lock/i3lock.info b/desktop/i3lock/i3lock.info index 3451213578df5..c74a08c78443d 100644 --- a/desktop/i3lock/i3lock.info +++ b/desktop/i3lock/i3lock.info @@ -1,10 +1,10 @@ PRGNAM="i3lock" -VERSION="2.10" +VERSION="2.13" HOMEPAGE="https://i3wm.org/i3lock/" -DOWNLOAD="https://i3wm.org/i3lock/i3lock-2.10.tar.bz2" -MD5SUM="a496ec274c2f75bbefaa088c4d18ec85" +DOWNLOAD="https://i3wm.org/i3lock/i3lock-2.13.tar.bz2" +MD5SUM="a10993d6cd409d980f78a4a376885f1b" DOWNLOAD_x86_64="" MD5SUM_x86_64="" -REQUIRES="libev" +REQUIRES="libev xcb-util-xrm" MAINTAINER="mid-kid" EMAIL="esteve.varela@gmail.com" |