aboutsummaryrefslogtreecommitdiff
path: root/desktop/i3lock/i3lock-2.9-no-pam.patch
diff options
context:
space:
mode:
Diffstat (limited to 'desktop/i3lock/i3lock-2.9-no-pam.patch')
-rw-r--r--desktop/i3lock/i3lock-2.9-no-pam.patch296
1 files changed, 296 insertions, 0 deletions
diff --git a/desktop/i3lock/i3lock-2.9-no-pam.patch b/desktop/i3lock/i3lock-2.9-no-pam.patch
new file mode 100644
index 000000000000..8fd5a30b7e28
--- /dev/null
+++ b/desktop/i3lock/i3lock-2.9-no-pam.patch
@@ -0,0 +1,296 @@
++++ LICENSE-slock
+@@ -0,0 +1,24 @@
++MIT/X Consortium License
++
++© 2015-2016 Markus Teich <markus.teich@stusta.mhn.de>
++© 2014 Dimitris Papastamos <sin@2f30.org>
++© 2006-2014 Anselm R Garbe <anselm@garbe.us>
++© 2014-2016 Laslo Hunhold <dev@frign.de>
++
++Permission is hereby granted, free of charge, to any person obtaining a
++copy of this software and associated documentation files (the "Software"),
++to deal in the Software without restriction, including without limitation
++the rights to use, copy, modify, merge, publish, distribute, sublicense,
++and/or sell copies of the Software, and to permit persons to whom the
++Software is furnished to do so, subject to the following conditions:
++
++The above copyright notice and this permission notice shall be included in
++all copies or substantial portions of the Software.
++
++THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
++THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
++FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
++DEALINGS IN THE SOFTWARE.
++++ Makefile
+@@ -20,9 +20,9 @@
+ LIBS += -lev
+ LIBS += -lm
+
+-# OpenBSD lacks PAM, use bsd_auth(3) instead.
++# On OpenBSD we use bsd_auth(3) instead.
+ ifneq ($(UNAME),OpenBSD)
+- LIBS += -lpam
++ LIBS += -lcrypt
+ endif
+
+ FILES:=$(wildcard *.c)
+@@ -50,9 +50,7 @@
+
+ install: all
+ $(INSTALL) -d $(DESTDIR)$(PREFIX)/bin
+- $(INSTALL) -d $(DESTDIR)$(SYSCONFDIR)/pam.d
+ $(INSTALL) -m 755 i3lock $(DESTDIR)$(PREFIX)/bin/i3lock
+- $(INSTALL) -m 644 i3lock.pam $(DESTDIR)$(SYSCONFDIR)/pam.d/i3lock
+
+ uninstall:
+ rm -f $(DESTDIR)$(PREFIX)/bin/i3lock
+@@ -61,7 +59,7 @@
+ [ ! -d i3lock-${VERSION} ] || rm -rf i3lock-${VERSION}
+ [ ! -e i3lock-${VERSION}.tar.bz2 ] || rm i3lock-${VERSION}.tar.bz2
+ mkdir i3lock-${VERSION}
+- cp *.c *.h i3lock.1 i3lock.pam Makefile LICENSE README.md CHANGELOG i3lock-${VERSION}
++ cp *.c *.h i3lock.1 Makefile LICENSE README.md CHANGELOG i3lock-${VERSION}
+ sed -e 's/^I3LOCK_VERSION:=\(.*\)/I3LOCK_VERSION:=$(shell /bin/echo '${I3LOCK_VERSION}' | sed 's/\\/\\\\/g')/g;s/^VERSION:=\(.*\)/VERSION:=${VERSION}/g' Makefile > i3lock-${VERSION}/Makefile
+ tar cfj i3lock-${VERSION}.tar.bz2 i3lock-${VERSION}
+ rm -rf i3lock-${VERSION}
++++ i3lock.1
+@@ -43,8 +43,6 @@
+ You can specify either a background color or a PNG image which will be displayed while your screen is locked.
+ .IP \[bu]
+ You can specify whether i3lock should bell upon a wrong password.
+-.IP \[bu]
+-i3lock uses PAM and therefore is compatible with LDAP, etc.
+
+
+ .SH OPTIONS
+@@ -66,8 +64,7 @@
+ .B \-u, \-\-no-unlock-indicator
+ Disable the unlock indicator. i3lock will by default show an unlock indicator
+ after pressing keys. This will give feedback for every keypress and it will
+-show you the current PAM state (whether your password is currently being
+-verified or whether it is wrong).
++show you whether your password is currently being verified or whether it is wrong.
+
+ .TP
+ .BI \-i\ path \fR,\ \fB\-\-image= path
+@@ -95,7 +92,7 @@
+ .TP
+ .B \-e, \-\-ignore-empty-password
+ When an empty password is provided by the user, do not validate
+-it. Without this option, the empty password will be provided to PAM
++it. Without this option, the empty password will be validated
+ and, if invalid, the user will have to wait a few seconds before
+ another try. This can be useful if the XF86ScreenSaver key is used to
+ put a laptop to sleep and bounce on resume or if you happen to wake up
++++ i3lock.c
+@@ -21,7 +21,9 @@
+ #ifdef __OpenBSD__
+ #include <bsd_auth.h>
+ #else
+-#include <security/pam_appl.h>
++#include <shadow.h>
++#include <grp.h>
++#include <errno.h>
+ #endif
+ #include <getopt.h>
+ #include <string.h>
+@@ -57,7 +59,7 @@
+ xcb_window_t win;
+ static xcb_cursor_t cursor;
+ #ifndef __OpenBSD__
+-static pam_handle_t *pam_handle;
++const char *hash = NULL;
+ #endif
+ int input_position = 0;
+ /* Holds the password you enter (in UTF-8). */
+@@ -90,6 +92,37 @@
+ bool ignore_empty_password = false;
+ bool skip_repeated_empty_password = false;
+
++/*
++ * Shamelessly stolen from slock. See LICENSE-slock.
++ * This adjusts the process' out of memory score,
++ * so it isn't killed by the kernel under any circumstances.
++ */
++#ifdef __linux__
++#include <fcntl.h>
++#include <linux/oom.h>
++
++static void
++dontkillme(void)
++{
++ FILE *f;
++ const char oomfile[] = "/proc/self/oom_score_adj";
++
++ if (!(f = fopen(oomfile, "w"))) {
++ if (errno == ENOENT)
++ return;
++ errx(EXIT_FAILURE, "i3lock: fopen %s: %s", oomfile, strerror(errno));
++ }
++ fprintf(f, "%d", OOM_SCORE_ADJ_MIN);
++ if (fclose(f)) {
++ if (errno == EACCES)
++ errx(EXIT_FAILURE, "i3lock: unable to disable OOM killer. "
++ "Make sure to suid or sgid i3lock.");
++ else
++ errx(EXIT_FAILURE, "i3lock: fclose %s: %s", oomfile, strerror(errno));
++ }
++}
++#endif
++
+ /* isutf, u8_dec © 2005 Jeff Bezanson, public domain */
+ #define isutf(c) (((c)&0xC0) != 0x80)
+
+@@ -281,16 +314,16 @@
+ exit(0);
+ }
+ #else
+- if (pam_authenticate(pam_handle, 0) == PAM_SUCCESS) {
+- DEBUG("successfully authenticated\n");
+- clear_password_memory();
++ /*
++ * Shamelessly stolen from slock. See LICENSE-slock.
++ */
++ char *inputhash;
+
+- /* PAM credentials should be refreshed, this will for example update any kerberos tickets.
+- * Related to credentials pam_end() needs to be called to cleanup any temporary
+- * credentials like kerberos /tmp/krb5cc_pam_* files which may of been left behind if the
+- * refresh of the credentials failed. */
+- pam_setcred(pam_handle, PAM_REFRESH_CRED);
+- pam_end(pam_handle, PAM_SUCCESS);
++ if (!(inputhash = crypt(password, hash)))
++ fprintf(stderr, "i3lock: crypt: %s", strerror(errno));
++ else if (!strcmp(inputhash, hash)) {
++ DEBUG("successfully authenticated");
++ clear_password_memory();
+
+ exit(0);
+ }
+@@ -626,39 +659,6 @@
+ redraw_screen();
+ }
+
+-#ifndef __OpenBSD__
+-/*
+- * Callback function for PAM. We only react on password request callbacks.
+- *
+- */
+-static int conv_callback(int num_msg, const struct pam_message **msg,
+- struct pam_response **resp, void *appdata_ptr) {
+- if (num_msg == 0)
+- return 1;
+-
+- /* PAM expects an array of responses, one for each message */
+- if ((*resp = calloc(num_msg, sizeof(struct pam_response))) == NULL) {
+- perror("calloc");
+- return 1;
+- }
+-
+- for (int c = 0; c < num_msg; c++) {
+- if (msg[c]->msg_style != PAM_PROMPT_ECHO_OFF &&
+- msg[c]->msg_style != PAM_PROMPT_ECHO_ON)
+- continue;
+-
+- /* return code is currently not used but should be set to zero */
+- resp[c]->resp_retcode = 0;
+- if ((resp[c]->resp = strdup(password)) == NULL) {
+- perror("strdup");
+- return 1;
+- }
+- }
+-
+- return 0;
+-}
+-#endif
+-
+ /*
+ * This callback is only a dummy, see xcb_prepare_cb and xcb_check_cb.
+ * See also man libev(3): "ev_prepare" and "ev_check" - customise your event loop
+@@ -813,10 +813,6 @@
+ struct passwd *pw;
+ char *username;
+ char *image_path = NULL;
+-#ifndef __OpenBSD__
+- int ret;
+- struct pam_conv conv = {conv_callback, NULL};
+-#endif
+ int curs_choice = CURS_NONE;
+ int o;
+ int optind = 0;
+@@ -842,6 +838,48 @@
+ if ((username = pw->pw_name) == NULL)
+ errx(EXIT_FAILURE, "pw->pw_name is NULL.\n");
+
++#ifndef __OpenBSD__
++ /*
++ * Shamelessly stolen from slock. See LICENSE-slock.
++ *
++ * Slock has code to make it run as nobody:nogroup, which has the added
++ * security that the locker can only be killed by root.
++ * It causes problems with the xcb_connect in raise_loop, however,
++ * and I'm not aware of any other methods to keep the calling user from
++ * killing the locker.
++ * This means that a malicious program running as your user
++ * could easily bypass your locker by killing it.
++ * However, if such a program even manages to be running, you're pretty
++ * screwed regardless.
++ */
++
++#ifdef __linux__
++ dontkillme();
++#endif
++
++ hash = pw->pw_passwd;
++
++ if (!strcmp(hash, "x")) {
++ struct spwd *sp;
++ if (!(sp = getspnam(pw->pw_name)))
++ errx(EXIT_FAILURE, "i3lock: getspnam: cannot retrieve shadow entry. "
++ "Make sure to suid or sgid i3lock.");
++ hash = sp->sp_pwdp;
++ }
++
++ errno = 0;
++ if (!crypt("", hash))
++ errx(EXIT_FAILURE, "i3lock: crypt: %s", strerror(errno));
++
++ /* drop privileges */
++ if (setgroups(0, NULL) < 0)
++ errx(EXIT_FAILURE, "i3lock: setgroups: %s", strerror(errno));
++ if (setgid(pw->pw_gid) < 0)
++ errx(EXIT_FAILURE, "i3lock: setgid: %s", strerror(errno));
++ if (setuid(pw->pw_uid) < 0)
++ errx(EXIT_FAILURE, "i3lock: setuid: %s", strerror(errno));
++#endif
++
+ char *optstring = "hvnbdc:p:ui:teI:f";
+ while ((o = getopt_long(argc, argv, optstring, longopts, &optind)) != -1) {
+ switch (o) {
+@@ -910,15 +948,6 @@
+ * the unlock indicator upon keypresses. */
+ srand(time(NULL));
+
+-#ifndef __OpenBSD__
+- /* Initialize PAM */
+- if ((ret = pam_start("i3lock", username, &conv, &pam_handle)) != PAM_SUCCESS)
+- errx(EXIT_FAILURE, "PAM: %s", pam_strerror(pam_handle, ret));
+-
+- if ((ret = pam_set_item(pam_handle, PAM_TTY, getenv("DISPLAY"))) != PAM_SUCCESS)
+- errx(EXIT_FAILURE, "PAM: %s", pam_strerror(pam_handle, ret));
+-#endif
+-
+ /* Using mlock() as non-super-user seems only possible in Linux.
+ * Users of other operating systems should use encrypted swap/no swap
+ * (or remove the ifdef and run i3lock as super-user).
++++ i3lock.pam
+@@ -1,6 +0,0 @@
+-#
+-# PAM configuration file for the i3lock screen locker. By default, it includes
+-# the 'login' configuration file (see /etc/pam.d/login)
+-#
+-
+-auth include login