Diffstat (limited to 'desktop')
-rw-r--r-- | desktop/i3lock/README | 4 | ||||
-rw-r--r-- | desktop/i3lock/i3lock-2.9-no-pam.patch (renamed from desktop/i3lock/i3lock-2.8-no-pam.patch) | 219 | ||||
-rw-r--r-- | desktop/i3lock/i3lock-2.9-revert-composite.patch | 71 | ||||
-rw-r--r-- | desktop/i3lock/i3lock.SlackBuild | 14 | ||||
-rw-r--r-- | desktop/i3lock/i3lock.info | 6 | ||||
-rw-r--r-- | desktop/i3lock/slack-desc | 2 |
6 files changed, 211 insertions, 105 deletions
diff --git a/desktop/i3lock/README b/desktop/i3lock/README index adf8e935d1701..edb2337c8c4a8 100644 --- a/desktop/i3lock/README +++ b/desktop/i3lock/README @@ -5,3 +5,7 @@ Slackware. For verifying the password it uses shadow instead. Because of that, it needs suid permissions, but those privileges are dropped as soon as possible. The code for this was taken from slock. See the patch and LICENSE-slock. + +NOTE: Version 2.9-1_SBo is patched to revert this commit: +https://github.com/i3/i3lock/commit/80d4452ec680bcb0e57418f69d44d88ded82047c +See the SlackBuild for more info. diff --git a/desktop/i3lock/i3lock-2.8-no-pam.patch b/desktop/i3lock/i3lock-2.9-no-pam.patch index 665744f1cb098..8fd5a30b7e282 100644 --- a/desktop/i3lock/i3lock-2.8-no-pam.patch +++ b/desktop/i3lock/i3lock-2.9-no-pam.patch @@ -1,6 +1,4 @@ -diff -Nur i3lock-2.8-orig/LICENSE-slock i3lock-2.8/LICENSE-slock ---- i3lock-2.8-orig/LICENSE-slock 1970-01-01 01:00:00.000000000 +0100 -+++ i3lock-2.8/LICENSE-slock 2016-08-27 11:24:24.067880341 +0200 ++++ LICENSE-slock @@ -0,0 +1,24 @@ +MIT/X Consortium License + 
@@ -26,19 +24,20 @@ diff -Nur i3lock-2.8-orig/LICENSE-slock i3lock-2.8/LICENSE-slock +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER +DEALINGS IN THE SOFTWARE. -diff -Nur i3lock-2.8-orig/Makefile i3lock-2.8/Makefile ---- i3lock-2.8-orig/Makefile 2016-08-27 11:24:15.313880708 +0200 -+++ i3lock-2.8/Makefile 2016-08-27 11:24:24.067880341 +0200 -@@ -14,7 +14,7 @@ - CPPFLAGS += -D_GNU_SOURCE - CFLAGS += $(shell $(PKG_CONFIG) --cflags cairo xcb-dpms xcb-xinerama xcb-atom xcb-image xcb-xkb xkbcommon xkbcommon-x11) - LIBS += $(shell $(PKG_CONFIG) --libs cairo xcb-dpms xcb-xinerama xcb-atom xcb-image xcb-xkb xkbcommon xkbcommon-x11) --LIBS += -lpam -+LIBS += -lcrypt ++++ Makefile +@@ -20,9 +20,9 @@ LIBS += -lev LIBS += -lm -@@ -37,9 +37,7 @@ +-# OpenBSD lacks PAM, use bsd_auth(3) instead. ++# On OpenBSD we use bsd_auth(3) instead. + ifneq ($(UNAME),OpenBSD) +- LIBS += -lpam ++ LIBS += -lcrypt + endif + + FILES:=$(wildcard *.c) +@@ -50,9 +50,7 @@ install: all $(INSTALL) -d $(DESTDIR)$(PREFIX)/bin 
@@ -48,10 +47,17 @@ diff -Nur i3lock-2.8-orig/Makefile i3lock-2.8/Makefile uninstall: rm -f $(DESTDIR)$(PREFIX)/bin/i3lock -diff -Nur i3lock-2.8-orig/i3lock.1 i3lock-2.8/i3lock.1 ---- i3lock-2.8-orig/i3lock.1 2016-08-27 11:24:15.313880708 +0200 -+++ i3lock-2.8/i3lock.1 2016-08-27 11:25:01.863878761 +0200 -@@ -45,8 +45,6 @@ +@@ -61,7 +59,7 @@ + [ ! -d i3lock-${VERSION} ] || rm -rf i3lock-${VERSION} + [ ! -e i3lock-${VERSION}.tar.bz2 ] || rm i3lock-${VERSION}.tar.bz2 + mkdir i3lock-${VERSION} +- cp *.c *.h i3lock.1 i3lock.pam Makefile LICENSE README.md CHANGELOG i3lock-${VERSION} ++ cp *.c *.h i3lock.1 Makefile LICENSE README.md CHANGELOG i3lock-${VERSION} + sed -e 's/^I3LOCK_VERSION:=\(.*\)/I3LOCK_VERSION:=$(shell /bin/echo '${I3LOCK_VERSION}' | sed 's/\\/\\\\/g')/g;s/^VERSION:=\(.*\)/VERSION:=${VERSION}/g' Makefile > i3lock-${VERSION}/Makefile + tar cfj i3lock-${VERSION}.tar.bz2 i3lock-${VERSION} + rm -rf i3lock-${VERSION} ++++ i3lock.1 +@@ -43,8 +43,6 @@ You can specify either a background color or a PNG image which will be displayed while your screen is locked. .IP \[bu] You can specify whether i3lock should bell upon a wrong password. 
@@ -60,57 +66,47 @@ diff -Nur i3lock-2.8-orig/i3lock.1 i3lock-2.8/i3lock.1 .SH OPTIONS -@@ -75,7 +73,7 @@ +@@ -66,8 +64,7 @@ .B \-u, \-\-no-unlock-indicator Disable the unlock indicator. i3lock will by default show an unlock indicator after pressing keys. This will give feedback for every keypress and it will -show you the current PAM state (whether your password is currently being -+show you the current state (whether your password is currently being - verified or whether it is wrong). +-verified or whether it is wrong). ++show you whether your password is currently being verified or whether it is wrong. .TP -@@ -104,7 +102,7 @@ + .BI \-i\ path \fR,\ \fB\-\-image= path +@@ -95,7 +92,7 @@ .TP .B \-e, \-\-ignore-empty-password When an empty password is provided by the user, do not validate -it. Without this option, the empty password will be provided to PAM -+it. Without this option, the empty password will be checked ++it. Without this option, the empty password will be validated and, if invalid, the user will have to wait a few seconds before another try. 
This can be useful if the XF86ScreenSaver key is used to put a laptop to sleep and bounce on resume or if you happen to wake up -diff -Nur i3lock-2.8-orig/i3lock.c i3lock-2.8/i3lock.c ---- i3lock-2.8-orig/i3lock.c 2016-08-27 11:24:15.312880708 +0200 -+++ i3lock-2.8/i3lock.c 2016-08-27 11:24:24.068880341 +0200 -@@ -18,7 +18,6 @@ - #include <xcb/xkb.h> - #include <err.h> - #include <assert.h> ++++ i3lock.c +@@ -21,7 +21,9 @@ + #ifdef __OpenBSD__ + #include <bsd_auth.h> + #else -#include <security/pam_appl.h> ++#include <shadow.h> ++#include <grp.h> ++#include <errno.h> + #endif #include <getopt.h> #include <string.h> - #include <ev.h> -@@ -28,6 +27,8 @@ - #include <xkbcommon/xkbcommon-x11.h> - #include <cairo.h> - #include <cairo/cairo-xcb.h> -+#include <unistd.h> -+#include <shadow.h> - - #include "i3lock.h" - #include "xcb.h" -@@ -49,10 +50,10 @@ - uint32_t last_resolution[2]; +@@ -57,7 +59,7 @@ xcb_window_t win; static xcb_cursor_t cursor; + #ifndef __OpenBSD__ -static pam_handle_t *pam_handle; ++const char *hash = NULL; + #endif int input_position = 0; /* Holds the password you enter (in UTF-8). */ - static char password[512]; -+const char *pws = NULL; - static bool beep = false; - bool debug_mode = false; - bool unlock_indicator = true; -@@ -80,6 +81,39 @@ +@@ -90,6 +92,37 @@ bool ignore_empty_password = false; bool skip_repeated_empty_password = false; 
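Review bot: `const char *hash = NULL;` in the i3lock.c globals is declared without `static`, unlike the `static pam_handle_t *pam_handle;` it replaces and the `static xcb_cursor_t cursor;` beside it, so a very generic symbol name gets external linkage. I would write `static const char *hash = NULL;`. The main() hunk later points it at `pw->pw_passwd` or `sp->sp_pwdp`, which are normally buffers owned by libc; if any later getpw*/getsp* call exists (not visible on this page) the pointer would go stale, and taking a `strdup()` copy at assignment removes that dependency. A one-line comment on the declaration saying that it holds the account's password hash for the lifetime of the process would also help the next reader.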
@@ -122,42 +118,43 @@ diff -Nur i3lock-2.8-orig/i3lock.c i3lock-2.8/i3lock.c +#ifdef __linux__ +#include <fcntl.h> +#include <linux/oom.h> -+#include <errno.h> + +static void +dontkillme(void) +{ -+ int fd; -+ int length; -+ char value[64]; -+ -+ fd = open("/proc/self/oom_score_adj", O_WRONLY); -+ if (fd < 0 && errno == ENOENT) -+ return; ++ FILE *f; ++ const char oomfile[] = "/proc/self/oom_score_adj"; + -+ /* convert OOM_SCORE_ADJ_MIN to string for writing */ -+ length = snprintf(value, sizeof(value), "%d\n", OOM_SCORE_ADJ_MIN); -+ -+ /* bail on truncation */ -+ if (length >= sizeof(value)) -+ errx(EXIT_FAILURE, "buffer too small\n"); -+ -+ if (fd < 0 || write(fd, value, length) != length || close(fd) != 0) -+ errx(EXIT_FAILURE, "cannot disable the out-of-memory killer for this process (make sure to suid or sgid i3lock)\n"); ++ if (!(f = fopen(oomfile, "w"))) { ++ if (errno == ENOENT) ++ return; ++ errx(EXIT_FAILURE, "i3lock: fopen %s: %s", oomfile, strerror(errno)); ++ } ++ fprintf(f, "%d", OOM_SCORE_ADJ_MIN); ++ if (fclose(f)) { ++ if (errno == EACCES) ++ errx(EXIT_FAILURE, "i3lock: unable to disable OOM killer. " ++ "Make sure to suid or sgid i3lock."); ++ else ++ errx(EXIT_FAILURE, "i3lock: fclose %s: %s", oomfile, strerror(errno)); ++ } +} +#endif + /* isutf, u8_dec © 2005 Jeff Bezanson, public domain */ #define isutf(c) (((c)&0xC0) != 0x80) -@@ -235,17 +269,10 @@ - unlock_state = STATE_STARTED; - redraw_screen(); - +@@ -281,16 +314,16 @@ + exit(0); + } + #else - if (pam_authenticate(pam_handle, 0) == PAM_SUCCESS) { -+ if (!strcmp(crypt(password, pws), pws)) { - DEBUG("successfully authenticated\n"); - clear_password_memory(); +- DEBUG("successfully authenticated\n"); +- clear_password_memory(); ++ /* ++ * Shamelessly stolen from slock. See LICENSE-slock. ++ */ ++ char *inputhash; - /* PAM credentials should be refreshed, this will for example update any kerberos tickets. - * Related to credentials pam_end() needs to be called to cleanup any temporary 
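Review bot: The `errx()` calls in `dontkillme()` build the errno text by hand and repeat the program name, which errx() already prints, so the messages come out with a doubled `i3lock:` prefix. `err(EXIT_FAILURE, "fopen %s", oomfile)` and `err(EXIT_FAILURE, "fclose %s", oomfile)` give the same information with less code, and the EACCES hint can stay as an `errx()` without the manual prefix. A short comment above `dontkillme()` stating that a missing `/proc/self/oom_score_adj` is tolerated while every other failure is fatal would document the intent of the `ENOENT` early return. The authentication block that begins with `char *inputhash;` at the end of this hunk continues in the next hunk.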
@@ -165,14 +162,20 @@ diff -Nur i3lock-2.8-orig/i3lock.c i3lock-2.8/i3lock.c - * refresh of the credentials failed. */ - pam_setcred(pam_handle, PAM_REFRESH_CRED); - pam_end(pam_handle, PAM_SUCCESS); -- ++ if (!(inputhash = crypt(password, hash))) ++ fprintf(stderr, "i3lock: crypt: %s", strerror(errno)); ++ else if (!strcmp(inputhash, hash)) { ++ DEBUG("successfully authenticated"); ++ clear_password_memory(); + exit(0); } - -@@ -580,37 +607,6 @@ +@@ -626,39 +659,6 @@ + redraw_screen(); } - /* +-#ifndef __OpenBSD__ +-/* - * Callback function for PAM. We only react on password request callbacks. - * - */ 
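Review bot: The crypt() failure branch prints `"i3lock: crypt: %s"` without a trailing newline and reads `errno` without clearing it first, whereas the startup check in the main() hunk sets `errno = 0;` before its own crypt() call. Adding `errno = 0;` before `inputhash = crypt(password, hash)` and ending the format string with `\n` makes the diagnostic reliable. `DEBUG("successfully authenticated")` also drops the `\n` that the replaced upstream line carried; unless the DEBUG macro appends one itself (not visible here), it should be kept. The enclosing function starts and ends outside this hunk, so the path taken after a NULL return is not shown; a comment stating that a crypt() error is treated as a failed attempt would make that explicit.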
@@ -202,68 +205,88 @@ diff -Nur i3lock-2.8-orig/i3lock.c i3lock-2.8/i3lock.c - - return 0; -} +-#endif - --/* + /* * This callback is only a dummy, see xcb_prepare_cb and xcb_check_cb. * See also man libev(3): "ev_prepare" and "ev_check" - customise your event loop - * -@@ -764,8 +760,6 @@ +@@ -813,10 +813,6 @@ struct passwd *pw; char *username; char *image_path = NULL; +-#ifndef __OpenBSD__ - int ret; - struct pam_conv conv = {conv_callback, NULL}; +-#endif int curs_choice = CURS_NONE; int o; int optind = 0; -@@ -791,6 +785,30 @@ +@@ -842,6 +838,48 @@ if ((username = pw->pw_name) == NULL) errx(EXIT_FAILURE, "pw->pw_name is NULL.\n"); ++#ifndef __OpenBSD__ + /* -+ * This piece of code is shamelessly stolen from slock. -+ * See LICENSE-slock. ++ * Shamelessly stolen from slock. See LICENSE-slock. ++ * ++ * Slock has code to make it run as nobody:nogroup, which has the added ++ * security that the locker can only be killed by root. ++ * It causes problems with the xcb_connect in raise_loop, however, ++ * and I'm not aware of any other methods to keep the calling user from ++ * killing the locker. ++ * This means that a malicious program running as your user ++ * could easily bypass your locker by killing it. ++ * However, if such a program even manages to be running, you're pretty ++ * screwed regardless. + */ ++ +#ifdef __linux__ + dontkillme(); +#endif + -+ pws = pw->pw_passwd; ++ hash = pw->pw_passwd; + -+ if (pws[0] == 'x' && pws[1] == '\0') { ++ if (!strcmp(hash, "x")) { + struct spwd *sp; -+ if (!(sp = getspnam(getenv("USER")))) -+ errx(EXIT_FAILURE, "cannot retrieve shadow entry (make sure to suid or sgid i3lock)\n"); -+ pws = sp->sp_pwdp; ++ if (!(sp = getspnam(pw->pw_name))) ++ errx(EXIT_FAILURE, "i3lock: getspnam: cannot retrieve shadow entry. 
" ++ "Make sure to suid or sgid i3lock."); ++ hash = sp->sp_pwdp; + } + -+ /* drop privileges */ -+ if (geteuid() == 0 && -+ ((getegid() != pw->pw_gid && setgid(pw->pw_gid) < 0) || setuid(pw->pw_uid) < 0)) -+ errx(EXIT_FAILURE, "cannot drop privileges\n"); ++ errno = 0; ++ if (!crypt("", hash)) ++ errx(EXIT_FAILURE, "i3lock: crypt: %s", strerror(errno)); + -+ /* End of stolen code */ ++ /* drop privileges */ ++ if (setgroups(0, NULL) < 0) ++ errx(EXIT_FAILURE, "i3lock: setgroups: %s", strerror(errno)); ++ if (setgid(pw->pw_gid) < 0) ++ errx(EXIT_FAILURE, "i3lock: setgid: %s", strerror(errno)); ++ if (setuid(pw->pw_uid) < 0) ++ errx(EXIT_FAILURE, "i3lock: setuid: %s", strerror(errno)); ++#endif + char *optstring = "hvnbdc:p:ui:teI:f"; while ((o = getopt_long(argc, argv, optstring, longopts, &optind)) != -1) { switch (o) { -@@ -862,13 +880,6 @@ +@@ -910,15 +948,6 @@ * the unlock indicator upon keypresses. */ srand(time(NULL)); +-#ifndef __OpenBSD__ - /* Initialize PAM */ - if ((ret = pam_start("i3lock", username, &conv, &pam_handle)) != PAM_SUCCESS) - errx(EXIT_FAILURE, "PAM: %s", pam_strerror(pam_handle, ret)); - - if ((ret = pam_set_item(pam_handle, PAM_TTY, getenv("DISPLAY"))) != PAM_SUCCESS) - errx(EXIT_FAILURE, "PAM: %s", pam_strerror(pam_handle, ret)); +-#endif - - /* Using mlock() as non-super-user seems only possible in Linux. Users of other - * operating systems should use encrypted swap/no swap (or remove the ifdef and - * run i3lock as super-user). */ -diff -Nur i3lock-2.8-orig/i3lock.pam i3lock-2.8/i3lock.pam ---- i3lock-2.8-orig/i3lock.pam 2016-08-27 11:24:15.313880708 +0200 -+++ i3lock-2.8/i3lock.pam 1970-01-01 01:00:00.000000000 +0100 + /* Using mlock() as non-super-user seems only possible in Linux. + * Users of other operating systems should use encrypted swap/no swap + * (or remove the ifdef and run i3lock as super-user). ++++ i3lock.pam @@ -1,6 +0,0 @@ -# -# PAM configuration file for the i3lock screen locker. By default, it includes 
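Review bot: The unconditional `setgroups(0, NULL)` in the privilege drop fails with EPERM for any process that is not root, so the sgid install that the getspnam error text recommends ("Make sure to suid or sgid i3lock") would abort at this call. `setgid()` and `setuid()` called from a non-root process also leave the saved IDs untouched, so an sgid-only binary would keep the privileged group recoverable after the "drop". Guarding setgroups() on `geteuid() == 0` and switching to `setresgid()`/`setresuid()` covers both install modes; the Makefile context elsewhere in this commit shows `-D_GNU_SOURCE`, and this assumes `pw` describes the invoking user, which is set up outside the hunk. main() starts and ends outside this hunk.

```c
	/* … unchanged: dontkillme(), shadow lookup, crypt("", hash) sanity check … */

	/* drop privileges */
	/* setgroups() needs CAP_SETGID; an sgid-only install has no
	 * supplementary groups of root to clear. */
	if (geteuid() == 0 && setgroups(0, NULL) < 0)
		errx(EXIT_FAILURE, "i3lock: setgroups: %s", strerror(errno));
	/* setres*id() also overwrites the saved IDs, so the drop cannot
	 * be undone later in the process. */
	if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0)
		errx(EXIT_FAILURE, "i3lock: setresgid: %s", strerror(errno));
	if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0)
		errx(EXIT_FAILURE, "i3lock: setresuid: %s", strerror(errno));
```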
diff --git a/desktop/i3lock/i3lock-2.9-revert-composite.patch b/desktop/i3lock/i3lock-2.9-revert-composite.patch new file mode 100644 index 0000000000000..58ef56b05359a --- /dev/null +++ b/desktop/i3lock/i3lock-2.9-revert-composite.patch 
@@ -0,0 +1,71 @@ ++++ Makefile +@@ -15,8 +15,8 @@ + CFLAGS += -pipe + CFLAGS += -Wall + CPPFLAGS += -D_GNU_SOURCE +-CFLAGS += $(shell $(PKG_CONFIG) --cflags cairo xcb-composite xcb-xinerama xcb-atom xcb-image xcb-xkb xkbcommon xkbcommon-x11) +-LIBS += $(shell $(PKG_CONFIG) --libs cairo xcb-composite xcb-xinerama xcb-atom xcb-image xcb-xkb xkbcommon xkbcommon-x11) ++CFLAGS += $(shell $(PKG_CONFIG) --cflags cairo xcb-xinerama xcb-atom xcb-image xcb-xkb xkbcommon xkbcommon-x11) ++LIBS += $(shell $(PKG_CONFIG) --libs cairo xcb-xinerama xcb-atom xcb-image xcb-xkb xkbcommon xkbcommon-x11) + LIBS += -lev + LIBS += -lm + ++++ README.md +@@ -25,7 +25,6 @@ + - libxcb-util + - libpam-dev + - libcairo-dev +-- libxcb-composite0 + - libxcb-xinerama + - libev + - libx11-dev ++++ xcb.c +@@ -11,7 +11,6 @@ + #include <xcb/xcb_image.h> + #include <xcb/xcb_atom.h> + #include <xcb/xcb_aux.h> +-#include <xcb/composite.h> + #include <stdio.h> + #include <stdlib.h> + #include <stdbool.h> +@@ -107,29 +106,6 @@ + uint32_t mask = 0; + uint32_t values[3]; + xcb_window_t win = xcb_generate_id(conn); +- xcb_window_t parent_win = scr->root; +- +- /* Check whether the composite extension is available */ +- const xcb_query_extension_reply_t *extension_query = NULL; +- xcb_generic_error_t *error = NULL; +- xcb_composite_get_overlay_window_cookie_t cookie; +- xcb_composite_get_overlay_window_reply_t *composite_reply = NULL; +- +- extension_query = xcb_get_extension_data(conn, &xcb_composite_id); +- if (extension_query && extension_query->present) { +- /* When composition is used, we need to use the composite overlay +- * window instead of the normal root window to be able to cover +- * composited windows */ +- cookie = xcb_composite_get_overlay_window(conn, scr->root); +- composite_reply = xcb_composite_get_overlay_window_reply(conn, cookie, &error); +- +- if (!error && composite_reply) { +- parent_win = composite_reply->overlay_win; +- } +- +- free(composite_reply); +- free(error); +- } + + if 
(pixmap == XCB_NONE) { + mask |= XCB_CW_BACK_PIXEL; +@@ -151,8 +127,8 @@ + + xcb_create_window(conn, + XCB_COPY_FROM_PARENT, +- win, /* the window id */ +- parent_win, ++ win, /* the window id */ ++ scr->root, /* parent == root */ + 0, 0, + scr->width_in_pixels, + scr->height_in_pixels, /* dimensions */ diff --git a/desktop/i3lock/i3lock.SlackBuild b/desktop/i3lock/i3lock.SlackBuild index a9c54a216f7d3..2493ae5a9db8c 100644 --- a/desktop/i3lock/i3lock.SlackBuild +++ b/desktop/i3lock/i3lock.SlackBuild @@ -23,7 +23,7 @@ # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. PRGNAM=i3lock -VERSION=${VERSION:-2.8} +VERSION=${VERSION:-2.9} BUILD=${BUILD:-1} TAG=${TAG:-_SBo} @@ -69,9 +69,17 @@ find -L . \ \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \ -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \; -# Apply a patch that removes all the PAM-related code, +# This patch reverts a commit that prevents the leakage of information through +# composited notifications. +# That commit causes issues (lag, most notably) on certain compositors. +# See the upstream issue: https://github.com/i3/i3lock/issues/128 +# You're welcome to try to comment this patch out and see whether it just works for you, +# or just leave this as is. +patch -p0 -i $CWD/i3lock-2.9-revert-composite.patch + +# This patch removes all the PAM-related code, # and checks the password against shadow instead. -patch -p1 -i $CWD/i3lock-2.8-no-pam.patch +patch -p0 -i $CWD/i3lock-2.9-no-pam.patch make install DESTDIR=$PKG diff --git a/desktop/i3lock/i3lock.info b/desktop/i3lock/i3lock.info index 889c44061a5f3..1f9d4f07269e2 100644 --- a/desktop/i3lock/i3lock.info +++ b/desktop/i3lock/i3lock.info 
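Review bot: With `scr->root` passed as the parent in `xcb_create_window()`, the lock window is again an ordinary child of the root window, and the removed upstream comment says the overlay window was needed "to be able to cover composited windows". The SlackBuild comment in this commit names the consequence (information shown through composited notifications), but neither the patch file nor the new `/* parent == root */` comment does. I would open the patch file with a short header naming the reverted upstream commit and what the lock screen no longer covers, and change the inline comment to `/* parent == root: composited windows (e.g. notifications) may show above the lock */`. The README note added in this commit could state the same trade-off instead of only pointing at the SlackBuild.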
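Review bot: The revert patch is applied on every build, so users whose compositor does not show the lag also lose the upstream fix, and the only way to keep it is to edit the script by hand. An opt-out switch keeps today's default while making the choice explicit, for example `[ "${KEEP_COMPOSITE:-no}" = "yes" ] || patch -p0 -i "$CWD/i3lock-2.9-revert-composite.patch"` (variable name is a suggestion), documented in README next to the note about the revert. Quoting `"$CWD"` in both `patch` lines also keeps the build working from a directory whose path contains spaces.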
@@ -1,8 +1,8 @@ PRGNAM="i3lock" -VERSION="2.8" +VERSION="2.9" HOMEPAGE="http://i3wm.org/i3lock/" -DOWNLOAD="http://i3wm.org/i3lock/i3lock-2.8.tar.bz2" -MD5SUM="89de7b7d46fdb05638122cf3c2512093" +DOWNLOAD="http://i3wm.org/i3lock/i3lock-2.9.tar.bz2" +MD5SUM="3d0038021778f3178192f566dc87a931" DOWNLOAD_x86_64="" MD5SUM_x86_64="" REQUIRES="libev libxkbcommon" diff --git a/desktop/i3lock/slack-desc b/desktop/i3lock/slack-desc index feb1c0b1d6a34..1861401179cf1 100644 --- a/desktop/i3lock/slack-desc +++ b/desktop/i3lock/slack-desc @@ -10,7 +10,7 @@ i3lock: i3lock (a simple screen locker) i3lock: i3lock: i3lock is a simple screen locker like slock. i3lock: After starting it, you will see a white screen -i3lock: (you can configure the color/an image). +i3lock: (you can configure the color/an image). i3lock: You can return to your screen by entering your password. i3lock: i3lock: This version is patched to not to use PAM. |