
View File cinnamon-screensaver-helper.patch of Package cinnamon-screensaver (Project home:k0da)

Index: cinnamon-screensaver-1.7.1/configure.ac
===================================================================
--- cinnamon-screensaver-1.7.1.orig/configure.ac
+++ cinnamon-screensaver-1.7.1/configure.ac
@@ -448,6 +448,55 @@ if test "$ac_macosx" = yes; then
 fi
 
 dnl ---------------------------------------------------------------------------
+dnl  Authentication scheme
+dnl ---------------------------------------------------------------------------
+
+AC_ARG_ENABLE(authentication-scheme,
+              AS_HELP_STRING([--enable-authentication-scheme=@<:@auto/pam/helper@:>@],
+	                     [Choose a specific authentication scheme @<:@default=auto@:>@]),
+              , [enable_authentication_scheme=auto])
+
+AUTH_SCHEME=$enable_authentication_scheme
+
+dnl ---------------------------------------------------------------------------
+dnl - Check for external password helper (SUSE)
+dnl ---------------------------------------------------------------------------
+#       On SuSE, instead of having xscreensaver be a setuid program, they
+#       fork an external program that takes the password on stdin, and
+#       returns true if that password is a valid one.  Then only that
+#       smaller program needs to be setuid.
+#
+#       (Note that this external program is not a GUI: the GUI is still
+#       all in xscreensaver itself; the external program just does auth.)
+
+AC_ARG_WITH(passwd-helper,
+            AS_HELP_STRING([--with-passwd-helper],
+                           [Include support for an external password verification helper program.]),
+            [with_passwd_helper="$withval"],
+            [with_passwd_helper=no])
+
+have_passwd_helper=no
+
+if test "x$AUTH_SCHEME" = "xhelper" -o "x$AUTH_SCHEME" = "xauto"; then
+  if test "$enable_locking" = no ; then
+    with_passwd_helper=no
+  fi
+
+  case "$with_passwd_helper" in
+    ""|no)
+      if test "x$AUTH_SCHEME" = "xhelper"; then
+	AC_MSG_ERROR([Password helper support requested --with-passwd-helper not used])
+      fi;;
+    /*)
+      AC_DEFINE_UNQUOTED(PASSWD_HELPER_PROGRAM, "$with_passwd_helper", [Full pathname of password helper application])
+      have_passwd_helper=yes
+      AUTH_SCHEME=helper;;
+    *)
+      AC_MSG_ERROR(["--with-passwd-helper needs full pathname of helper, not '$with_passwd_helper'"]);;
+  esac
+fi
+
+dnl ---------------------------------------------------------------------------
 dnl - Check for bsd_auth(3) (OpenBSD)
 dnl ---------------------------------------------------------------------------
 
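Review bot: The value of `--enable-authentication-scheme` is copied into AUTH_SCHEME without being checked against the supported set, so a mistyped value skips both the helper and bsdauth branches and, as far as the visible hunks show, configure carries on with PAM detection. The help string also lists only `auto/pam/helper`, while the next hunk accepts `bsdauth`. For a setting that decides how the lock screen verifies passwords, an unknown value should stop configure right after the assignment: `case "$AUTH_SCHEME" in auto|pam|helper|bsdauth) ;; *) AC_MSG_ERROR([unknown authentication scheme '$AUTH_SCHEME']) ;; esac`. Separately, when locking is disabled and the scheme is `helper`, `with_passwd_helper` is forced to `no`, so the error blames a missing `--with-passwd-helper` even if one was given.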
@@ -455,28 +504,30 @@ have_bsdauth=no
 with_bsdauth_req=unspecified
 NEED_SETUID=no
 
-case "$host" in                                                                                       
-  *-openbsd*)                                                                                         
-    with_bsdauth=yes
-    AUTH_SCHEME=bsdauth
-    NEED_SETUID=no
-    if test "x$enable_locking" = "xyes"; then
-      with_bsdauth_req=yes
-      NEED_SETUID=yes
+if test "x$AUTH_SCHEME" = "xbsdauth" -o "x$AUTH_SCHEME" = "xauto"; then
+  case "$host" in                                                                                       
+    *-openbsd*)                                                                                         
+      with_bsdauth=yes
+      AUTH_SCHEME=bsdauth
+      NEED_SETUID=no
+      if test "x$enable_locking" = "xyes"; then
+        with_bsdauth_req=yes
+        NEED_SETUID=yes
+      fi
+  esac  
+
+  if test "$with_bsdauth" = yes ; then
+    AC_CACHE_CHECK([for BSD Authentication], ac_cv_bsdauth,
+      [AC_TRY_X_COMPILE([#include <stdlib.h>
+                         #include <unistd.h>
+                         #include <sys/types.h>
+                         #include <bsd_auth.h>],
+        [int ok = auth_userokay("x", 0, "x", "x");],
+        [ac_cv_bsdauth=yes],
+        [ac_cv_bsdauth=no])])
+    if test "$ac_cv_bsdauth" = yes; then
+      have_bsdauth=yes
     fi
-esac  
-
-if test "$with_bsdauth" = yes ; then
-  AC_CACHE_CHECK([for BSD Authentication], ac_cv_bsdauth,
-    [AC_TRY_X_COMPILE([#include <stdlib.h>
-                       #include <unistd.h>
-                       #include <sys/types.h>
-                       #include <bsd_auth.h>],
-      [int ok = auth_userokay("x", 0, "x", "x");],
-      [ac_cv_bsdauth=yes],
-      [ac_cv_bsdauth=no])])
-  if test "$ac_cv_bsdauth" = yes; then
-    have_bsdauth=yes
   fi
 fi
 
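Review bot: An explicit `--enable-authentication-scheme=bsdauth` is not enforced here: on a host that does not match `*-openbsd*`, or when the `auth_userokay` compile check fails, `have_bsdauth` stays `no` and the later PAM hunks take over without any message. The helper branch fails hard in the equivalent situation, so the two schemes behave inconsistently. A check on the originally requested value keeps the auto fallback intact: `if test "x$enable_authentication_scheme" = "xbsdauth" -a "x$have_bsdauth" != "xyes"; then AC_MSG_ERROR([BSD Authentication requested but not available]); fi`.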
@@ -506,7 +557,7 @@ fi
 AC_SUBST(PAM_PREFIX)
 
 have_pam=no
-if test "x$enable_locking" = "xyes" -a "x$have_bsdauth" = "xno"; then
+if test "x$enable_locking" = "xyes" -a "x$have_bsdauth" != "xyes" -a "x$have_passwd_helper" != "xyes"; then
 AC_CHECK_LIB(pam, pam_start, have_pam=yes)
 fi
 
@@ -546,7 +597,7 @@ if test "x$have_pam" = "xyes"; then
           AC_MSG_RESULT(unknown)
         fi
 
-elif test "x$have_bsdauth" = "xno"; then
+elif test "x$have_bsdauth" != "xyes" -a "x$have_passwd_helper" != "xyes"; then
 	AC_MSG_ERROR("PAM libraries not found")
 fi
 AC_SUBST(HAVE_PAM)
@@ -776,7 +827,8 @@ echo "
 
         systemd:                  ${use_systemd}
         ConsoleKit:               ${use_console_kit}
-"
+
+        Authentication scheme:    ${AUTH_SCHEME}"
 
 if test "x$have_pam" = "xyes" ; then
 echo "\
@@ -785,3 +837,9 @@ echo "\
 "
 fi
 
+if test "x$have_passwd_helper" = "xyes" ; then
+echo "\
+        Password helper:          ${with_passwd_helper}
+
+"
+fi
Index: cinnamon-screensaver-1.7.1/src/Makefile.am
===================================================================
--- cinnamon-screensaver-1.7.1.orig/src/Makefile.am
+++ cinnamon-screensaver-1.7.1/src/Makefile.am
@@ -142,6 +142,12 @@ cinnamon_screensaver_dialog_SOURCES = 	\
 	$(AUTH_SOURCES)			\
 	$(NULL)
 
+EXTRA_cinnamon_screensaver_dialog_SOURCES = \
+	gs-auth-pam.c		\
+	gs-auth-helper.c	\
+	gs-auth-bsdauth.c	\
+	$(NULL)
+ 
 cinnamon_screensaver_dialog_LDADD =	\
 	$(CINNAMON_SCREENSAVER_DIALOG_LIBS)\
 	$(SAVER_LIBS)			\
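Review bot: Listing `gs-auth-helper.c` under `EXTRA_cinnamon_screensaver_dialog_SOURCES` only makes automake aware of the file; whether it is compiled depends on `$(AUTH_SOURCES)`, which is defined outside this hunk. None of the configure.ac hunks shown adds `AC_SUBST(AUTH_SCHEME)` or changes `AUTH_SOURCES`, so confirm that the unpatched tree already derives `AUTH_SOURCES` from `@AUTH_SCHEME@`. If it does not, the dialog would presumably still build its existing backend while the configure summary reports `helper`. The list also names `gs-auth-bsdauth.c`, which this patch does not add, so that file must already be in the source tree.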
Index: cinnamon-screensaver-1.7.1/src/gs-auth-helper.c
===================================================================
--- /dev/null
+++ cinnamon-screensaver-1.7.1/src/gs-auth-helper.c
@@ -0,0 +1,198 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * written by Olaf Kirch <okir@suse.de>
+ * xscreensaver, Copyright (c) 1993-2004 Jamie Zawinski <jwz@jwz.org>
+ *
+ * Permission to use, copy, modify, distribute, and sell this software and its
+ * documentation for any purpose is hereby granted without fee, provided that
+ * the above copyright notice appear in all copies and that both that
+ * copyright notice and this permission notice appear in supporting
+ * documentation.  No representations are made about the suitability of this
+ * software for any purpose.  It is provided "as is" without express or
+ * implied warranty.
+ */
+
+/* The idea here is to be able to run cinnamon-screensaver-dialog without any setuid bits.
+ * Password verification happens through an external program that you feed
+ * your password to on stdin.  The external command is invoked with a user
+ * name argument.
+ *
+ * The external helper does whatever authentication is necessary.  Currently,
+ * SuSE uses "unix2_chkpwd", which is a variation of "unix_chkpwd" from the
+ * PAM distribution.
+ *
+ * Normally, the password helper should just authenticate the calling user
+ * (i.e. based on the caller's real uid).  This is in order to prevent
+ * brute-forcing passwords in a shadow environment.  A less restrictive
+ * approach would be to allow verifying other passwords as well, but always
+ * with a 2 second delay or so.  (Not sure what SuSE's "unix2_chkpwd"
+ * currently does.)
+ *                         -- Olaf Kirch <okir@suse.de>, 16-Dec-2003
+ */
+
+#include "config.h"
+
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+# include <unistd.h>
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include <pwd.h>
+#include <errno.h>
+#include <sys/wait.h>
+
+#include <glib.h>
+#include <glib/gstdio.h>
+
+#include "gs-auth.h"
+#include "subprocs.h"
+
+static gboolean verbose_enabled = FALSE;
+
+GQuark
+gs_auth_error_quark (void)
+{
+        static GQuark quark = 0;
+        if (! quark) {
+                quark = g_quark_from_static_string ("gs_auth_error");
+        }
+
+        return quark;
+}
+
+void
+gs_auth_set_verbose (gboolean enabled)
+{
+        verbose_enabled = enabled;
+}
+
+gboolean
+gs_auth_get_verbose (void)
+{
+        return verbose_enabled;
+}
+
+static gboolean
+ext_run (const char *user,
+         const char *typed_passwd,
+         gboolean    verbose)
+{
+        int   pfd[2], status;
+        pid_t pid;
+
+        if (pipe (pfd) < 0) {
+                return 0;
+        }
+
+        if (verbose) {
+                g_message ("ext_run (%s, %s)",
+                           PASSWD_HELPER_PROGRAM, user);
+        }
+
+        block_sigchld ();
+
+        if ((pid = fork ()) < 0) {
+                close (pfd [0]);
+                close (pfd [1]);
+                return FALSE;
+        }
+
+        if (pid == 0) {
+                close (pfd [1]);
+                if (pfd [0] != 0) {
+                        dup2 (pfd [0], 0);
+                }
+
+                /* Helper is invoked as helper service-name [user] */
+                execlp (PASSWD_HELPER_PROGRAM, PASSWD_HELPER_PROGRAM, "cinnamon-screensaver", user, NULL);
+                if (verbose) {
+                        g_message ("%s: %s", PASSWD_HELPER_PROGRAM, g_strerror (errno));
+                }
+
+                exit (1);
+        }
+
+        close (pfd [0]);
+
+        /* Write out password to helper process */
+        if (!typed_passwd) {
+                typed_passwd = "";
+        }
+        write (pfd [1], typed_passwd, strlen (typed_passwd));
+        close (pfd [1]);
+
+        while (waitpid (pid, &status, 0) < 0) {
+                if (errno == EINTR) {
+                        continue;
+                }
+
+                if (verbose) {
+                        g_message ("ext_run: waitpid failed: %s\n",
+                                   g_strerror (errno));
+                }
+
+                unblock_sigchld ();
+                return FALSE;
+        }
+
+        unblock_sigchld ();
+
+        if (! WIFEXITED (status) || WEXITSTATUS (status) != 0) {
+                return FALSE;
+        }
+
+        return TRUE;
+}
+
+gboolean
+gs_auth_verify_user (const char       *username,
+                     const char       *display,
+                     GSAuthMessageFunc func,
+                     gpointer          data,
+                     GError          **error)
+{
+        gboolean       res = FALSE;
+        char          *password;
+
+        password = NULL;
+
+        /* ask for the password for user */
+        if (func != NULL) {
+                func (GS_AUTH_MESSAGE_PROMPT_ECHO_OFF,
+                      "Password: ",
+                      &password,
+                      data);
+        }
+
+        if (password == NULL) {
+                return FALSE;
+        }
+
+        res = ext_run (username, password, gs_auth_get_verbose ());
+
+        return res;
+}
+
+gboolean
+gs_auth_init (void)
+{
+        return TRUE;
+}
+
+gboolean
+gs_auth_priv_init (void)
+{
+        /* Make sure the passwd helper exists */
+        if (g_access (PASSWD_HELPER_PROGRAM, X_OK) < 0) {
+                g_warning ("%s does not exist. "
+                           "password authentication via "
+                           "external helper will not work.",
+                           PASSWD_HELPER_PROGRAM);
+                return FALSE;
+        }
+
+        return TRUE;
+}
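Review bot: In `gs_auth_verify_user` the plaintext `password` from the prompt callback is passed to `ext_run` and then dropped without being wiped or freed, so it stays in the dialog's heap after every unlock attempt. If the callback transfers ownership (confirm against the other gs-auth backends), clear it with a call the compiler cannot elide and free it before returning. In `ext_run` the `write` result is ignored, so a short write lets the helper judge a truncated password, and the fork-failure path returns with SIGCHLD still blocked because `unblock_sigchld ()` is never called. The child should use `_exit (1)` after a failed exec so it does not run the parent's atexit handlers or flush its stdio buffers. `gs_auth_verify_user` also never sets `*error`, so callers cannot tell a wrong password from a helper that failed to run.

```c
        if ((pid = fork ()) < 0) {
                close (pfd [0]);
                close (pfd [1]);
                unblock_sigchld ();   /* do not leave SIGCHLD blocked on failure */
                return FALSE;
        }

        /* … unchanged: child branch, with exit (1) replaced by _exit (1) … */

        /* Write out password to helper process; treat a short write as failure */
        if (!typed_passwd) {
                typed_passwd = "";
        }
        remaining = strlen (typed_passwd);
        write_ok = TRUE;
        while (remaining > 0) {
                ssize_t n = write (pfd [1], typed_passwd, remaining);
                if (n < 0) {
                        if (errno == EINTR) {
                                continue;
                        }
                        write_ok = FALSE;
                        break;
                }
                typed_passwd += n;
                remaining -= (size_t) n;
        }
        close (pfd [1]);

        /* … unchanged: waitpid loop and unblock_sigchld () … */

        if (! write_ok || ! WIFEXITED (status) || WEXITSTATUS (status) != 0) {
                return FALSE;
        }

        /* … in gs_auth_verify_user, after the ext_run call … */
        res = ext_run (username, password, gs_auth_get_verbose ());

        /* assumes the callback hands over ownership of the buffer; confirm */
        explicit_bzero (password, strlen (password));   /* or an equivalent non-elidable wipe */
        g_free (password);
```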