File gnome-screensaver-helper.patch of Package gnome-screensaver
reverted:
Index: gnome-screensaver-2.91.91/configure.ac
===================================================================
--- gnome-screensaver-2.91.91.orig/configure.ac
+++ gnome-screensaver-2.91.91/configure.ac
@@ -555,6 +555,75 @@ if test "x$have_pam" = "xyes"; then
fi
+# Check for external password helper
+# On SuSE, instead of having xscreensaver be a setuid program, they
+# fork an external program that takes the password on stdin, and
+# returns true if that password is a valid one. Then only that
+# smaller program needs to be setuid.
+#
+# (Note that this external program is not a GUI: the GUI is still
+# all in xscreensaver itself; the external program just does auth.)
+
+have_passwd_helper=no
+with_passwd_helper_req=unspecified
+
+AC_ARG_WITH(passwd-helper,
+[ --with-passwd-helper Include support for an external password
+ verification helper program.],
+ [with_passwd_helper="$withval"; with_passwd_helper_req="$withval"],[with_passwd_helper=no])
+# no HANDLE_X_PATH_ARG for this one
+
+if test "$enable_locking" = no ; then
+ with_passwd_helper_req=no
+ with_passwd_helper=no
+fi
+
+case "$with_passwd_helper" in
+ ""|no) : ;;
+ /*)
+ AC_DEFINE_UNQUOTED(PASSWD_HELPER_PROGRAM, "$with_passwd_helper", [Full pathname of password helper application])
+ have_passwd_helper=yes;;
+ *)
+ echo "error: --with-passwd-helper needs full pathname of helper (not '$with_passwd_helper')." >&2
+ exit 1
+esac
+AM_CONDITIONAL(HAVE_PASSWD_HELPER, test x$have_passwd_helper = xyes)
+AC_SUBST(HAVE_PASSWD_HELPER)
+
+dnl ---------------------------------------------------------------------------
+dnl Authentication scheme
+dnl ---------------------------------------------------------------------------
+
+AC_ARG_ENABLE(authentication-scheme,
+ [ --enable-authentication-scheme=[auto/pam/helper] Choose a specific
+ authentication scheme [default=auto]],,
+ enable_authentication_scheme=auto)
+
+AUTH_SCHEME="auth-pam"
+
+if test x$enable_authentication_scheme = xpam -a x$have_pam = xno ; then
+ AC_MSG_ERROR(PAM support requested but not available)
+fi
+if test x$enable_authentication_scheme = xhelper -a x$have_passwd_helper = xno ; then
+ AC_MSG_ERROR(Password helper support requested but not available)
+fi
+
+if test x$enable_authentication_scheme = xpam ; then
+ AUTH_SCHEME="pam"
+elif test x$enable_authentication_scheme = xhelper ; then
+ AUTH_SCHEME="helper"
+elif test x$enable_authentication_scheme = xauto ; then
+ if test x$have_pam != xno ; then
+ AUTH_SCHEME="pam"
+ elif test x$have_passwd_helper != xno ; then
+ AUTH_SCHEME="helper"
+ fi
+else
+ AC_MSG_ERROR(Unknown authentication scheme)
+fi
+
+AC_SUBST(AUTH_SCHEME)
+
dnl ---------------------------------------------------------------------------
dnl libgnomekbd
dnl ---------------------------------------------------------------------------
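Review bot: `AUTH_SCHEME` starts as `"auth-pam"`, and the `auto` branch leaves it unchanged when neither PAM nor a password helper was found, so the `gs-auth-@AUTH_SCHEME@.c` entry added to src/Makefile.am would expand to `gs-auth-auth-pam.c`. For a screen locker it is safer to stop at configure time: add a final `else` to the inner `if` under `xauto` with `AC_MSG_ERROR(No usable authentication scheme found)`, and drop the `"auth-pam"` default. The `*)` arm of the `case` reports its error with `echo ... >&2; exit 1`, where `AC_MSG_ERROR` would match the other checks in this hunk. `AC_SUBST(HAVE_PASSWD_HELPER)` substitutes an upper-case shell variable that this hunk never assigns (only `have_passwd_helper` is set), so it looks redundant next to the `AM_CONDITIONAL`.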
@@ -731,6 +800,9 @@ echo "
Screen locking enabled: ${enable_locking}
Show keyboard indicator: ${with_kbd_layout_indicator}
PAM prefix: ${PAM_PREFIX}
+ Have password helper: ${have_passwd_helper}
+ Authentication scheme: ${AUTH_SCHEME}"
+
-"
+echo ""
Index: gnome-screensaver-2.91.91/src/Makefile.am
===================================================================
--- gnome-screensaver-2.91.91.orig/src/Makefile.am
+++ gnome-screensaver-2.91.91/src/Makefile.am
@@ -63,6 +63,11 @@ gnome_screensaver_command_LDADD = \
$(GNOME_SCREENSAVER_COMMAND_LIBS) \
$(NULL)
+AUTH_SOURCES = \
+ gs-auth.h \
+ gs-auth-@AUTH_SCHEME@.c \
+ $(NULL)
+
test_fade_SOURCES = \
test-fade.c \
gs-fade.c \
@@ -78,8 +83,7 @@ test_fade_LDADD = \
test_passwd_SOURCES = \
test-passwd.c \
- gs-auth.h \
- gs-auth-pam.c \
+ $(AUTH_SOURCES) \
setuid.c \
setuid.h \
subprocs.c \
@@ -136,8 +140,13 @@ gnome_screensaver_dialog_SOURCES = \
setuid.h \
subprocs.c \
subprocs.h \
- gs-auth.h \
- gs-auth-pam.c \
+ $(AUTH_SOURCES) \
+ $(NULL)
+
+EXTRA_gnome_screensaver_dialog_SOURCES = \
+ gs-auth-pam.c \
+ gs-auth-helper.c \
+ gs-auth-pwent.c \
$(NULL)
gnome_screensaver_dialog_LDADD = \
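Review bot: `EXTRA_gnome_screensaver_dialog_SOURCES` lists `gs-auth-pwent.c`, but the configure.ac part of this patch only ever sets `AUTH_SCHEME` to `pam` or `helper`, so that backend cannot be selected through `--enable-authentication-scheme`. Either drop it from the list or add the scheme to configure, so the set of compilable authentication backends matches what can actually be chosen. The previous hunk also switches `test_passwd_SOURCES` to `$(AUTH_SOURCES)`, yet no `EXTRA_test_passwd_SOURCES` appears in the visible hunks. Adding `EXTRA_test_passwd_SOURCES = gs-auth-pam.c gs-auth-helper.c` would declare the alternatives for both programs consistently.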
Index: gnome-screensaver-2.91.91/src/gs-auth-helper.c
===================================================================
--- /dev/null
+++ gnome-screensaver-2.91.91/src/gs-auth-helper.c
@@ -0,0 +1,198 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * written by Olaf Kirch <okir@suse.de>
+ * xscreensaver, Copyright (c) 1993-2004 Jamie Zawinski <jwz@jwz.org>
+ *
+ * Permission to use, copy, modify, distribute, and sell this software and its
+ * documentation for any purpose is hereby granted without fee, provided that
+ * the above copyright notice appear in all copies and that both that
+ * copyright notice and this permission notice appear in supporting
+ * documentation. No representations are made about the suitability of this
+ * software for any purpose. It is provided "as is" without express or
+ * implied warranty.
+ */
+
+/* The idea here is to be able to run gnome-screensaver-dialog without any setuid bits.
+ * Password verification happens through an external program that you feed
+ * your password to on stdin. The external command is invoked with a user
+ * name argument.
+ *
+ * The external helper does whatever authentication is necessary. Currently,
+ * SuSE uses "unix2_chkpwd", which is a variation of "unix_chkpwd" from the
+ * PAM distribution.
+ *
+ * Normally, the password helper should just authenticate the calling user
+ * (i.e. based on the caller's real uid). This is in order to prevent
+ * brute-forcing passwords in a shadow environment. A less restrictive
+ * approach would be to allow verifying other passwords as well, but always
+ * with a 2 second delay or so. (Not sure what SuSE's "unix2_chkpwd"
+ * currently does.)
+ * -- Olaf Kirch <okir@suse.de>, 16-Dec-2003
+ */
+
+#include "config.h"
+
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+# include <unistd.h>
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include <pwd.h>
+#include <errno.h>
+#include <sys/wait.h>
+
+#include <glib.h>
+#include <glib/gstdio.h>
+
+#include "gs-auth.h"
+#include "subprocs.h"
+
+static gboolean verbose_enabled = FALSE;
+
+GQuark
+gs_auth_error_quark (void)
+{
+ static GQuark quark = 0;
+ if (! quark) {
+ quark = g_quark_from_static_string ("gs_auth_error");
+ }
+
+ return quark;
+}
+
+void
+gs_auth_set_verbose (gboolean enabled)
+{
+ verbose_enabled = enabled;
+}
+
+gboolean
+gs_auth_get_verbose (void)
+{
+ return verbose_enabled;
+}
+
+static gboolean
+ext_run (const char *user,
+ const char *typed_passwd,
+ gboolean verbose)
+{
+ int pfd[2], status;
+ pid_t pid;
+
+ if (pipe (pfd) < 0) {
+ return 0;
+ }
+
+ if (verbose) {
+ g_message ("ext_run (%s, %s)",
+ PASSWD_HELPER_PROGRAM, user);
+ }
+
+ block_sigchld ();
+
+ if ((pid = fork ()) < 0) {
+ close (pfd [0]);
+ close (pfd [1]);
+ return FALSE;
+ }
+
+ if (pid == 0) {
+ close (pfd [1]);
+ if (pfd [0] != 0) {
+ dup2 (pfd [0], 0);
+ }
+
+ /* Helper is invoked as helper service-name [user] */
+ execlp (PASSWD_HELPER_PROGRAM, PASSWD_HELPER_PROGRAM, "gnome-screensaver", user, NULL);
+ if (verbose) {
+ g_message ("%s: %s", PASSWD_HELPER_PROGRAM, g_strerror (errno));
+ }
+
+ exit (1);
+ }
+
+ close (pfd [0]);
+
+ /* Write out password to helper process */
+ if (!typed_passwd) {
+ typed_passwd = "";
+ }
+ write (pfd [1], typed_passwd, strlen (typed_passwd));
+ close (pfd [1]);
+
+ while (waitpid (pid, &status, 0) < 0) {
+ if (errno == EINTR) {
+ continue;
+ }
+
+ if (verbose) {
+ g_message ("ext_run: waitpid failed: %s\n",
+ g_strerror (errno));
+ }
+
+ unblock_sigchld ();
+ return FALSE;
+ }
+
+ unblock_sigchld ();
+
+ if (! WIFEXITED (status) || WEXITSTATUS (status) != 0) {
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+gboolean
+gs_auth_verify_user (const char *username,
+ const char *display,
+ GSAuthMessageFunc func,
+ gpointer data,
+ GError **error)
+{
+ gboolean res = FALSE;
+ char *password;
+
+ password = NULL;
+
+ /* ask for the password for user */
+ if (func != NULL) {
+ func (GS_AUTH_MESSAGE_PROMPT_ECHO_OFF,
+ "Password: ",
+ &password,
+ data);
+ }
+
+ if (password == NULL) {
+ return FALSE;
+ }
+
+ res = ext_run (username, password, gs_auth_get_verbose ());
+
+ return res;
+}
+
+gboolean
+gs_auth_init (void)
+{
+ return TRUE;
+}
+
+gboolean
+gs_auth_priv_init (void)
+{
+ /* Make sure the passwd helper exists */
+ if (g_access (PASSWD_HELPER_PROGRAM, X_OK) < 0) {
+ g_warning ("%s does not exist. "
+ "password authentication via "
+ "external helper will not work.",
+ PASSWD_HELPER_PROGRAM);
+ return FALSE;
+ }
+
+ return TRUE;
+}
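Review bot: ext_run() mishandles three error paths: the `fork () < 0` branch returns without calling `unblock_sigchld ()`, the `write ()` of the password ignores its return value so a short or failed write looks the same as a wrong password, and the child calls `exit (1)` after a failed `execlp`, which runs the parent's atexit handlers and stdio flushes in the child where `_exit (1)` would not. If the helper exits before reading stdin, the write can also raise SIGPIPE in the dialog process; whether that signal is ignored is not visible in this file. Separately, gs_auth_verify_user() never sets `*error` on failure and never clears or frees `password` after `ext_run` returns. Ownership of that buffer is decided by the `func` callback, which is outside this patch, so confirm it before adding a scrub-and-free. A sketch of the ext_run changes follows.

```c
        int      pfd[2], status;
        gboolean write_ok = FALSE;
        /* … unchanged: pid declaration, pipe (), verbose message, block_sigchld () … */

        if ((pid = fork ()) < 0) {
                close (pfd [0]);
                close (pfd [1]);
                unblock_sigchld ();     /* was left blocked on this path */
                return FALSE;
        }

        if (pid == 0) {
                /* … unchanged: close write end, dup2 read end onto stdin, execlp, verbose message … */
                _exit (1);              /* do not run the parent's exit handlers in the child */
        }

        /* … unchanged: close read end, NULL password becomes "" … */
        {
                const char *p    = typed_passwd;
                size_t      left = strlen (typed_passwd);

                while (left > 0) {
                        ssize_t n = write (pfd [1], p, left);
                        if (n < 0) {
                                if (errno == EINTR) {
                                        continue;
                                }
                                break;
                        }
                        p    += n;
                        left -= (size_t) n;
                }
                write_ok = (left == 0);
        }
        close (pfd [1]);

        /* … unchanged: waitpid loop, unblock_sigchld () … */

        /* Fail closed if the helper never received the whole password. */
        if (! write_ok || ! WIFEXITED (status) || WEXITSTATUS (status) != 0) {
                return FALSE;
        }
```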