File gnome-screensaver-helper.patch of Package gnome-screensaver
reverted:
Index: gnome-screensaver-3.2.1/configure.ac
===================================================================
--- gnome-screensaver-3.2.1.orig/configure.ac
+++ gnome-screensaver-3.2.1/configure.ac
@@ -448,6 +448,55 @@ if test "$ac_macosx" = yes; then
fi
dnl ---------------------------------------------------------------------------
+dnl Authentication scheme
+dnl ---------------------------------------------------------------------------
+
+AC_ARG_ENABLE(authentication-scheme,
+ AS_HELP_STRING([--enable-authentication-scheme=@<:@auto/pam/helper@:>@],
+ [Choose a specific authentication scheme @<:@default=auto@:>@]),
+ , [enable_authentication_scheme=auto])
+
+AUTH_SCHEME=$enable_authentication_scheme
+
+dnl ---------------------------------------------------------------------------
+dnl - Check for external password helper (SUSE)
+dnl ---------------------------------------------------------------------------
+# On SuSE, instead of having xscreensaver be a setuid program, they
+# fork an external program that takes the password on stdin, and
+# returns true if that password is a valid one. Then only that
+# smaller program needs to be setuid.
+#
+# (Note that this external program is not a GUI: the GUI is still
+# all in xscreensaver itself; the external program just does auth.)
+
+AC_ARG_WITH(passwd-helper,
+ AS_HELP_STRING([--with-passwd-helper],
+ [Include support for an external password verification helper program.]),
+ [with_passwd_helper="$withval"],
+ [with_passwd_helper=no])
+
+have_passwd_helper=no
+
+if test "x$AUTH_SCHEME" = "xhelper" -o "x$AUTH_SCHEME" = "xauto"; then
+ if test "$enable_locking" = no ; then
+ with_passwd_helper=no
+ fi
+
+ case "$with_passwd_helper" in
+ ""|no)
+ if test "x$AUTH_SCHEME" = "xhelper"; then
+ AC_MSG_ERROR([Password helper support requested --with-passwd-helper not used])
+ fi;;
+ /*)
+ AC_DEFINE_UNQUOTED(PASSWD_HELPER_PROGRAM, "$with_passwd_helper", [Full pathname of password helper application])
+ have_passwd_helper=yes
+ AUTH_SCHEME=helper;;
+ *)
+ AC_MSG_ERROR(["--with-passwd-helper needs full pathname of helper, not '$with_passwd_helper'"]);;
+ esac
+fi
+
+dnl ---------------------------------------------------------------------------
dnl - Check for bsd_auth(3) (OpenBSD)
dnl ---------------------------------------------------------------------------
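Review bot: The value of `--enable-authentication-scheme` is copied into `AUTH_SCHEME` without validation, so a misspelled scheme skips both the helper branch here and the bsdauth branch in the next hunk and configure carries on as if PAM had been chosen. The help string also lists only `auto/pam/helper`, although the following hunk accepts `bsdauth`. Reject unknown values right after the assignment, for example `case "$AUTH_SCHEME" in auto|pam|helper|bsdauth) ;; *) AC_MSG_ERROR([unknown authentication scheme: $AUTH_SCHEME]) ;; esac`, and add `bsdauth` to the help text. Separately, `--with-passwd-helper=/path` combined with an explicit `pam` scheme is dropped without any message; a warning there would make it harder to ship a build whose unlock path differs from the intended one.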
@@ -455,28 +504,30 @@ have_bsdauth=no
with_bsdauth_req=unspecified
NEED_SETUID=no
-case "$host" in
- *-openbsd*)
- with_bsdauth=yes
- AUTH_SCHEME=bsdauth
- NEED_SETUID=no
- if test "x$enable_locking" = "xyes"; then
- with_bsdauth_req=yes
- NEED_SETUID=yes
+if test "x$AUTH_SCHEME" = "xbsdauth" -o "x$AUTH_SCHEME" = "xauto"; then
+ case "$host" in
+ *-openbsd*)
+ with_bsdauth=yes
+ AUTH_SCHEME=bsdauth
+ NEED_SETUID=no
+ if test "x$enable_locking" = "xyes"; then
+ with_bsdauth_req=yes
+ NEED_SETUID=yes
+ fi
+ esac
+
+ if test "$with_bsdauth" = yes ; then
+ AC_CACHE_CHECK([for BSD Authentication], ac_cv_bsdauth,
+ [AC_TRY_X_COMPILE([#include <stdlib.h>
+ #include <unistd.h>
+ #include <sys/types.h>
+ #include <bsd_auth.h>],
+ [int ok = auth_userokay("x", 0, "x", "x");],
+ [ac_cv_bsdauth=yes],
+ [ac_cv_bsdauth=no])])
+ if test "$ac_cv_bsdauth" = yes; then
+ have_bsdauth=yes
fi
-esac
-
-if test "$with_bsdauth" = yes ; then
- AC_CACHE_CHECK([for BSD Authentication], ac_cv_bsdauth,
- [AC_TRY_X_COMPILE([#include <stdlib.h>
- #include <unistd.h>
- #include <sys/types.h>
- #include <bsd_auth.h>],
- [int ok = auth_userokay("x", 0, "x", "x");],
- [ac_cv_bsdauth=yes],
- [ac_cv_bsdauth=no])])
- if test "$ac_cv_bsdauth" = yes; then
- have_bsdauth=yes
fi
fi
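Review bot: An explicit `--enable-authentication-scheme=bsdauth` that cannot be satisfied is not reported. On a host that does not match `*-openbsd*`, or when the `auth_userokay` compile test fails, `have_bsdauth` stays `no` while `AUTH_SCHEME` may still read `bsdauth`. The later hunks then take the PAM path, because they test only `have_bsdauth` and `have_passwd_helper`. The helper branch in the previous hunk fails hard in the equivalent situation, and this branch should do the same after the compile check: `if test "x$AUTH_SCHEME" = "xbsdauth" -a "x$have_bsdauth" != "xyes"; then AC_MSG_ERROR([BSD Authentication requested but not usable]); fi`. In `auto` mode on OpenBSD, `AUTH_SCHEME=bsdauth` is also assigned before the check has passed; setting it only once `have_bsdauth=yes` would keep the printed summary in step with what is actually built.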
@@ -506,7 +557,7 @@ fi
AC_SUBST(PAM_PREFIX)
have_pam=no
-if test "x$enable_locking" = "xyes" -a "x$have_bsdauth" = "xno"; then
+if test "x$enable_locking" = "xyes" -a "x$have_bsdauth" != "xyes" -a "x$have_passwd_helper" != "xyes"; then
AC_CHECK_LIB(pam, pam_start, have_pam=yes)
fi
@@ -546,7 +597,7 @@ if test "x$have_pam" = "xyes"; then
AC_MSG_RESULT(unknown)
fi
-elif test "x$have_bsdauth" = "xno"; then
+elif test "x$have_bsdauth" != "xyes" -a "x$have_passwd_helper" != "xyes"; then
AC_MSG_ERROR("PAM libraries not found")
fi
AC_SUBST(HAVE_PAM)
@@ -776,7 +827,8 @@ echo "
systemd: ${use_systemd}
ConsoleKit: ${use_console_kit}
-"
+
+ Authentication scheme: ${AUTH_SCHEME}"
if test "x$have_pam" = "xyes" ; then
echo "\
@@ -785,3 +837,9 @@ echo "\
"
fi
+if test "x$have_passwd_helper" = "xyes" ; then
+echo "\
+ Password helper: ${with_passwd_helper}
+
+"
+fi
Index: gnome-screensaver-3.2.1/src/Makefile.am
===================================================================
--- gnome-screensaver-3.2.1.orig/src/Makefile.am
+++ gnome-screensaver-3.2.1/src/Makefile.am
@@ -142,6 +142,12 @@ gnome_screensaver_dialog_SOURCES = \
$(AUTH_SOURCES) \
$(NULL)
+EXTRA_gnome_screensaver_dialog_SOURCES = \
+ gs-auth-pam.c \
+ gs-auth-helper.c \
+ gs-auth-bsdauth.c \
+ $(NULL)
+
gnome_screensaver_dialog_LDADD = \
$(GNOME_SCREENSAVER_DIALOG_LIBS)\
$(SAVER_LIBS) \
Index: gnome-screensaver-3.2.1/src/gs-auth-helper.c
===================================================================
--- /dev/null
+++ gnome-screensaver-3.2.1/src/gs-auth-helper.c
@@ -0,0 +1,198 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * written by Olaf Kirch <okir@suse.de>
+ * xscreensaver, Copyright (c) 1993-2004 Jamie Zawinski <jwz@jwz.org>
+ *
+ * Permission to use, copy, modify, distribute, and sell this software and its
+ * documentation for any purpose is hereby granted without fee, provided that
+ * the above copyright notice appear in all copies and that both that
+ * copyright notice and this permission notice appear in supporting
+ * documentation. No representations are made about the suitability of this
+ * software for any purpose. It is provided "as is" without express or
+ * implied warranty.
+ */
+
+/* The idea here is to be able to run gnome-screensaver-dialog without any setuid bits.
+ * Password verification happens through an external program that you feed
+ * your password to on stdin. The external command is invoked with a user
+ * name argument.
+ *
+ * The external helper does whatever authentication is necessary. Currently,
+ * SuSE uses "unix2_chkpwd", which is a variation of "unix_chkpwd" from the
+ * PAM distribution.
+ *
+ * Normally, the password helper should just authenticate the calling user
+ * (i.e. based on the caller's real uid). This is in order to prevent
+ * brute-forcing passwords in a shadow environment. A less restrictive
+ * approach would be to allow verifying other passwords as well, but always
+ * with a 2 second delay or so. (Not sure what SuSE's "unix2_chkpwd"
+ * currently does.)
+ * -- Olaf Kirch <okir@suse.de>, 16-Dec-2003
+ */
+
+#include "config.h"
+
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+# include <unistd.h>
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include <pwd.h>
+#include <errno.h>
+#include <sys/wait.h>
+
+#include <glib.h>
+#include <glib/gstdio.h>
+
+#include "gs-auth.h"
+#include "subprocs.h"
+
+static gboolean verbose_enabled = FALSE;
+
+GQuark
+gs_auth_error_quark (void)
+{
+ static GQuark quark = 0;
+ if (! quark) {
+ quark = g_quark_from_static_string ("gs_auth_error");
+ }
+
+ return quark;
+}
+
+void
+gs_auth_set_verbose (gboolean enabled)
+{
+ verbose_enabled = enabled;
+}
+
+gboolean
+gs_auth_get_verbose (void)
+{
+ return verbose_enabled;
+}
+
+static gboolean
+ext_run (const char *user,
+ const char *typed_passwd,
+ gboolean verbose)
+{
+ int pfd[2], status;
+ pid_t pid;
+
+ if (pipe (pfd) < 0) {
+ return 0;
+ }
+
+ if (verbose) {
+ g_message ("ext_run (%s, %s)",
+ PASSWD_HELPER_PROGRAM, user);
+ }
+
+ block_sigchld ();
+
+ if ((pid = fork ()) < 0) {
+ close (pfd [0]);
+ close (pfd [1]);
+ return FALSE;
+ }
+
+ if (pid == 0) {
+ close (pfd [1]);
+ if (pfd [0] != 0) {
+ dup2 (pfd [0], 0);
+ }
+
+ /* Helper is invoked as helper service-name [user] */
+ execlp (PASSWD_HELPER_PROGRAM, PASSWD_HELPER_PROGRAM, "gnome-screensaver", user, NULL);
+ if (verbose) {
+ g_message ("%s: %s", PASSWD_HELPER_PROGRAM, g_strerror (errno));
+ }
+
+ exit (1);
+ }
+
+ close (pfd [0]);
+
+ /* Write out password to helper process */
+ if (!typed_passwd) {
+ typed_passwd = "";
+ }
+ write (pfd [1], typed_passwd, strlen (typed_passwd));
+ close (pfd [1]);
+
+ while (waitpid (pid, &status, 0) < 0) {
+ if (errno == EINTR) {
+ continue;
+ }
+
+ if (verbose) {
+ g_message ("ext_run: waitpid failed: %s\n",
+ g_strerror (errno));
+ }
+
+ unblock_sigchld ();
+ return FALSE;
+ }
+
+ unblock_sigchld ();
+
+ if (! WIFEXITED (status) || WEXITSTATUS (status) != 0) {
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+gboolean
+gs_auth_verify_user (const char *username,
+ const char *display,
+ GSAuthMessageFunc func,
+ gpointer data,
+ GError **error)
+{
+ gboolean res = FALSE;
+ char *password;
+
+ password = NULL;
+
+ /* ask for the password for user */
+ if (func != NULL) {
+ func (GS_AUTH_MESSAGE_PROMPT_ECHO_OFF,
+ "Password: ",
+ &password,
+ data);
+ }
+
+ if (password == NULL) {
+ return FALSE;
+ }
+
+ res = ext_run (username, password, gs_auth_get_verbose ());
+
+ return res;
+}
+
+gboolean
+gs_auth_init (void)
+{
+ return TRUE;
+}
+
+gboolean
+gs_auth_priv_init (void)
+{
+ /* Make sure the passwd helper exists */
+ if (g_access (PASSWD_HELPER_PROGRAM, X_OK) < 0) {
+ g_warning ("%s does not exist. "
+ "password authentication via "
+ "external helper will not work.",
+ PASSWD_HELPER_PROGRAM);
+ return FALSE;
+ }
+
+ return TRUE;
+}
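Review bot: The typed password is never scrubbed or released in gs_auth_verify_user: after `ext_run` returns, `password` is simply dropped, so the plaintext stays in the dialog's heap (and leaks, if the callback allocates it, which is not visible here). In ext_run the `write` to the pipe is unchecked, so a short or failed write goes unnoticed and the helper's exit status is still trusted; the result should fail closed in that case. The fork-failure path returns after `block_sigchld ()` without calling `unblock_sigchld ()`, leaving SIGCHLD blocked in the dialog process. The child should also leave through `_exit (1)` rather than `exit (1)`, so that a failed exec does not run exit handlers inherited from the parent. The sketch below covers the parent-side changes; where the platform provides `explicit_bzero`, it can replace the volatile wipe loop.

```c
        gboolean wrote_all = TRUE;   /* declared with pfd/status at the top of ext_run */

        if ((pid = fork ()) < 0) {
                close (pfd [0]);
                close (pfd [1]);
                unblock_sigchld ();   /* this path previously returned with SIGCHLD blocked */
                return FALSE;
        }
        /* … unchanged: child branch (dup2 + execlp), ending in _exit (1) … */

        /* Write out password to helper process, retrying short writes */
        {
                const char *p = typed_passwd;
                size_t left = strlen (typed_passwd);

                while (left > 0) {
                        ssize_t n = write (pfd [1], p, left);
                        if (n < 0) {
                                if (errno == EINTR) {
                                        continue;
                                }
                                wrote_all = FALSE;
                                break;
                        }
                        p += n;
                        left -= (size_t) n;
                }
        }
        close (pfd [1]);
        /* … unchanged: waitpid loop and unblock_sigchld … */

        if (! wrote_all || ! WIFEXITED (status) || WEXITSTATUS (status) != 0) {
                return FALSE;
        }

/* in gs_auth_verify_user: */
        res = ext_run (username, password, gs_auth_get_verbose ());

        /* wipe the plaintext before releasing it; the volatile pointer
         * keeps the stores from being optimised away */
        {
                volatile char *p = password;
                while (*p != '\0') {
                        *p++ = '\0';
                }
        }
        g_free (password);   /* assumes func() hands over a g_malloc'd string - confirm */
```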