File i3lock-2.5-use-unix2_chkpwd.diff of Package i3lock

Overview Repositories Revisions Requests Users Attributes Meta

File i3lock-2.5-use-unix2_chkpwd.diff of Package i3lock

Author: Stefan Seyfried <seife+obs@b1-systems.com>
Date:   Sat Feb 15 14:20:27 2014 +0100

add the option to use unix2_chkpwd instead of needing setgid shadow

Index: i3lock-2.8/Makefile
===================================================================
--- i3lock-2.8.orig/Makefile
+++ i3lock-2.8/Makefile
@@ -14,7 +14,11 @@ CFLAGS += -Wall
 CPPFLAGS += -D_GNU_SOURCE
 CFLAGS += $(shell $(PKG_CONFIG) --cflags cairo xcb-dpms xcb-xinerama xcb-atom xcb-image xcb-xkb xkbcommon xkbcommon-x11)
 LIBS += $(shell $(PKG_CONFIG) --libs cairo xcb-dpms xcb-xinerama xcb-atom xcb-image xcb-xkb xkbcommon xkbcommon-x11)
+ifeq ($(USE_UNIX2_CHKPWD),1)
+CFLAGS += -DUSE_UNIX2_CHKPWD=1
+else
 LIBS += -lpam
+endif
 LIBS += -lev
 LIBS += -lm
 
Index: i3lock-2.8/i3lock.c
===================================================================
--- i3lock-2.8.orig/i3lock.c
+++ i3lock-2.8/i3lock.c
@@ -18,7 +18,9 @@
 #include <xcb/xkb.h>
 #include <err.h>
 #include <assert.h>
+#ifndef USE_UNIX2_CHKPWD
 #include <security/pam_appl.h>
+#endif
 #include <getopt.h>
 #include <string.h>
 #include <ev.h>
@@ -29,6 +31,13 @@
 #include <cairo.h>
 #include <cairo/cairo-xcb.h>
 
+#ifdef USE_UNIX2_CHKPWD
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <pwd.h>
+#include <errno.h>
+#endif
+
 #include "i3lock.h"
 #include "xcb.h"
 #include "cursors.h"
@@ -49,7 +58,9 @@ int inactivity_timeout = 30;
 uint32_t last_resolution[2];
 xcb_window_t win;
 static xcb_cursor_t cursor;
+#ifndef USE_UNIX2_CHKPWD
 static pam_handle_t *pam_handle;
+#endif
 int input_position = 0;
 /* Holds the password you enter (in UTF-8). */
 static char password[512];
@@ -235,6 +246,62 @@ static void input_done(void) {
     unlock_state = STATE_STARTED;
     redraw_screen();
 
+#ifdef USE_UNIX2_CHKPWD
+    struct passwd *pw;
+
+    pw = getpwuid(getuid());
+    if (! pw)
+        perror("i3lock: getpwuid() failed");
+    else {
+        int pfd[2], status;
+        pid_t pid;
+
+        if (pipe(pfd) < 0) {
+            perror("i3lock: pipe() failed");
+            goto auth_failed;
+        }
+
+        if ((pid = fork()) < 0) {
+            perror("i3lock: fork() failed");
+            close(pfd[0]);
+            close(pfd[1]);
+            goto auth_failed;
+        }
+
+        if (pid == 0) {
+            close(pfd[1]);
+            if (pfd[0] != 0)
+                dup2(pfd[0], 0);
+
+            /* Helper is invoked as helper service-name [user] */
+            printf("calling '/sbin/unix2_chkpwd i3lock %s'\n", pw->pw_name);
+            execlp("/sbin/unix2_chkpwd", "/sbin/unix2_chkpwd", "i3lock", pw->pw_name, NULL);
+            perror("i3lock: execlp(/sbin/unix2_chkpwd)");
+            exit(1);
+        }
+
+        close(pfd[0]);
+        /* Write out password to helper process */
+        write(pfd[1], password, strlen(password));
+        close(pfd[1]);
+
+        while (waitpid(pid, &status, 0) < 0) {
+            if (errno == EINTR)
+                continue;
+            perror("i3lock: waitpid() failed");
+            goto auth_failed;
+        }
+
+        if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
+            goto auth_failed;
+        endpwent();
+        DEBUG("successfully authenticated\n");
+        clear_password_memory();
+        exit(0);
+    }
+ auth_failed:
+    endpwent();
+#else
     if (pam_authenticate(pam_handle, 0) == PAM_SUCCESS) {
         DEBUG("successfully authenticated\n");
         clear_password_memory();
@@ -248,7 +315,7 @@ static void input_done(void) {
 
         exit(0);
     }
-
+#endif
     if (debug_mode)
         fprintf(stderr, "Authentication failure\n");
 
@@ -579,6 +646,7 @@ void handle_screen_resize(void) {
     redraw_screen();
 }
 
+#ifndef USE_UNIX2_CHKPWD
 /*
  * Callback function for PAM. We only react on password request callbacks.
  *
@@ -609,6 +677,7 @@ static int conv_callback(int num_msg, co
 
     return 0;
 }
+#endif
 
 /*
  * This callback is only a dummy, see xcb_prepare_cb and xcb_check_cb.
@@ -764,8 +833,10 @@ int main(int argc, char *argv[]) {
     struct passwd *pw;
     char *username;
     char *image_path = NULL;
+#ifndef USE_UNIX2_CHKPWD
     int ret;
     struct pam_conv conv = {conv_callback, NULL};
+#endif
     int curs_choice = CURS_NONE;
     int o;
     int optind = 0;
@@ -862,12 +933,14 @@ int main(int argc, char *argv[]) {
      * the unlock indicator upon keypresses. */
     srand(time(NULL));
 
+#ifndef USE_UNIX2_CHKPWD
     /* Initialize PAM */
     if ((ret = pam_start("i3lock", username, &conv, &pam_handle)) != PAM_SUCCESS)
         errx(EXIT_FAILURE, "PAM: %s", pam_strerror(pam_handle, ret));
 
     if ((ret = pam_set_item(pam_handle, PAM_TTY, getenv("DISPLAY"))) != PAM_SUCCESS)
         errx(EXIT_FAILURE, "PAM: %s", pam_strerror(pam_handle, ret));
+#endif
 
 /* Using mlock() as non-super-user seems only possible in Linux. Users of other
  * operating systems should use encrypted swap/no swap (or remove the ifdef and

Places

File i3lock-2.5-use-unix2_chkpwd.diff of Package i3lock

Places