author | Baptiste Daroussin <bapt@FreeBSD.org> | 2023-07-12 07:24:06 +0000 |
---|---|---|
committer | Baptiste Daroussin <bapt@FreeBSD.org> | 2023-07-12 07:26:55 +0000 |
commit | b9050914a87578a38b52ad197cbbb34574eb03e7 (patch) | |
tree | 39b725040bdb737746cbe156aea688a9f602237c | |
parent | 25122d0e5673c9ba2f91fe32d806cf3e91d23194 (diff) | |
i3lock: remove the setuid bit
Following swaylock example, by using unix-selfauth-helper and pam_exec
we can avoid requiring setuid bit on i3lock.
Reported by: Mateusz Kocielski <shm@digitalsun.pl>
-rw-r--r-- | deskutils/i3lock/Makefile | 11 | ||||
-rw-r--r-- | deskutils/i3lock/files/i3lock.pam.in | 7 |
2 files changed, 16 insertions, 2 deletions
diff --git a/deskutils/i3lock/Makefile b/deskutils/i3lock/Makefile
index 78a0426807db..a269e22cd3cc 100644
--- a/deskutils/i3lock/Makefile
+++ b/deskutils/i3lock/Makefile
@@ -1,5 +1,6 @@
 PORTNAME= i3lock
 PORTVERSION= 2.13
+PORTREVISION= 1
 CATEGORIES= deskutils x11
 MASTER_SITES= http://i3wm.org/${PORTNAME}/
 
@@ -19,12 +20,17 @@ LIB_DEPENDS= libcairo.so:graphics/cairo \
 libxcb-util.so:x11/xcb-util \
 libxcb-xrm.so:x11/xcb-util-xrm
 
+RUN_DEPENDS= unix-selfauth-helper>0:security/unix-selfauth-helper
+
 MAKE_ARGS= PREFIX="${PREFIX}" X11LIB="${LOCALBASE}/lib" \
 X11INC="${LOCALBASE}/include" CC="${CC}" \
 MANDIR="${MANPREFIX}/man"
 
-PLIST_FILES= "@(,,4755) bin/i3lock" \
- man/man1/i3lock.1.gz
+PLIST_FILES= bin/i3lock \
+ man/man1/i3lock.1.gz \
+ etc/pam.d/i3lock
+
+SUB_FILES= i3lock.pam
 
 USES= gmake iconv localbase pkgconfig tar:bzip2 xorg
 LDFLAGS+= ${ICONV_LIB}
@@ -41,6 +47,7 @@ OPTIONS_DEFINE= DOCS
 post-install:
 @${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/i3lock
 @${RM} ${STAGEDIR}${PREFIX}/etc/pam.d/i3lock
+ @${INSTALL_DATA} ${WRKDIR}/i3lock.pam ${STAGEDIR}${PREFIX}/etc/pam.d/i3lock
 
 post-install-DOCS-on:
 @${MKDIR} ${STAGEDIR}${DOCSDIR}
diff --git a/deskutils/i3lock/files/i3lock.pam.in b/deskutils/i3lock/files/i3lock.pam.in
new file mode 100644
index 000000000000..942be88359ac
--- /dev/null
+++ b/deskutils/i3lock/files/i3lock.pam.in
@@ -0,0 +1,7 @@
+#
+# PAM configuration for the "i3lock" service. i3lock(1) only uses
+# auth facilities.
+#
+
+auth sufficient pam_exec.so return_prog_exit_status expose_authtok %%LOCALBASE%%/libexec/unix-selfauth-helper
+auth include system
|
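Review bot: In the `PLIST_FILES` hunk, `etc/pam.d/i3lock` is packaged as an ordinary file, so an upgrade or reinstall will silently replace any local change an administrator made to the lock-screen authentication policy. Since this file now decides what unlocks the screen, consider shipping it as a sample: install to `${STAGEDIR}${PREFIX}/etc/pam.d/i3lock.sample` in the `post-install` hunk and list `"@sample etc/pam.d/i3lock.sample"` in `PLIST_FILES`. A short pkg-message or UPDATING entry would also help, because a hand-written `/etc/pam.d/i3lock` that predates this change would, as far as I know, take precedence over the file under `${PREFIX}` and stop working once `bin/i3lock` is no longer setuid.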
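Review bot: The header comment in the new `i3lock.pam.in` does not explain why `pam_exec` is the first rule or what happens when the helper fails, which is the security-relevant part of this policy. I would add a comment along the lines of `# i3lock runs without the setuid bit; password verification is delegated to unix-selfauth-helper, which receives the password on stdin via expose_authtok.` and `# If the helper is missing or rejects the password, evaluation continues with "system".` Because the rule is `sufficient` with `return_prog_exit_status`, a zero exit from whatever is installed at `%%LOCALBASE%%/libexec/unix-selfauth-helper` unlocks the screen. The ownership and mode of that binary are therefore part of the trust boundary, presumably enforced by security/unix-selfauth-helper rather than by this port. It would be worth confirming that the `system` fallback fails closed for an unprivileged caller on a default install.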