authorBaptiste Daroussin <bapt@FreeBSD.org>2023-07-12 07:24:06 +0000
committerBaptiste Daroussin <bapt@FreeBSD.org>2023-07-12 07:26:55 +0000
commitb9050914a87578a38b52ad197cbbb34574eb03e7 (patch)
tree39b725040bdb737746cbe156aea688a9f602237c
parent25122d0e5673c9ba2f91fe32d806cf3e91d23194 (diff)
i3lock: remove the setuid bit
Following swaylock's example, by using unix-selfauth-helper and pam_exec we can avoid requiring the setuid bit on i3lock. Reported by: Mateusz Kocielski <shm@digitalsun.pl>
-rw-r--r--deskutils/i3lock/Makefile11
-rw-r--r--deskutils/i3lock/files/i3lock.pam.in7
2 files changed, 16 insertions, 2 deletions
diff --git a/deskutils/i3lock/Makefile b/deskutils/i3lock/Makefile
index 78a0426807db..a269e22cd3cc 100644
--- a/deskutils/i3lock/Makefile
+++ b/deskutils/i3lock/Makefile
@@ -1,5 +1,6 @@
PORTNAME= i3lock
PORTVERSION= 2.13
+PORTREVISION= 1
CATEGORIES= deskutils x11
MASTER_SITES= http://i3wm.org/${PORTNAME}/
@@ -19,12 +20,17 @@ LIB_DEPENDS= libcairo.so:graphics/cairo \
libxcb-util.so:x11/xcb-util \
libxcb-xrm.so:x11/xcb-util-xrm
+RUN_DEPENDS= unix-selfauth-helper>0:security/unix-selfauth-helper
+
MAKE_ARGS= PREFIX="${PREFIX}" X11LIB="${LOCALBASE}/lib" \
X11INC="${LOCALBASE}/include" CC="${CC}" \
MANDIR="${MANPREFIX}/man"
-PLIST_FILES= "@(,,4755) bin/i3lock" \
- man/man1/i3lock.1.gz
+PLIST_FILES= bin/i3lock \
+ man/man1/i3lock.1.gz \
+ etc/pam.d/i3lock
+
+SUB_FILES= i3lock.pam
USES= gmake iconv localbase pkgconfig tar:bzip2 xorg
LDFLAGS+= ${ICONV_LIB}
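Review bot: `etc/pam.d/i3lock` is added to PLIST_FILES as a plain file, so the package now owns that path and a policy an administrator wrote or edited there is likely to be replaced on install or upgrade; the same path is written by the `${INSTALL_DATA}` line in the post-install hunk. Ports usually ship configuration as `etc/pam.d/i3lock.sample` with `"@sample etc/pam.d/i3lock.sample"` in the plist so that local edits survive. The trade-off is that a preserved older policy would lack the pam_exec line the non-setuid binary now depends on, so if the file stays unconditional, an UPDATING entry or pkg-message naming the path would help users who cannot unlock after the upgrade.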
@@ -41,6 +47,7 @@ OPTIONS_DEFINE= DOCS
post-install:
@${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/i3lock
@${RM} ${STAGEDIR}${PREFIX}/etc/pam.d/i3lock
+ @${INSTALL_DATA} ${WRKDIR}/i3lock.pam ${STAGEDIR}${PREFIX}/etc/pam.d/i3lock
post-install-DOCS-on:
@${MKDIR} ${STAGEDIR}${DOCSDIR}
diff --git a/deskutils/i3lock/files/i3lock.pam.in b/deskutils/i3lock/files/i3lock.pam.in
new file mode 100644
index 000000000000..942be88359ac
--- /dev/null
+++ b/deskutils/i3lock/files/i3lock.pam.in
@@ -0,0 +1,7 @@
+#
+# PAM configuration for the "i3lock" service. i3lock(1) only uses
+# auth facilities.
+#
+
+auth sufficient pam_exec.so return_prog_exit_status expose_authtok %%LOCALBASE%%/libexec/unix-selfauth-helper
+auth include system
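Review bot: The header comment on the new policy does not explain the two `auth` lines, although they carry the whole security argument of this commit. I would add above the pam_exec line `# unix-selfauth-helper verifies the invoking user's own password, so i3lock needs no setuid bit.` and `# If the helper fails or is missing, authentication falls through to the system policy.` Because `return_prog_exit_status` makes the helper's exit code the PAM verdict and `expose_authtok` hands it the typed password, it is also worth noting there that the binary at `%%LOCALBASE%%/libexec/unix-selfauth-helper` is now the trusted component and should stay root-owned and not writable by other users.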