blob: 34b89d2b645cedb45c7af78d5758ed013d89d551 (
plain) (
tree)
|
|
pam_unix(8) requires root priveleges to access master.passwd(5)
but don't keep root for non-authentication activities.
--- pam.c.orig 2019-01-29 19:48:00 UTC
+++ pam.c
@@ -12,15 +12,40 @@
static char *pw_buf = NULL;
void initialize_pw_backend(int argc, char **argv) {
+#ifdef __linux__
if (getuid() != geteuid() || getgid() != getegid()) {
swaylock_log(LOG_ERROR,
"swaylock is setuid, but was compiled with the PAM"
" backend. Run 'chmod a-s %s' to fix. Aborting.", argv[0]);
exit(EXIT_FAILURE);
}
+#else
+ if (geteuid() != 0) {
+ swaylock_log(LOG_ERROR,
+ "swaylock needs to be setuid for pam_unix(8) to read /etc/master.passwd");
+ exit(EXIT_FAILURE);
+ }
+#endif
+
if (!spawn_comm_child()) {
exit(EXIT_FAILURE);
}
+
+#ifndef __linux__
+ if (setgid(getgid()) != 0) {
+ swaylock_log_errno(LOG_ERROR, "Unable to drop root");
+ exit(EXIT_FAILURE);
+ }
+ if (setuid(getuid()) != 0) {
+ swaylock_log_errno(LOG_ERROR, "Unable to drop root");
+ exit(EXIT_FAILURE);
+ }
+ if (setuid(0) != -1) {
+ swaylock_log_errno(LOG_ERROR, "Unable to drop root (we shouldn't be "
+ "able to restore it after setuid)");
+ exit(EXIT_FAILURE);
+ }
+#endif
}
static int handle_conversation(int num_msg, const struct pam_message **msg,
|