author | Baptiste Daroussin <bapt@FreeBSD.org> | 2023-07-12 07:24:06 +0000 |
---|---|---|
committer | Baptiste Daroussin <bapt@FreeBSD.org> | 2023-07-12 07:33:46 +0000 |
commit | fa9ae456a4a71ca0677756f6f7424d1812079c24 (patch) | |
tree | bd1fdbbdbea305237909b9b79fd0449bd555d280 | |
parent | d3cfa7ea42229670219c0dad9acc8595bee31c29 (diff) | |
i3lock: remove the setuid bit
Following the swaylock example: by using unix-selfauth-helper and pam_exec
we can avoid requiring the setuid bit on i3lock.
Reported by: Mateusz Kocielski <shm@digitalsun.pl>
(cherry picked from commit b9050914a87578a38b52ad197cbbb34574eb03e7)
-rw-r--r-- | deskutils/i3lock/Makefile | 11 | ||||
-rw-r--r-- | deskutils/i3lock/files/i3lock.pam.in | 7 |
2 files changed, 16 insertions, 2 deletions
diff --git a/deskutils/i3lock/Makefile b/deskutils/i3lock/Makefile
index 78a0426807db..a269e22cd3cc 100644
--- a/deskutils/i3lock/Makefile
+++ b/deskutils/i3lock/Makefile
@@ -1,5 +1,6 @@
 PORTNAME= i3lock
 PORTVERSION= 2.13
+PORTREVISION= 1
 CATEGORIES= deskutils x11
 MASTER_SITES= http://i3wm.org/${PORTNAME}/
@@ -19,12 +20,17 @@ LIB_DEPENDS= libcairo.so:graphics/cairo \
 libxcb-util.so:x11/xcb-util \
 libxcb-xrm.so:x11/xcb-util-xrm
+RUN_DEPENDS= unix-selfauth-helper>0:security/unix-selfauth-helper
+
 MAKE_ARGS= PREFIX="${PREFIX}" X11LIB="${LOCALBASE}/lib" \
 X11INC="${LOCALBASE}/include" CC="${CC}" \
 MANDIR="${MANPREFIX}/man"
-PLIST_FILES= "@(,,4755) bin/i3lock" \
- man/man1/i3lock.1.gz
+PLIST_FILES= bin/i3lock \
+ man/man1/i3lock.1.gz \
+ etc/pam.d/i3lock
+
+SUB_FILES= i3lock.pam
 USES= gmake iconv localbase pkgconfig tar:bzip2 xorg
 LDFLAGS+= ${ICONV_LIB}
@@ -41,6 +47,7 @@ OPTIONS_DEFINE= DOCS
 post-install:
 @${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/i3lock
 @${RM} ${STAGEDIR}${PREFIX}/etc/pam.d/i3lock
+ @${INSTALL_DATA} ${WRKDIR}/i3lock.pam ${STAGEDIR}${PREFIX}/etc/pam.d/i3lock
 post-install-DOCS-on:
 @${MKDIR} ${STAGEDIR}${DOCSDIR}
diff --git a/deskutils/i3lock/files/i3lock.pam.in b/deskutils/i3lock/files/i3lock.pam.in
new file mode 100644
index 000000000000..942be88359ac
--- /dev/null
+++ b/deskutils/i3lock/files/i3lock.pam.in
@@ -0,0 +1,7 @@
+#
+# PAM configuration for the "i3lock" service. i3lock(1) only uses
+# auth facilities.
+#
+
+auth sufficient pam_exec.so return_prog_exit_status expose_authtok %%LOCALBASE%%/libexec/unix-selfauth-helper
+auth include system |
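Review bot: In the `PLIST_FILES` change of deskutils/i3lock/Makefile (hunk `-19,12 +20,17`), `etc/pam.d/i3lock` is registered as a plain packaged file, so a locally edited PAM policy for the screen locker would be replaced on upgrade or reinstall. Consider shipping it as a sample instead, with `"@sample etc/pam.d/i3lock.sample"` in `PLIST_FILES` and the `post-install` line in the next hunk writing to `${STAGEDIR}${PREFIX}/etc/pam.d/i3lock.sample`. A short comment above `RUN_DEPENDS`, such as `# i3lock is installed without setuid; password checks go through unix-selfauth-helper via pam_exec`, would also record why the helper is a hard run-time requirement and why the `@(,,4755)` mode must not be reintroduced.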
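Review bot: The header comment in the new deskutils/i3lock/files/i3lock.pam.in does not explain the ordering of the two `auth` lines, which is what decides whether the screen unlocks. With `sufficient` plus `return_prog_exit_status`, the helper's exit code is taken directly as the PAM result: exit 0 ends the stack with success and anything else falls through to `include system`. Because i3lock no longer runs with elevated privileges, a `pam_unix` entry in the included `system` stack presumably cannot verify local passwords, so the fallthrough is only useful for other modules; that should be confirmed and stated. I would add a comment before the first `auth` line along the lines of `# unix-selfauth-helper verifies the invoking user's own password (read from stdin via expose_authtok); on failure the stack continues with "system".`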