Merge pull request #24 from c-edw/feature/AbortSUIDWithPAM
Log error and exit if swaylock is suid with PAM backend.
This commit is contained in:
commit
52eeb9fc1e
@ -112,7 +112,7 @@ void damage_state(struct swaylock_state *state);
|
|||||||
void clear_password_buffer(struct swaylock_password *pw);
|
void clear_password_buffer(struct swaylock_password *pw);
|
||||||
void schedule_indicator_clear(struct swaylock_state *state);
|
void schedule_indicator_clear(struct swaylock_state *state);
|
||||||
|
|
||||||
void initialize_pw_backend(void);
|
void initialize_pw_backend(int argc, char **argv);
|
||||||
void run_pw_backend_child(void);
|
void run_pw_backend_child(void);
|
||||||
void clear_buffer(char *buf, size_t size);
|
void clear_buffer(char *buf, size_t size);
|
||||||
|
|
||||||
|
2
main.c
2
main.c
@ -977,7 +977,7 @@ static void comm_in(int fd, short mask, void *data) {
|
|||||||
|
|
||||||
int main(int argc, char **argv) {
|
int main(int argc, char **argv) {
|
||||||
swaylock_log_init(LOG_ERROR);
|
swaylock_log_init(LOG_ERROR);
|
||||||
initialize_pw_backend();
|
initialize_pw_backend(argc, argv);
|
||||||
|
|
||||||
enum line_mode line_mode = LM_LINE;
|
enum line_mode line_mode = LM_LINE;
|
||||||
state.args = (struct swaylock_args){
|
state.args = (struct swaylock_args){
|
||||||
|
8
pam.c
8
pam.c
@ -11,7 +11,13 @@
|
|||||||
|
|
||||||
static char *pw_buf = NULL;
|
static char *pw_buf = NULL;
|
||||||
|
|
||||||
void initialize_pw_backend(void) {
|
void initialize_pw_backend(int argc, char **argv) {
|
||||||
|
if (getuid() != geteuid() || getgid() != getegid()) {
|
||||||
|
swaylock_log(LOG_ERROR,
|
||||||
|
"swaylock is setuid, but was compiled with the PAM"
|
||||||
|
" backend. Run 'chmod a-s %s' to fix. Aborting.", argv[0]);
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
|
}
|
||||||
if (!spawn_comm_child()) {
|
if (!spawn_comm_child()) {
|
||||||
exit(EXIT_FAILURE);
|
exit(EXIT_FAILURE);
|
||||||
}
|
}
|
||||||
|
52
shadow.c
52
shadow.c
@ -12,6 +12,32 @@
|
|||||||
#include "log.h"
|
#include "log.h"
|
||||||
#include "swaylock.h"
|
#include "swaylock.h"
|
||||||
|
|
||||||
|
void initialize_pw_backend(int argc, char **argv) {
|
||||||
|
if (geteuid() != 0) {
|
||||||
|
swaylock_log(LOG_ERROR,
|
||||||
|
"swaylock needs to be setuid to read /etc/shadow");
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!spawn_comm_child()) {
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (setgid(getgid()) != 0) {
|
||||||
|
swaylock_log_errno(LOG_ERROR, "Unable to drop root");
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
|
}
|
||||||
|
if (setuid(getuid()) != 0) {
|
||||||
|
swaylock_log_errno(LOG_ERROR, "Unable to drop root");
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
|
}
|
||||||
|
if (setuid(0) != -1) {
|
||||||
|
swaylock_log_errno(LOG_ERROR, "Unable to drop root (we shouldn't be "
|
||||||
|
"able to restore it after setuid)");
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
void run_pw_backend_child(void) {
|
void run_pw_backend_child(void) {
|
||||||
/* This code runs as root */
|
/* This code runs as root */
|
||||||
struct passwd *pwent = getpwuid(getuid());
|
struct passwd *pwent = getpwuid(getuid());
|
||||||
@ -73,29 +99,3 @@ void run_pw_backend_child(void) {
|
|||||||
clear_buffer(encpw, strlen(encpw));
|
clear_buffer(encpw, strlen(encpw));
|
||||||
exit(EXIT_SUCCESS);
|
exit(EXIT_SUCCESS);
|
||||||
}
|
}
|
||||||
|
|
||||||
void initialize_pw_backend(void) {
|
|
||||||
if (geteuid() != 0) {
|
|
||||||
swaylock_log(LOG_ERROR,
|
|
||||||
"swaylock needs to be setuid to read /etc/shadow");
|
|
||||||
exit(EXIT_FAILURE);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!spawn_comm_child()) {
|
|
||||||
exit(EXIT_FAILURE);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (setgid(getgid()) != 0) {
|
|
||||||
swaylock_log_errno(LOG_ERROR, "Unable to drop root");
|
|
||||||
exit(EXIT_FAILURE);
|
|
||||||
}
|
|
||||||
if (setuid(getuid()) != 0) {
|
|
||||||
swaylock_log_errno(LOG_ERROR, "Unable to drop root");
|
|
||||||
exit(EXIT_FAILURE);
|
|
||||||
}
|
|
||||||
if (setuid(0) != -1) {
|
|
||||||
swaylock_log_errno(LOG_ERROR, "Unable to drop root (we shouldn't be "
|
|
||||||
"able to restore it after setuid)");
|
|
||||||
exit(EXIT_FAILURE);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
Loading…
Reference in New Issue
Block a user