Make setuid error clearer.

This commit is contained in:
Connor E 2019-01-18 13:52:17 +00:00
parent ccefa54bb7
commit 648b0ccd64
4 changed files with 32 additions and 31 deletions

View File

@ -112,7 +112,7 @@ void damage_state(struct swaylock_state *state);
void clear_password_buffer(struct swaylock_password *pw);
void schedule_indicator_clear(struct swaylock_state *state);
void initialize_pw_backend(void);
void initialize_pw_backend(int argc, char **argv);
void run_pw_backend_child(void);
void clear_buffer(char *buf, size_t size);

2
main.c
View File

@ -970,7 +970,7 @@ static void comm_in(int fd, short mask, void *data) {
int main(int argc, char **argv) {
swaylock_log_init(LOG_ERROR);
initialize_pw_backend();
initialize_pw_backend(argc, argv);
enum line_mode line_mode = LM_LINE;
state.args = (struct swaylock_args){

5
pam.c
View File

@ -11,10 +11,11 @@
static char *pw_buf = NULL;
void initialize_pw_backend(void) {
void initialize_pw_backend(int argc, char **argv) {
if (getuid() != geteuid() || getgid() != getegid()) {
swaylock_log(LOG_ERROR,
"swaylock has suid but doesn't require it with PAM backend");
"swaylock is setuid, but was compiled with the PAM"
" backend. Run 'chmod a-s %s' to fix. Aborting.", argv[0]);
exit(EXIT_FAILURE);
}
if (!spawn_comm_child()) {

View File

@ -12,6 +12,32 @@
#include "log.h"
#include "swaylock.h"
void initialize_pw_backend(int argc, char **argv) {
if (geteuid() != 0) {
swaylock_log(LOG_ERROR,
"swaylock needs to be setuid to read /etc/shadow");
exit(EXIT_FAILURE);
}
if (!spawn_comm_child()) {
exit(EXIT_FAILURE);
}
if (setgid(getgid()) != 0) {
swaylock_log_errno(LOG_ERROR, "Unable to drop root");
exit(EXIT_FAILURE);
}
if (setuid(getuid()) != 0) {
swaylock_log_errno(LOG_ERROR, "Unable to drop root");
exit(EXIT_FAILURE);
}
if (setuid(0) != -1) {
swaylock_log_errno(LOG_ERROR, "Unable to drop root (we shouldn't be "
"able to restore it after setuid)");
exit(EXIT_FAILURE);
}
}
void run_pw_backend_child(void) {
/* This code runs as root */
struct passwd *pwent = getpwuid(getuid());
@ -73,29 +99,3 @@ void run_pw_backend_child(void) {
clear_buffer(encpw, strlen(encpw));
exit(EXIT_SUCCESS);
}
void initialize_pw_backend(void) {
if (geteuid() != 0) {
swaylock_log(LOG_ERROR,
"swaylock needs to be setuid to read /etc/shadow");
exit(EXIT_FAILURE);
}
if (!spawn_comm_child()) {
exit(EXIT_FAILURE);
}
if (setgid(getgid()) != 0) {
swaylock_log_errno(LOG_ERROR, "Unable to drop root");
exit(EXIT_FAILURE);
}
if (setuid(getuid()) != 0) {
swaylock_log_errno(LOG_ERROR, "Unable to drop root");
exit(EXIT_FAILURE);
}
if (setuid(0) != -1) {
swaylock_log_errno(LOG_ERROR, "Unable to drop root (we shouldn't be "
"able to restore it after setuid)");
exit(EXIT_FAILURE);
}
}