This implements customization for the indicator as proposed in sway#2788 with comments from sway#3367 in mind.
The default behaviour does not change except for the caps lock text color.
Since these changes seem to be lost in the split I've remade them.

Partially fixes #2788. This change makes it so the lock screen is
redrawn whenever the caps lock modifier state changes, rather
than relying on the keypress event. This didn't work because
caps lock is disabled when the key is released, not pressed,
so the caps lock indicator does not go away until the next
keypress event.

Ctrl-D functions as EOF in most cases on the terminal. login(1) & many other
programs check the password on EOF, same as Enter. To make behavior consistent,
have swaylock submit the password on Ctrl-D.
This commit moves the handling for Enter into its own static function, which is
now also called on Ctrl-D.

I've got in the habit of using Ctrl-C with login(1) to restart password entry.
If Sway does the same thing I don't have to retrain my login muscle memory ;)

Today I learned that GNU flaunts the POSIX standard in yet another
creative way. Additionally, this adds some security improvements,
namely:
- Zeroing out password buffers in the privileged child process
- setuid/setgid after reading /etc/shadow

It's better to use DT_RPATH dynamic section of the elf binary to store
the paths of libraries to load instead of overwriting LD_LIBRARY_PATH
for the whole environment, causing surprises. This solution is much more
transparent and perfectly suitable for running contained installations
of wayland/wlroots/sway.
The code unsetting the LD_LIBRARY_PATH/LD_PRELOAD was also deleted as
it's a placebo security at best - we should trust the execution path
that leads us to running sway, and it's way too late to care about those
variables since we already started executing our compositor, thus we
would be compromised anyway.

This involves setuid'ing swaylock, which then forks and drops perms on
the parent process. The child process remains root and listens on a pipe
for requests to validate passwords against /etc/shadow.
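
The split described in the message above, together with the buffer zeroing listed in the earlier security-improvements message, sketched as an added example that is not swaylock's own code. The function names, the length-prefixed pipe protocol and the constructed secret "hunter2" standing in for the /etc/shadow comparison are assumptions; when the binary is not setuid the privilege drop is a no-op.

```c
#include <stdint.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for the /etc/shadow hash comparison (assumption). */
static int check_secret(const char *pw) { return strcmp(pw, "hunter2") == 0; }

/* Wipe through a volatile pointer so the stores are not optimized away. */
static void clear_buffer(char *buf, size_t n) {
    volatile char *p = buf;
    while (n--) *p++ = 0;
}

/* Child: keeps its privileges, answers one length-prefixed request at a time. */
static void run_child(int req, int resp) {
    char buf[256];
    uint32_t len;
    while (read(req, &len, sizeof len) == sizeof len && len < sizeof buf) {
        if (len && read(req, buf, len) != (ssize_t)len) break;
        buf[len] = '\0';
        char ok = (char)check_secret(buf);
        clear_buffer(buf, sizeof buf); /* password never outlives the check */
        if (write(resp, &ok, 1) != 1) break;
    }
    clear_buffer(buf, sizeof buf);
    _exit(0);
}

/* Parent: fork helper, drop to real ids, ask over pipes; 1/0 verdict, -1 error. */
int validate_via_helper(const char *pw) {
    int req[2], resp[2], rc = -1;
    uint32_t len = (uint32_t)strlen(pw);
    char ok = 0;
    if (len >= 256 || pipe(req) || pipe(resp)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { close(req[1]); close(resp[0]); run_child(req[0], resp[1]); }
    close(req[0]); close(resp[1]);
    /* Group first: once the uid is dropped, setgid() would be refused. */
    if (setgid(getgid()) == 0 && setuid(getuid()) == 0 &&
        write(req[1], &len, sizeof len) == sizeof len &&
        write(req[1], pw, len) == (ssize_t)len && read(resp[0], &ok, 1) == 1)
        rc = ok;
    close(req[1]); close(resp[0]);
    waitpid(pid, NULL, 0);
    return rc;
}
int main(void) { return validate_via_helper("hunter2") == 1 ? 0 : 1; }
```

The parent only ever holds the password long enough to write it to the pipe; the verdict comes back as a single byte, so a compromised unprivileged side learns nothing beyond accept or reject.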

The "login" PAM configuration means something entirely different on
FreeBSD than on Linux: if you try to authenticate as the calling user,
it OKs the request without prompting for password. The "passwd" config
implements the desired functionality, therefore it should be used by
swaylock.