Bug 921584 - gui-apps/swaylock-1.7.2 refuses to work with USE=" filecaps -pam"
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Matthew Thode ( prometheanfire )
Keywords: PATCH
Reported: 2024-01-07 18:56 UTC by Bruno
Modified: 2024-01-08 00:18 UTC
Attachments
Patch to make swaylock work with file capabilities (suid-or-cap_dac_read.patch, 3.08 KB, patch)
2024-01-07 19:05 UTC, Bruno

Description Bruno 2024-01-07 18:56:34 UTC
With USE=-pam and USE=filecaps the ebuild sets SYS_ADMIN file capabilities for /usr/bin/swaylock.

Swaylock on the other hand does security checks verifying it has geteuid()==0 and later it can drop privileges by testing it can setuid(0).

SYS_ADMIN capability does not make much sense as a value as what could be useful is rather CAP_DAC_READ_SEARCH to be able to read /etc/shadow.


Reproducible: Always

Steps to Reproduce:
1. install swaylock with USE="-pam filecaps"
2. attempt to lock screen

Actual Results:  
Screen does not lock and swaylock outputs the following to stderr:
   [swaylock-1.7.2/shadow.c:22] swaylock needs to be setuid to read /etc/shadow

Expected Results:  
Screen locks

Removing the filecaps option and making /usr/bin/swaylock SUID would be one solution.

Patching swaylock to allow it to accept CAP_DAC_READ_SEARCH (and fixing the capability applied) would be another option.
Comment 1 Bruno 2024-01-07 19:05:42 UTC
Created attachment 881655
Patch to make swaylock work with file capabilities

This patch uses direct syscall to check/clear capabilities and verifies ability to read /etc/shadow rather than just looking at uid.

An alternative would be linking to libcap or libcap-ng and using cap_set_proc/cap_get_proc instead of the syscalls and thus being less Linux-specific.
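
The approach comment 1 describes (querying and clearing capabilities with raw syscalls, and testing whether the file can actually be opened instead of comparing the uid), sketched as an added example. This is not the attached patch and not swaylock's code; `check_then_drop` and the other function names are hypothetical, and the code is Linux-only.

```c
/* Added example (Linux-only); not swaylock's code and not the attached patch. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/capability.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Is `cap` set in the effective mask of a version-3 capability blob? */
int cap_effective(const struct __user_cap_data_struct *d, int cap) {
    return (d[CAP_TO_INDEX(cap)].effective & CAP_TO_MASK(cap)) != 0;
}

/* 1 if this process holds `cap` in its effective set, 0 if not, -1 on error. */
int have_cap(int cap) {
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[_LINUX_CAPABILITY_U32S_3];
    if (syscall(SYS_capget, &h, d) != 0) return -1;
    return cap_effective(d, cap);
}

/* Clear the effective, permitted and inheritable sets of this process.
 * Shrinking the sets needs no privilege and cannot be undone by the process. */
int drop_all_caps(void) {
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[_LINUX_CAPABILITY_U32S_3];
    memset(d, 0, sizeof d);
    return (int)syscall(SYS_capset, &h, d);
}

/* Functional test: can `path` be opened for reading right now? */
int can_read(const char *path) {
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return 0;
    close(fd);
    return 1;
}

/* Hypothetical startup sequence: 0 = access confirmed and privileges dropped,
 * -1 = refuse to run. Covers a setuid-root binary and file capabilities. */
int check_then_drop(const char *path) {
    if (!can_read(path)) return -1;   /* neither euid 0 nor a capability gives access */
    /* a real program would read the password hash here, while still privileged */
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0) return -1; /* setuid case */
    if (drop_all_caps() != 0) return -1;                           /* filecaps case */
    return have_cap(CAP_DAC_READ_SEARCH) == 0 ? 0 : -1;            /* verify drop */
}

int main(void) { return check_then_drop("/etc/shadow") == 0 ? 0 : 1; }
```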