Lines 1-9
Link Here
|
1 |
#define _XOPEN_SOURCE // for crypt |
1 |
#define _XOPEN_SOURCE // for crypt |
|
|
2 |
#define _DEFAULT_SOURCE // syscall |
2 |
#include <pwd.h> |
3 |
#include <pwd.h> |
3 |
#include <shadow.h> |
4 |
#include <shadow.h> |
4 |
#include <stdlib.h> |
5 |
#include <stdlib.h> |
5 |
#include <stdbool.h> |
6 |
#include <stdbool.h> |
6 |
#include <sys/types.h> |
7 |
#include <sys/types.h> |
|
|
8 |
#include <linux/capability.h> |
9 |
#include <sys/syscall.h> |
10 |
#include <fcntl.h> |
7 |
#include <unistd.h> |
11 |
#include <unistd.h> |
8 |
#ifdef __GLIBC__ |
12 |
#ifdef __GLIBC__ |
9 |
// GNU, you damn slimy bastard |
13 |
// GNU, you damn slimy bastard |
Lines 15-25
Link Here
|
15 |
#include "swaylock.h" |
18 |
#include "swaylock.h" |
16 |
|
19 |
|
17 |
void initialize_pw_backend(int argc, char **argv) { |
20 |
void initialize_pw_backend(int argc, char **argv) { |
18 |
if (geteuid() != 0) { |
21 |
int fd_shadow = open("/etc/shadow", O_CLOEXEC | O_RDONLY); |
|
|
22 |
if (geteuid() != 0 && fd_shadow == -1) { |
19 |
swaylock_log(LOG_ERROR, |
23 |
swaylock_log(LOG_ERROR, |
20 |
"swaylock needs to be setuid to read /etc/shadow"); |
24 |
"swaylock needs to be setuid to read /etc/shadow"); |
21 |
exit(EXIT_FAILURE); |
25 |
exit(EXIT_FAILURE); |
22 |
} |
26 |
} |
|
|
27 |
if (fd_shadow != -1) |
28 |
close(fd_shadow); |
23 |
if (!spawn_comm_child()) { |
29 |
if (!spawn_comm_child()) { |
24 |
exit(EXIT_FAILURE); |
30 |
exit(EXIT_FAILURE); |
Lines 38-43
void initialize_pw_backend(int argc, cha
Link Here
|
38 |
"able to restore it after setuid)"); |
41 |
"able to restore it after setuid)"); |
39 |
exit(EXIT_FAILURE); |
42 |
exit(EXIT_FAILURE); |
40 |
} |
43 |
} |
|
|
44 |
fd_shadow = open("/etc/shadow", O_CLOEXEC | O_RDONLY); |
45 |
if (fd_shadow != -1) { |
46 |
cap_user_header_t hdrp = alloca(sizeof(*hdrp)); |
47 |
cap_user_data_t datap = alloca(2 * sizeof(*datap)); |
48 |
int ret; |
49 |
|
50 |
close(fd_shadow); |
51 |
memset(hdrp, 0, sizeof(*hdrp)); |
52 |
hdrp->version = _LINUX_CAPABILITY_VERSION_3; |
53 |
ret = syscall(SYS_capget, hdrp, datap); |
54 |
if (ret != 0) { |
55 |
swaylock_log_errno(LOG_ERROR, "Unable to verify capabilities"); |
56 |
exit(EXIT_FAILURE); |
57 |
} else if (datap[0].effective != 0 || datap[0].permitted != 0 || datap[0].inheritable != 0 || |
58 |
datap[1].effective != 0 || datap[1].permitted != 0 || datap[1].inheritable != 0) { |
59 |
memset(datap, 0, 2 * sizeof(*datap)); |
60 |
ret = syscall(SYS_capset, hdrp, datap); |
61 |
if (ret != 0) { |
62 |
swaylock_log_errno(LOG_ERROR, "Unable to drop capabilities"); |
63 |
exit(EXIT_FAILURE); |
64 |
} |
65 |
} |
66 |
} |
67 |
fd_shadow = open("/etc/shadow", O_CLOEXEC | O_RDONLY); |
68 |
if (fd_shadow != -1) { |
69 |
swaylock_log(LOG_ERROR, "Still able to read /etc/shadow"); |
70 |
exit(EXIT_FAILURE); |
71 |
} |
41 |
} |
72 |
} |
42 |
|
73 |
|
43 |
void run_pw_backend_child(void) { |
74 |
void run_pw_backend_child(void) { |
Lines 68-73
void run_pw_backend_child(void) {
Link Here
|
68 |
if (setuid(0) != -1) { |
92 |
if (setuid(0) != -1) { |
69 |
exit(EXIT_FAILURE); |
93 |
exit(EXIT_FAILURE); |
70 |
} |
94 |
} |
|
|
95 |
int fd_shadow = open("/etc/shadow", O_CLOEXEC | O_RDONLY); |
96 |
if (fd_shadow != -1) { |
97 |
cap_user_header_t hdrp = alloca(sizeof(*hdrp)); |
98 |
cap_user_data_t datap = alloca(2 * sizeof(*datap)); |
99 |
int ret; |
100 |
|
101 |
close(fd_shadow); |
102 |
memset(hdrp, 0, sizeof(*hdrp)); |
103 |
hdrp->version = _LINUX_CAPABILITY_VERSION_3; |
104 |
ret = syscall(SYS_capget, hdrp, datap); |
105 |
if (ret != 0) { |
106 |
swaylock_log_errno(LOG_ERROR, "Unable to verify capabilities"); |
107 |
exit(EXIT_FAILURE); |
108 |
} else if (datap[0].effective != 0 || datap[0].permitted != 0 || datap[0].inheritable != 0 || |
109 |
datap[1].effective != 0 || datap[1].permitted != 0 || datap[1].inheritable != 0) { |
110 |
memset(datap, 0, 2 * sizeof(*datap)); |
111 |
ret = syscall(SYS_capset, hdrp, datap); |
112 |
if (ret != 0) { |
113 |
swaylock_log_errno(LOG_ERROR, "Unable to drop capabilities"); |
114 |
exit(EXIT_FAILURE); |
115 |
} |
116 |
} |
117 |
} |
71 |
|
118 |
|
72 |
/* This code does not run as root */ |
119 |
/* This code does not run as root */ |
73 |
swaylock_log(LOG_DEBUG, "Prepared to authorize user %s", pwent->pw_name); |
120 |
swaylock_log(LOG_DEBUG, "Prepared to authorize user %s", pwent->pw_name); |