Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 921584

Summary: gui-apps/swaylock-1.7.2 refuses to work with USE=" filecaps -pam"
Product: Gentoo Linux Reporter: Bruno <bonbons>
Component: Current packagesAssignee: Matthew Thode ( prometheanfire ) <prometheanfire>
Status: UNCONFIRMED ---    
Severity: normal CC: jstein, speedjack95
Priority: Normal Keywords: PATCH
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: Patch to make swaylock with with file capabilities

Description Bruno 2024-01-07 18:56:34 UTC 
With USE=-pam and USE=filecaps the ebuild sets SYS_ADMIN file capabilities for /usr/bin/swaylock.

Swaylock on the other hand does security checks verifying it has geteuid()==0 and later it can drop privileges by testing it can setuid(0).

SYS_ADMIN capability does not make much sense as a value as what could be useful is rather CAP_DAC_READ_SEARCH to be able to read /etc/shadow.


Reproducible: Always

Steps to Reproduce:
1. install swaylock with USE="-pam fileaps"
2. attempt to lock screen

Actual Results:  
Screen does not lock and swaylock outputs the following to stderr:
   [swaylock-1.7.2/shadow.c:22] swaylock needs to be setuid to read /etc/shadow

Expected Results:  
Screen locks

Removing the filecaps option and make /usr/bin/swaylock SUID would be one solution.

Patching swaylock to allow it to accept CAP_DAC_READ_SEARCH (and fixing the capability applied) would be another option.
Comment 1 Bruno 2024-01-07 19:05:42 UTC 
Created attachment 881655 [details, diff]
Patch to make swaylock with with file capabilities

This patch uses direct syscall to check/clear capabilities and verifies ability to read /etc/shadow rather than just looking at uid.

An alternative would be linking to libcap or libcap-ng and using cap_set_proc/cap_get_proc instead of the syscalls and thus being less Linux-specific.