X-Git-Url: https://git.danieliu.xyz/?a=blobdiff_plain;f=slock.c;h=7127ebe0827460a4b6d9d71ea722b83e21a4ee7b;hb=22eba05f3683c12fa6a5f898d08c33704c9fbb73;hp=068227985bfa9bb5efd768a7af98dffe4ad26153;hpb=39fb855aa100c5a5a8b7f3b6cc1fbb2135fe7dde;p=slock.git

diff --git a/slock.c b/slock.c
index 0682279..7127ebe 100644
--- a/slock.c
+++ b/slock.c
@@ -6,6 +6,7 @@
 
 #include <ctype.h>
 #include <errno.h>
+#include <grp.h>
 #include <pwd.h>
 #include <stdarg.h>
 #include <stdlib.h>
@@ -18,11 +19,6 @@
 #include <X11/Xlib.h>
 #include <X11/Xutil.h>
 
-#if HAVE_BSD_AUTH
-#include <login_cap.h>
-#include <bsd_auth.h>
-#endif
-
 #include "arg.h"
 #include "util.h"
 
@@ -46,8 +42,6 @@ typedef struct {
 
 static Lock **locks;
 static int nscreens;
-static Bool running = True;
-static Bool failure = False;
 static Bool rr;
 static int rrevbase;
 static int rrerrbase;
@@ -90,20 +84,19 @@ dontkillme(void)
 }
 #endif
 
-#ifndef HAVE_BSD_AUTH
-/* only run as root */
 static const char *
 getpw(void)
 {
 	const char *rval;
 	struct passwd *pw;
 
+	/* Check if the current user has a password entry */
 	errno = 0;
 	if (!(pw = getpwuid(getuid()))) {
 		if (errno)
-			die("getpwuid: %s\n", strerror(errno));
+			die("slock: getpwuid: %s\n", strerror(errno));
 		else
-			die("cannot retrieve password entry\n");
+			die("slock: cannot retrieve password entry\n");
 	}
 	rval = pw->pw_passwd;
 
@@ -111,35 +104,37 @@ getpw(void)
 	if (rval[0] == 'x' && rval[1] == '\0') {
 		struct spwd *sp;
 		if (!(sp = getspnam(getenv("USER"))))
-			die("cannot retrieve shadow entry (make sure to suid or sgid slock)\n");
+			die("slock: getspnam: cannot retrieve shadow entry (make sure to suid or sgid slock)\n");
 		rval = sp->sp_pwdp;
 	}
-#endif
+#else
+	if (rval[0] == '*' && rval[1] == '\0') {
+#ifdef __OpenBSD__
+		if (!(pw = getpwnam_shadow(getenv("USER"))))
+			die("slock: getpwnam_shadow: cannot retrieve shadow entry (make sure to suid or sgid slock)\n");
+		rval = pw->pw_passwd;
+#else
+		die("slock: getpwuid: cannot retrieve shadow entry (make sure to suid or sgid slock)\n");
+#endif /* __OpenBSD__ */
+	}
+#endif /* HAVE_SHADOW_H */
 
-	/* drop privileges */
-	if (geteuid() == 0 &&
-	    ((getegid() != pw->pw_gid && setgid(pw->pw_gid) < 0) || setuid(pw->pw_uid) < 0))
-		die("cannot drop privileges\n");
 	return rval;
 }
-#endif
 
 static void
-#ifdef HAVE_BSD_AUTH
-readpw(Display *dpy)
-#else
 readpw(Display *dpy, const char *pws)
-#endif
 {
 	char buf[32], passwd[256], *encrypted;
-	int num, screen;
+	int num, screen, running, failure;
 	unsigned int len, color;
 	KeySym ksym;
 	XEvent ev;
 	static int oldc = INIT;
 
 	len = 0;
-	running = True;
+	running = 1;
+	failure = 0;
 
 	/* As "slock" stands for "Simple X display locker", the DPMS settings
 	 * had been removed and you can set it with "xset" or some other
@@ -164,15 +159,11 @@ readpw(Display *dpy, const char *pws)
 			switch (ksym) {
 			case XK_Return:
 				passwd[len] = 0;
-#ifdef HAVE_BSD_AUTH
-				running = !auth_userokay(getlogin(), NULL, "auth-slock", passwd);
-#else
 				errno = 0;
 				if (!(encrypted = crypt(passwd, pws)))
 					fprintf(stderr, "slock: crypt: %s\n", strerror(errno));
 				else
 					running = !!strcmp(encrypted, pws);
-#endif
 				if (running) {
 					XBell(dpy, 100);
 					failure = True;
@@ -253,7 +244,7 @@ lockscreen(Display *dpy, int screen)
 	XSetWindowAttributes wa;
 	Cursor invisible;
 
-	if (!running || dpy == NULL || screen < 0 || !(lock = malloc(sizeof(Lock))))
+	if (dpy == NULL || screen < 0 || !(lock = malloc(sizeof(Lock))))
 		return NULL;
 
 	lock->screen = screen;
@@ -275,7 +266,7 @@ lockscreen(Display *dpy, int screen)
 	XDefineCursor(dpy, lock->win, invisible);
 
 	/* Try to grab mouse pointer *and* keyboard for 600ms, else fail the lock */
-	for (i = 6, ptgrab = kbgrab = -1; i; --i) {
+	for (i = 0, ptgrab = kbgrab = -1; i < 6; i++) {
 		if (ptgrab != GrabSuccess) {
 			ptgrab = XGrabPointer(dpy, lock->root, False,
 			         ButtonPressMask | ButtonReleaseMask |
@@ -321,9 +312,11 @@ usage(void)
 
 int
 main(int argc, char **argv) {
-#ifndef HAVE_BSD_AUTH
+	struct passwd *pwd;
+	struct group *grp;
+	uid_t duid;
+	gid_t dgid;
 	const char *pws;
-#endif
 	Display *dpy;
 	int s, nlocks;
 
@@ -335,28 +328,37 @@ main(int argc, char **argv) {
 		usage();
 	} ARGEND
 
+	/* validate drop-user and -group */
+	errno = 0;
+	if (!(pwd = getpwnam(user)))
+		die("slock: getpwnam %s: %s\n", user, errno ?
+		    strerror(errno) : "user entry not found");
+	duid = pwd->pw_uid;
+	errno = 0;
+	if (!(grp = getgrnam(group)))
+		die("slock: getgrnam %s: %s\n", group, errno ?
+		    strerror(errno) : "group entry not found");
+	dgid = grp->gr_gid;
+
 #ifdef __linux__
 	dontkillme();
 #endif
 
-	/* Check if the current user has a password entry */
-	errno = 0;
-	if (!getpwuid(getuid())) {
-		if (errno == 0)
-			die("slock: no password entry for current user\n");
-		else
-			die("slock: getpwuid: %s\n", strerror(errno));
-	}
-
-#ifndef HAVE_BSD_AUTH
 	pws = getpw();
 	if (strlen(pws) < 2)
 		die("slock: failed to get user password hash.\n");
-#endif
 
 	if (!(dpy = XOpenDisplay(NULL)))
 		die("slock: cannot open display\n");
 
+	/* drop privileges */
+	if (setgroups(0, NULL) < 0)
+		die("slock: setgroups: %s\n", strerror(errno));
+	if (setgid(dgid) < 0)
+		die("slock: setgid: %s\n", strerror(errno));
+	if (setuid(duid) < 0)
+		die("slock: setuid: %s\n", strerror(errno));
+
 	/* check for Xrandr support */
 	rr = XRRQueryExtension(dpy, &rrevbase, &rrerrbase);
 
@@ -376,7 +378,6 @@ main(int argc, char **argv) {
 
 	/* did we manage to lock everything? */
 	if (nlocks != nscreens) {
-		running = 0;
 		cleanup(dpy);
 		return 1;
 	}
@@ -398,11 +399,7 @@ main(int argc, char **argv) {
 	}
 
 	/* everything is now blank. Wait for the correct password */
-#ifdef HAVE_BSD_AUTH
-	readpw(dpy);
-#else
 	readpw(dpy, pws);
-#endif
 
 	/* password ok, unlock everything and quit */
 	cleanup(dpy);