X-Git-Url: https://git.danieliu.xyz/?p=slock.git;a=blobdiff_plain;f=slock.c;h=7127ebe0827460a4b6d9d71ea722b83e21a4ee7b;hp=da4b0995dc34be6e07940b2f68eee9a3566b0a03;hb=22eba05f3683c12fa6a5f898d08c33704c9fbb73;hpb=04143fd68dbc656905714eff5c208fadb3464e25

diff --git a/slock.c b/slock.c
index da4b099..7127ebe 100644
--- a/slock.c
+++ b/slock.c
@@ -6,6 +6,7 @@
 
 #include <ctype.h>
 #include <errno.h>
+#include <grp.h>
 #include <pwd.h>
 #include <stdarg.h>
 #include <stdlib.h>
@@ -83,7 +84,6 @@ dontkillme(void)
 }
 #endif
 
-/* only run as root */
 static const char *
 getpw(void)
 {
@@ -119,10 +119,6 @@ getpw(void)
 	}
 #endif /* HAVE_SHADOW_H */
 
-	/* drop privileges */
-	if (geteuid() == 0 &&
-	    ((getegid() != pw->pw_gid && setgid(pw->pw_gid) < 0) || setuid(pw->pw_uid) < 0))
-		die("slock: cannot drop privileges\n");
 	return rval;
 }
 
@@ -316,6 +312,10 @@ usage(void)
 
 int
 main(int argc, char **argv) {
+	struct passwd *pwd;
+	struct group *grp;
+	uid_t duid;
+	gid_t dgid;
 	const char *pws;
 	Display *dpy;
 	int s, nlocks;
@@ -328,6 +328,18 @@ main(int argc, char **argv) {
 		usage();
 	} ARGEND
 
+	/* validate drop-user and -group */
+	errno = 0;
+	if (!(pwd = getpwnam(user)))
+		die("slock: getpwnam %s: %s\n", user, errno ?
+		    strerror(errno) : "user entry not found");
+	duid = pwd->pw_uid;
+	errno = 0;
+	if (!(grp = getgrnam(group)))
+		die("slock: getgrnam %s: %s\n", group, errno ?
+		    strerror(errno) : "group entry not found");
+	dgid = grp->gr_gid;
+
 #ifdef __linux__
 	dontkillme();
 #endif
@@ -339,6 +351,14 @@ main(int argc, char **argv) {
 	if (!(dpy = XOpenDisplay(NULL)))
 		die("slock: cannot open display\n");
 
+	/* drop privileges */
+	if (setgroups(0, NULL) < 0)
+		die("slock: setgroups: %s\n", strerror(errno));
+	if (setgid(dgid) < 0)
+		die("slock: setgid: %s\n", strerror(errno));
+	if (setuid(duid) < 0)
+		die("slock: setuid: %s\n", strerror(errno));
+
 	/* check for Xrandr support */
 	rr = XRRQueryExtension(dpy, &rrevbase, &rrerrbase);