File gnome-screensaver-helper.patch of Package gnome-screensaver
reverted:
Index: gnome-screensaver-2.91.91/configure.ac
===================================================================
--- gnome-screensaver-2.91.91.orig/configure.ac
+++ gnome-screensaver-2.91.91/configure.ac
@@ -555,6 +555,75 @@ if test "x$have_pam" = "xyes"; then fi +# Check for external password helper +# On SuSE, instead of having xscreensaver be a setuid program, they +# fork an external program that takes the password on stdin, and +# returns true if that password is a valid one. Then only that +# smaller program needs to be setuid. +# +# (Note that this external program is not a GUI: the GUI is still +# all in xscreensaver itself; the external program just does auth.) + +have_passwd_helper=no +with_passwd_helper_req=unspecified + +AC_ARG_WITH(passwd-helper, +[ --with-passwd-helper Include support for an external password + verification helper program.], + [with_passwd_helper="$withval"; with_passwd_helper_req="$withval"],[with_passwd_helper=no]) +# no HANDLE_X_PATH_ARG for this one + +if test "$enable_locking" = no ; then + with_passwd_helper_req=no + with_passwd_helper=no +fi + +case "$with_passwd_helper" in + ""|no) : ;; + /*) + AC_DEFINE_UNQUOTED(PASSWD_HELPER_PROGRAM, "$with_passwd_helper", [Full pathname of password helper application]) + have_passwd_helper=yes;; + *) + echo "error: --with-passwd-helper needs full pathname of helper (not '$with_passwd_helper')." 
>&2 + exit 1 +esac +AM_CONDITIONAL(HAVE_PASSWD_HELPER, test x$have_passwd_helper = xyes) +AC_SUBST(HAVE_PASSWD_HELPER) + +dnl --------------------------------------------------------------------------- +dnl Authentication scheme +dnl --------------------------------------------------------------------------- + +AC_ARG_ENABLE(authentication-scheme, + [ --enable-authentication-scheme=[auto/pam/helper] Choose a specific + authentication scheme [default=auto]],, + enable_authentication_scheme=auto) + +AUTH_SCHEME="auth-pam" + +if test x$enable_authentication_scheme = xpam -a x$have_pam = xno ; then + AC_MSG_ERROR(PAM support requested but not available) +fi +if test x$enable_authentication_scheme = xhelper -a x$have_passwd_helper = xno ; then + AC_MSG_ERROR(Password helper support requested but not available) +fi + +if test x$enable_authentication_scheme = xpam ; then + AUTH_SCHEME="pam" +elif test x$enable_authentication_scheme = xhelper ; then + AUTH_SCHEME="helper" +elif test x$enable_authentication_scheme = xauto ; then + if test x$have_pam != xno ; then + AUTH_SCHEME="pam" + elif test x$have_passwd_helper != xno ; then + AUTH_SCHEME="helper" + fi +else + AC_MSG_ERROR(Unknown authentication scheme) +fi + +AC_SUBST(AUTH_SCHEME) + dnl --------------------------------------------------------------------------- dnl libgnomekbd dnl --------------------------------------------------------------------------- @@ -731,6 +800,9 @@ echo " Screen locking enabled: ${enable_locking} Show keyboard indicator: ${with_kbd_layout_indicator} PAM prefix: ${PAM_PREFIX} + Have password helper: ${have_passwd_helper} + Authentication scheme: ${AUTH_SCHEME}" + -" +echo "" Index: gnome-screensaver-2.91.91/src/Makefile.am =================================================================== --- gnome-screensaver-2.91.91.orig/src/Makefile.am +++ gnome-screensaver-2.91.91/src/Makefile.am 
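Review bot: `AUTH_SCHEME="auth-pam"` is the fallback value, and the `auto` branch leaves it untouched when neither PAM nor the helper is available, so src/Makefile.am would expand `gs-auth-@AUTH_SCHEME@.c` to `gs-auth-auth-pam.c`, which matches none of the source names listed there. Initialise it to `pam`, or better, end the `auto` branch with `else AC_MSG_ERROR(No usable authentication scheme found)` so that a build with no working authentication backend stops at configure time. The bad-path branch of the `case` could also report through `AC_MSG_ERROR`, like the checks below it, instead of `echo ... >&2` followed by `exit 1`.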
@@ -63,6 +63,11 @@ gnome_screensaver_command_LDADD = \ $(GNOME_SCREENSAVER_COMMAND_LIBS) \ $(NULL) +AUTH_SOURCES = \ + gs-auth.h \ + gs-auth-@AUTH_SCHEME@.c \ + $(NULL) + test_fade_SOURCES = \ test-fade.c \ gs-fade.c \ @@ -78,8 +83,7 @@ test_fade_LDADD = \ test_passwd_SOURCES = \ test-passwd.c \ - gs-auth.h \ - gs-auth-pam.c \ + $(AUTH_SOURCES) \ setuid.c \ setuid.h \ subprocs.c \ @@ -136,8 +140,13 @@ gnome_screensaver_dialog_SOURCES = \ setuid.h \ subprocs.c \ subprocs.h \ - gs-auth.h \ - gs-auth-pam.c \ + $(AUTH_SOURCES) \ + $(NULL) + +EXTRA_gnome_screensaver_dialog_SOURCES = \ + gs-auth-pam.c \ + gs-auth-helper.c \ + gs-auth-pwent.c \ $(NULL) gnome_screensaver_dialog_LDADD = \ Index: gnome-screensaver-2.91.91/src/gs-auth-helper.c =================================================================== --- /dev/null +++ gnome-screensaver-2.91.91/src/gs-auth-helper.c 
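Review bot: `EXTRA_gnome_screensaver_dialog_SOURCES` names `gs-auth-pwent.c`, but the configure.ac part of this patch only accepts `auto`, `pam` and `helper`, so no configuration can select that file, and this patch does not add it. Whether it exists in the 2.91.91 tree is not visible here; if it does not, drop the line, otherwise add a comment saying why a backend that cannot be selected is still listed. `test_passwd_SOURCES` now also pulls in `$(AUTH_SOURCES)` but gets no matching `EXTRA_test_passwd_SOURCES`, so it is worth checking that automake still tracks the substituted source for that program.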
@@ -0,0 +1,198 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * written by Olaf Kirch <okir@suse.de>
+ * xscreensaver, Copyright (c) 1993-2004 Jamie Zawinski <jwz@jwz.org>
+ *
+ * Permission to use, copy, modify, distribute, and sell this software and its
+ * documentation for any purpose is hereby granted without fee, provided that
+ * the above copyright notice appear in all copies and that both that
+ * copyright notice and this permission notice appear in supporting
+ * documentation. No representations are made about the suitability of this
+ * software for any purpose. It is provided "as is" without express or
+ * implied warranty.
+ */
+
+/* The idea here is to be able to run gnome-screensaver-dialog without any setuid bits.
+ * Password verification happens through an external program that you feed
+ * your password to on stdin. The external command is invoked with a user
+ * name argument.
+ *
+ * The external helper does whatever authentication is necessary. Currently,
+ * SuSE uses "unix2_chkpwd", which is a variation of "unix_chkpwd" from the
+ * PAM distribution.
+ *
+ * Normally, the password helper should just authenticate the calling user
+ * (i.e. based on the caller's real uid). This is in order to prevent
+ * brute-forcing passwords in a shadow environment. A less restrictive
+ * approach would be to allow verifying other passwords as well, but always
+ * with a 2 second delay or so. (Not sure what SuSE's "unix2_chkpwd"
+ * currently does.)
+ * -- Olaf Kirch <okir@suse.de>, 16-Dec-2003
+ */
+
+#include "config.h"
+
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+# include <unistd.h>
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include <pwd.h>
+#include <errno.h>
+#include <sys/wait.h>
+
+#include <glib.h>
+#include <glib/gstdio.h>
+
+#include "gs-auth.h"
+#include "subprocs.h"
+
+static gboolean verbose_enabled = FALSE;
+
+GQuark
+gs_auth_error_quark (void)
+{
+ static GQuark quark = 0;
+ if (! quark) {
+ quark = g_quark_from_static_string ("gs_auth_error");
+ }
+
+ return quark;
+}
+
+void
+gs_auth_set_verbose (gboolean enabled)
+{
+ verbose_enabled = enabled;
+}
+
+gboolean
+gs_auth_get_verbose (void)
+{
+ return verbose_enabled;
+}
+
+static gboolean
+ext_run (const char *user,
+ const char *typed_passwd,
+ gboolean verbose)
+{
+ int pfd[2], status;
+ pid_t pid;
+
+ if (pipe (pfd) < 0) {
+ return 0;
+ }
+
+ if (verbose) {
+ g_message ("ext_run (%s, %s)",
+ PASSWD_HELPER_PROGRAM, user);
+ }
+
+ block_sigchld ();
+
+ if ((pid = fork ()) < 0) {
+ close (pfd [0]);
+ close (pfd [1]);
+ return FALSE;
+ }
+
+ if (pid == 0) {
+ close (pfd [1]);
+ if (pfd [0] != 0) {
+ dup2 (pfd [0], 0);
+ }
+
+ /* Helper is invoked as helper service-name [user] */
+ execlp (PASSWD_HELPER_PROGRAM, PASSWD_HELPER_PROGRAM, "gnome-screensaver", user, NULL);
+ if (verbose) {
+ g_message ("%s: %s", PASSWD_HELPER_PROGRAM, g_strerror (errno));
+ }
+
+ exit (1);
+ }
+
+ close (pfd [0]);
+
+ /* Write out password to helper process */
+ if (!typed_passwd) {
+ typed_passwd = "";
+ }
+ write (pfd [1], typed_passwd, strlen (typed_passwd));
+ close (pfd [1]);
+
+ while (waitpid (pid, &status, 0) < 0) {
+ if (errno == EINTR) {
+ continue;
+ }
+
+ if (verbose) {
+ g_message ("ext_run: waitpid failed: %s\n",
+ g_strerror (errno));
+ }
+
+ unblock_sigchld ();
+ return FALSE;
+ }
+
+ unblock_sigchld ();
+
+ if (! WIFEXITED (status) || WEXITSTATUS (status) != 0) {
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+gboolean
+gs_auth_verify_user (const char *username,
+ const char *display,
+ GSAuthMessageFunc func,
+ gpointer data,
+ GError **error)
+{
+ gboolean res = FALSE;
+ char *password;
+
+ password = NULL;
+
+ /* ask for the password for user */
+ if (func != NULL) {
+ func (GS_AUTH_MESSAGE_PROMPT_ECHO_OFF,
+ "Password: ",
+ &password,
+ data);
+ }
+
+ if (password == NULL) {
+ return FALSE;
+ }
+
+ res = ext_run (username, password, gs_auth_get_verbose ());
+
+ return res;
+}
+
+gboolean
+gs_auth_init (void)
+{
+ return TRUE;
+}
+
+gboolean
+gs_auth_priv_init (void)
+{
+ /* Make sure the passwd helper exists */
+ if (g_access (PASSWD_HELPER_PROGRAM, X_OK) < 0) {
+ g_warning ("%s does not exist. "
+ "password authentication via "
+ "external helper will not work.",
+ PASSWD_HELPER_PROGRAM);
+ return FALSE;
+ }
+
+ return TRUE;
+}
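Review bot: In `ext_run` the fork-failure branch returns right after `block_sigchld ()` without restoring the signal mask, so a failed fork leaves SIGCHLD blocked in the dialog; add `unblock_sigchld ();` before that `return FALSE;`. The result of `write (pfd [1], typed_passwd, strlen (typed_passwd))` is ignored, so a short or failed write goes unnoticed; check it and treat anything but a full write as an authentication failure. The child should leave with `_exit (1)` rather than `exit (1)` after a failed `execlp`, so that it does not run the parent's atexit handlers or flush its stdio buffers. In `gs_auth_verify_user` the typed password is neither wiped nor released once `ext_run` returns, and `error` is never set on the failure paths; ownership of the buffer returned through `func` is not visible in this file, so confirm it before adding the wipe and free.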