diff options
author | Drew DeVault <sir@cmpwn.com> | 2018-09-28 12:18:54 +0200 |
---|---|---|
committer | Drew DeVault <sir@cmpwn.com> | 2018-09-28 13:53:01 +0200 |
commit | c9773491207d36d6f5e651adcb7a64c7a015bba3 (patch) | |
tree | ed2d195ac03609bdb1b3132d1ef748ad59132e8a /swaylock/pam.c | |
parent | Merge pull request #2717 from ianyfan/tablet-config (diff) | |
download | sway-c9773491207d36d6f5e651adcb7a64c7a015bba3.tar.gz sway-c9773491207d36d6f5e651adcb7a64c7a015bba3.tar.zst sway-c9773491207d36d6f5e651adcb7a64c7a015bba3.zip |
Add support for building swaylock without PAM
This involves setuid'ing swaylock, which then forks and drops perms on
the parent process. The child process remains root and listens on a pipe
for requests to validate passwords against /etc/shadow.
Diffstat (limited to 'swaylock/pam.c')
-rw-r--r-- | swaylock/pam.c | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/swaylock/pam.c b/swaylock/pam.c new file mode 100644 index 00000000..cac95a85 --- /dev/null +++ b/swaylock/pam.c | |||
@@ -0,0 +1,62 @@ | |||
1 | #define _XOPEN_SOURCE 500 | ||
2 | #include <pwd.h> | ||
3 | #include <security/pam_appl.h> | ||
4 | #include <stdbool.h> | ||
5 | #include <stdlib.h> | ||
6 | #include <string.h> | ||
7 | #include <unistd.h> | ||
8 | #include <wlr/util/log.h> | ||
9 | #include "swaylock/swaylock.h" | ||
10 | |||
11 | void initialize_pw_backend(void) { | ||
12 | // TODO: only call pam_start once. keep the same handle the whole time | ||
13 | } | ||
14 | |||
15 | static int function_conversation(int num_msg, const struct pam_message **msg, | ||
16 | struct pam_response **resp, void *data) { | ||
17 | struct swaylock_password *pw = data; | ||
18 | /* PAM expects an array of responses, one for each message */ | ||
19 | struct pam_response *pam_reply = calloc( | ||
20 | num_msg, sizeof(struct pam_response)); | ||
21 | *resp = pam_reply; | ||
22 | for (int i = 0; i < num_msg; ++i) { | ||
23 | switch (msg[i]->msg_style) { | ||
24 | case PAM_PROMPT_ECHO_OFF: | ||
25 | case PAM_PROMPT_ECHO_ON: | ||
26 | pam_reply[i].resp = strdup(pw->buffer); // PAM clears and frees this | ||
27 | break; | ||
28 | case PAM_ERROR_MSG: | ||
29 | case PAM_TEXT_INFO: | ||
30 | break; | ||
31 | } | ||
32 | } | ||
33 | return PAM_SUCCESS; | ||
34 | } | ||
35 | |||
36 | bool attempt_password(struct swaylock_password *pw) { | ||
37 | struct passwd *passwd = getpwuid(getuid()); | ||
38 | char *username = passwd->pw_name; | ||
39 | const struct pam_conv local_conversation = { | ||
40 | function_conversation, pw | ||
41 | }; | ||
42 | pam_handle_t *local_auth_handle = NULL; | ||
43 | int pam_err; | ||
44 | if ((pam_err = pam_start("swaylock", username, | ||
45 | &local_conversation, &local_auth_handle)) != PAM_SUCCESS) { | ||
46 | wlr_log(WLR_ERROR, "PAM returned error %d", pam_err); | ||
47 | } | ||
48 | if ((pam_err = pam_authenticate(local_auth_handle, 0)) != PAM_SUCCESS) { | ||
49 | wlr_log(WLR_ERROR, "pam_authenticate failed"); | ||
50 | goto fail; | ||
51 | } | ||
52 | // TODO: only call pam_end once we succeed at authing. refresh tokens beforehand | ||
53 | if ((pam_err = pam_end(local_auth_handle, pam_err)) != PAM_SUCCESS) { | ||
54 | wlr_log(WLR_ERROR, "pam_end failed"); | ||
55 | goto fail; | ||
56 | } | ||
57 | clear_password_buffer(pw); | ||
58 | return true; | ||
59 | fail: | ||
60 | clear_password_buffer(pw); | ||
61 | return false; | ||
62 | } | ||