From c9773491207d36d6f5e651adcb7a64c7a015bba3 Mon Sep 17 00:00:00 2001
From: Drew DeVault <sir@cmpwn.com>
Date: Fri, 28 Sep 2018 12:18:54 +0200
Subject: Add support for building swaylock without PAM

This involves setuid'ing swaylock, which then forks and drops perms on
the parent process. The child process remains root and listens on a pipe
for requests to validate passwords against /etc/shadow.
---
 swaylock/password.c | 51 ---------------------------------------------------
 1 file changed, 51 deletions(-)

(limited to 'swaylock/password.c')

diff --git a/swaylock/password.c b/swaylock/password.c
index 7c686b34..6a956bcb 100644
--- a/swaylock/password.c
+++ b/swaylock/password.c
@@ -1,7 +1,6 @@
 #define _XOPEN_SOURCE 500
 #include <assert.h>
 #include <pwd.h>
-#include <security/pam_appl.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
@@ -11,27 +10,6 @@
 #include "swaylock/seat.h"
 #include "unicode.h"
 
-static int function_conversation(int num_msg, const struct pam_message **msg,
-		struct pam_response **resp, void *data) {
-	struct swaylock_password *pw = data;
-	/* PAM expects an array of responses, one for each message */
-	struct pam_response *pam_reply = calloc(
-			num_msg, sizeof(struct pam_response));
-	*resp = pam_reply;
-	for (int i = 0; i < num_msg; ++i) {
-		switch (msg[i]->msg_style) {
-		case PAM_PROMPT_ECHO_OFF:
-		case PAM_PROMPT_ECHO_ON:
-			pam_reply[i].resp = strdup(pw->buffer); // PAM clears and frees this
-			break;
-		case PAM_ERROR_MSG:
-		case PAM_TEXT_INFO:
-			break;
-		}
-	}
-	return PAM_SUCCESS;
-}
-
 void clear_password_buffer(struct swaylock_password *pw) {
 	// Use volatile keyword so so compiler can't optimize this out.
 	volatile char *buffer = pw->buffer;
@@ -42,35 +20,6 @@ void clear_password_buffer(struct swaylock_password *pw) {
 	pw->len = 0;
 }
 
-static bool attempt_password(struct swaylock_password *pw) {
-	struct passwd *passwd = getpwuid(getuid());
-	char *username = passwd->pw_name;
-	const struct pam_conv local_conversation = {
-		function_conversation, pw
-	};
-	pam_handle_t *local_auth_handle = NULL;
-	int pam_err;
-	// TODO: only call pam_start once. keep the same handle the whole time
-	if ((pam_err = pam_start("swaylock", username,
-					&local_conversation, &local_auth_handle)) != PAM_SUCCESS) {
-		wlr_log(WLR_ERROR, "PAM returned error %d", pam_err);
-	}
-	if ((pam_err = pam_authenticate(local_auth_handle, 0)) != PAM_SUCCESS) {
-		wlr_log(WLR_ERROR, "pam_authenticate failed");
-		goto fail;
-	}
-	// TODO: only call pam_end once we succeed at authing. refresh tokens beforehand
-	if ((pam_err = pam_end(local_auth_handle, pam_err)) != PAM_SUCCESS) {
-		wlr_log(WLR_ERROR, "pam_end failed");
-		goto fail;
-	}
-	clear_password_buffer(pw);
-	return true;
-fail:
-	clear_password_buffer(pw);
-	return false;
-}
-
 static bool backspace(struct swaylock_password *pw) {
 	if (pw->len != 0) {
 		pw->buffer[--pw->len] = 0;
-- 
cgit v1.2.3-54-g00ecf