Bug 90276 - xlockmore port improvements patch
Summary: xlockmore port improvements patch
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
Reported: 2005-12-12 13:00 UTC by Yuri Bushmelev
Modified: 2005-12-13 06:20 UTC
Description Yuri Bushmelev 2005-12-12 13:00:10 UTC
	Some time ago I sent a PR about PAM support in xlockmore. Now I have spent
	some time working on xlockmore. I found that PAM works fine by default
	(with --enable-pam), but only with modules that do not
	require root rights to authenticate. But almost all PAM configurations
	end with a pam_unix call. Here is the trouble. xlock drops root
	privileges after startup. I use BAD_PAM again to wrap this setuid().
	IMHO, usage of BAD_PAM is right in this case. Also the abort trap was
	fixed. There was an error in the PAM_conv function. I'll send explanations of
	the changes and the situation to the xlock-discuss mailing list later. Maybe
	the fixes will be committed into the next release of xlockmore.

	Attached is a diff against the xlockmore port. It makes some changes in
	the Makefile and drops two patches into the files dir.

	New knobs were added to the Makefile and some old ones changed. Here is the
	description:
	- OPTIONS added for interactive configuration of xlockmore
	(make config).
	- WITH_PAM - enables common PAM support in xlock, but does not define
	BAD_PAM. So PAM modules that do not require root rights can be used
	(e.g. pam_pwdfile).
	- WITH_BAD_PAM - enables WITH_PAM and defines BAD_PAM in config.h after
	'configure'. So all PAM modules can be used, including pam_unix.
	- WITH_NICE_ONLY - enables only low-CPU modes. Good for old machines.
	- WITH_BLANK_ONLY - enables only 'blank' mode. Can be useful in some
	cases.

	Please check this and commit changes.

Fix: 

-- 
With best regards,
Yuri Bushmelev a.k.a. Jay

diff -urN ../x11/xlockmore/Makefile xlockmore/Makefile
--- ../x11/xlockmore/Makefile	Thu Nov 24 20:20:14 2005
+++ xlockmore/Makefile	Mon Dec 12 15:19:15 2005
@@ -35,6 +35,15 @@
 USE_XPM=	yes
 MAN1=		xlock.1
 
+OPTIONS=MESAGL			"Enable Mesa 3D (for GL modes)"		off \
+	MB			"Enable Xmb function series"		off \
+	SYSLOG			"Enable syslog logging"			off \
+	DISABLE_ALLOW_ROOT	"Allows users to turn off allowroot"	off \
+	NICE_ONLY		"Enable only low cpu modes"		off \
+	BLANK_ONLY		"Enable blank mode only (boring)"	off \
+	PAM			"Enable PAM authentication support"	off \
+	BAD_PAM			"Xlock will ask PAM with root rights"	off
+
 .include <bsd.port.pre.mk>
 
 .if ${ARCH} == amd64
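Review bot: The BAD_PAM entry in the new OPTIONS block is described only as "Xlock will ask PAM with root rights", which does not tell someone running make config that the knob also switches PAM on and changes how the setuid binary handles its privileges. Suggest wording the description so both effects are visible in the dialog, for example "Keep root for PAM auth (implies PAM)", and giving DISABLE_ALLOW_ROOT a description that says what the build does rather than what users may do.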
@@ -50,12 +59,24 @@
 CONFIGURE_ARGS+=	--without-mesa --without-opengl
 .endif
 
+.if defined(WITH_BAD_PAM) && !defined(WITH_PAM)
+WITH_PAM=	yes
+.endif
+
 .if defined(WITH_PAM)
 CONFIGURE_ARGS+=	--enable-pam
 .endif
 
+.if defined(WITH_NICE_ONLY)
+CONFIGURE_ARGS+=	--enable-nice-only
+.endif
+
+.if defined(WITH_BLANK_ONLY)
+CONFIGURE_ARGS+=	--enable-blank-only
+.endif
+
 .if defined(WITH_MB)
-CONFIGURE_ARGS+=	--enable-use_mb
+CONFIGURE_ARGS+=	--enable-use-mb
 .endif
 
 .if defined(XLOCKMORE_LANG)
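Review bot: Nothing in the new WITH_NICE_ONLY and WITH_BLANK_ONLY blocks stops both options from being selected at once, in which case configure receives both --enable-nice-only and --enable-blank-only. Either document which one takes effect or reject the combination with an explicit check. Separately, the change from --enable-use_mb to --enable-use-mb in the WITH_MB block is a behaviour fix in its own right and is not mentioned in the description; it deserves a line in the commit message so it can be found later.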
@@ -72,9 +93,21 @@
 CONFIGURE_ARGS+=	--disable-allow-root
 .endif
 
-.if ${X_WINDOW_SYSTEM:L} != xfree86-3
+.if defined(WITH_PAM) && !defined (WITH_BAD_PAM)
+pre-extract:
+	@${ECHO}
+	@${ECHO} "You have enabled PAM support. If you want to authenticate against"
+	@${ECHO} "root only accessible PAM modules then define WITH_BAD_PAM=yes also."
+	@${ECHO} "For example, pam_unix requires root rights to access shadow passwords."
+	@${ECHO}
+.endif
+
 post-configure:
+.if ${X_WINDOW_SYSTEM:L} != xfree86-3
 	${REINPLACE_CMD} -e 's/-lXdpms//g' ${WRKSRC}/modes/Makefile
+.endif
+.if defined(WITH_BAD_PAM)
+	 ${REINPLACE_CMD} -e 's|/\* #define BAD_PAM \*/|#define BAD_PAM|g' ${WRKSRC}/config.h
 .endif
 
 PLIST_FILES=	bin/xlock lib/X11/app-defaults/XLock
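Review bot: The BAD_PAM substitution in post-configure succeeds silently when the pattern does not match, so if config.h ever stops containing the exact text "/* #define BAD_PAM */" the port will build without BAD_PAM even though the user asked for it. Suggest following the ${REINPLACE_CMD} line with a check that "#define BAD_PAM" is actually present in ${WRKSRC}/config.h and failing the build otherwise. Minor points in the same hunk: that command line is indented with a tab followed by a space, "!defined (WITH_BAD_PAM)" has a stray space before the parenthesis, and the pre-extract notice would normally go through the ports message macro rather than plain ${ECHO}.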
diff -urN ../x11/xlockmore/files/patch-pam-passwd.c xlockmore/files/patch-pam-passwd.c
--- ../x11/xlockmore/files/patch-pam-passwd.c	Thu Jan  1 03:00:00 1970
+++ xlockmore/files/patch-pam-passwd.c	Mon Dec 12 15:18:03 2005
@@ -0,0 +1,62 @@
+--- ../xlockmore-5.20.1.orig/xlock/passwd.c	Mon Sep 26 17:11:20 2005
++++ xlock/passwd.c	Mon Dec 12 15:04:31 2005
+@@ -304,6 +304,16 @@
+ 	reply = (struct pam_response *) malloc(sizeof (struct pam_response) *
+ 					       num_msg);
+ 
++// reply[] members is not initialized!
++// As a result - abort trap when PAM tries to free reply structure
++// after PAM_ERROR_MSG processing.
++
++// So I just initialize reply here with default values and drop
++// initialization from code below (if code matches).
++
++	reply[replies].resp_retcode = PAM_SUCCESS; // be optimistic
++	reply[replies].resp = NULL;
++
+ 	if (!reply)
+ 		return PAM_CONV_ERR;
+ 
+@@ -325,7 +335,6 @@
+ 			  }
+ 			  else
+ 			  {
+-			    reply[replies].resp_retcode = PAM_SUCCESS;
+ 			    reply[replies].resp = COPY_STRING(PAM_password);
+ 			  }
+ #ifdef DEBUG
+@@ -340,11 +349,6 @@
+ 			  {
+ 			    PAM_putText( msg[replies], &reply[replies], False );
+ 			  }
+-			  else
+-			  {
+-			    reply[replies].resp_retcode = PAM_SUCCESS;
+-			    reply[replies].resp = NULL;
+-			  }
+ #ifdef DEBUG
+ 			        (void) printf( "Back From PAM_putText: PAM_PROMPT_ECHO_ON\n" );
+ 			        (void) printf( "Response is: (%s)\n, Return Code is: (%d)\n",
+@@ -357,11 +361,7 @@
+ 			  {
+ 			    PAM_putText( msg[replies], &reply[replies], False );
+ 			  }
+-			  else
+-			  {
+-			    reply[replies].resp_retcode = PAM_SUCCESS;
+-			    reply[replies].resp = NULL;
+-			  }
++				/* PAM frees resp */
+ #ifdef DEBUG
+ 			        (void) printf( "Back From PAM_putText: PAM_PROMPT_ECHO_ON\n" );
+ 			        (void) printf( "Response is: (%s)\n, Return Code is: (%d)\n",
+@@ -1205,8 +1205,7 @@
+ 	pam_error = pam_authenticate(pamh, 0);
+ 	if (pam_error != PAM_SUCCESS) {
+                 if (!allowroot) {
+-                        pam_end(pamh, 0);
+-                        return False;
++					PAM_BAIL;
+                 }
+ 
+ 		/* Try as root; bail if no success there either */
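Review bot: In the first passwd.c hunk the new assignments to reply[replies].resp_retcode and reply[replies].resp sit above the existing "if (!reply) return PAM_CONV_ERR;" check, so a failed malloc is dereferenced before it is tested. They also initialize only the single element at index replies, while the allocation is for num_msg entries and the later hunks remove the per-branch initialization that used to cover the other paths. Suggest moving the initialization below the NULL check and covering every entry, either with a loop over num_msg or by allocating with calloc. The explanatory text uses // comments in a C file that otherwise uses /* */, and the last hunk replaces "pam_end(pamh, 0); return False;" with PAM_BAIL, whose definition is not visible here, so please confirm it still calls pam_end and returns False on this path.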
diff -urN ../x11/xlockmore/files/patch-pam-xlock.c xlockmore/files/patch-pam-xlock.c
--- ../x11/xlockmore/files/patch-pam-xlock.c	Thu Jan  1 03:00:00 1970
+++ xlockmore/files/patch-pam-xlock.c	Mon Dec 12 15:18:03 2005
@@ -0,0 +1,17 @@
+--- ../xlockmore-5.20.1.orig/xlock/xlock.c	Thu Oct 27 04:09:29 2005
++++ xlock/xlock.c	Mon Dec 12 14:56:05 2005
+@@ -3316,7 +3316,14 @@
+ #ifdef USE_VTLOCK
+ 	if (!vtlock)
+ #endif
++#ifdef BAD_PAM
++		(void) seteuid(ruid);
++#else
+ 		(void) setuid(ruid);
++#endif
++// #ifdef BAD_PAM ... #endif above will be added to prevent xlock from
++// dropping privileges when using PAM modules, that needs root rights
++// (pam_unix e.g.)
+ 
+ #if 0
+ 	/* synchronize -- so I am aware of errors immediately */
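Review bot: Under BAD_PAM the privilege drop becomes "(void) seteuid(ruid);", which changes only the effective uid, leaves the saved set-user-ID as root for the whole lifetime of the locker, and discards the return value so a failed drop goes unnoticed. Nothing in this hunk shows where root is taken back for authentication, so the intended window is not reviewable from here. Suggest checking the result of seteuid and exiting on failure, documenting next to this call where the effective uid is raised again and lowered afterwards, and keeping that window limited to the PAM authentication call. The rationale comment would also read better as a /* */ block placed above the #ifdef rather than // lines after the #endif.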
How-To-Repeat: 	N/A
Comment 1 Simon Barner freebsd_committer freebsd_triage 2005-12-12 13:10:21 UTC
Have you thought about becoming the maintainer of this port?

-- 
Best regards / Viele Grüße,                             barner@FreeBSD.org
 Simon Barner                                                barner@gmx.de
Comment 2 Edwin Groothuis freebsd_committer freebsd_triage 2005-12-12 21:18:31 UTC
State Changed
From-To: open->closed

Committed, thanks!
Comment 3 Yuri Bushmelev 2005-12-13 06:17:28 UTC
On Mon, 12 Dec 2005 14:10:21 +0100
Simon Barner <barner@FreeBSD.org> wrote:

> Have you thought about becoming the maintainer of this port?

Sorry, but right now I do not have enough time for this. Maybe later..
Thank you for offering :)

-- 
With best regards,
Yuri Bushmelev a.k.a. Jay