I have sway-1.5 installed on a FreeBSD 12.1 (amd64) host. It's built with the following options:

MANPAGES : on
PIXBUF : on

When I lock the screen with `swaylock -d` started in Alacritty, I expect to type my user password to unlock, but it turns out any password works :/

No changes are made to its PAM configuration:

================================================================================
#
# PAM configuration file for the swaylock screen locker. By default, it includes
# the 'login' configuration file (see /etc/pam.d/login)
#
auth include login
================================================================================

Contents of /etc/pam.d/login:

================================================================================
#
# $FreeBSD: releng/12.1/lib/libpam/pam.d/login 170510 2007-06-10 18:57:20Z yar $
#
# PAM configuration for the "login" service
#

# auth
auth        sufficient  pam_self.so     no_warn
auth        include     system

# account
account     requisite   pam_securetty.so
account     required    pam_nologin.so
account     include     system

# session
session     include     system

# password
password    include     system
================================================================================

Thanks in advance
If I understand this correctly, the use of pam_self in pam.d/login means that a process already running under user X will always succeed in authenticating as user X, which is obviously not intended in this case. Maybe it should use "auth include system" rather than "auth include login"?
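To make the point above checkable on a live box, here is an added example (not code from the FreeBSD port or from swaylock itself): a POSIX sh script that expands a PAM service's auth stack by following `include` lines across pam.d directories and reports whether `pam_self.so` can satisfy it on its own as a `sufficient` or `binding` entry. The function names, the `PAM_DIRS` override, the default search order (assumed to be `/etc/pam.d` before `/usr/local/etc/pam.d`; override it if your OpenPAM differs) and the temporary pam.d tree the demo builds (modelled on the files quoted in the report, with a shortened stand-in for `system`) are all constructed for this example. Run without `PAM_DIRS`, `pam_self_check swaylock` inspects the real files.

```shell
#!/bin/sh
# pam_self_audit.sh (added example, not part of the swaylock port or upstream):
# expand the "auth" stack of a PAM service, following "include" lines, and
# report whether pam_self.so can short-circuit the stack. A screen locker whose
# service reaches such an entry accepts any password from the session owner.
#
# PAM_DIRS overrides the directory search order (default assumed: /etc/pam.d,
# then /usr/local/etc/pam.d). The demo points it at a constructed tree.

# Print the expanded auth stack as tab-separated lines: file, "auth", control,
# module. Exit status 2 if a service file is missing or includes nest too deep.
pam_auth_stack() {
    awk -v svc="$1" -v dirs="${PAM_DIRS:-/etc/pam.d /usr/local/etc/pam.d}" '
    function svcfile(svc,    n, d, i, path, line) {
        n = split(dirs, d, " ")
        for (i = 1; i <= n; i++) {
            path = d[i] "/" svc
            if ((getline line < (path)) >= 0) { close(path); return path }
        }
        return ""
    }
    function walk(svc, depth,    path, line) {
        if (depth > 8) {
            print "include nesting too deep at " svc > "/dev/stderr"; exit 2
        }
        path = svcfile(svc)
        if (path == "") {
            print "no service file for " svc > "/dev/stderr"; exit 2
        }
        while ((getline line < (path)) > 0) {
            sub(/#.*/, "", line)      # drop comments
            $0 = line                 # re-split the line on whitespace
            if ($1 != "auth") continue
            if ($2 == "include") walk($3, depth + 1)
            else print path "\tauth\t" $2 "\t" $3
        }
        close(path)
    }
    BEGIN { walk(svc, 0) }'
}

# Exit 0 if the service is safe, 1 if pam_self.so alone can satisfy "auth",
# 2 if the stack could not be resolved.
pam_self_check() {
    stack=$(pam_auth_stack "$1") || return 2
    hits=$(printf '%s\n' "$stack" |
        awk -F '\t' '$3 ~ /^(sufficient|binding)$/ && $4 == "pam_self.so"')
    if [ -n "$hits" ]; then
        printf 'UNSAFE: %s reaches pam_self.so:\n%s\n' "$1" "$hits"
        return 1
    fi
    printf 'OK: %s\n' "$1"
    return 0
}

# Build a constructed pam.d tree under $1, modelled on the files in the report.
make_fixture() {
    dir=$1
    cat > "$dir/system" <<'EOF'
# constructed, shortened stand-in for /etc/pam.d/system
auth      required   pam_unix.so   no_warn try_first_pass
account   required   pam_unix.so
EOF
    cat > "$dir/login" <<'EOF'
# PAM configuration for the "login" service, as quoted in the report
auth      sufficient pam_self.so   no_warn
auth      include    system
account   requisite  pam_securetty.so
account   required   pam_nologin.so
account   include    system
session   include    system
password  include    system
EOF
    # swaylock 1.5 as shipped: includes "login", so pam_self.so is reachable
    printf 'auth include login\n' > "$dir/swaylock-login"
    # the fix proposed in this PR: include "system" instead
    printf 'auth include system\n' > "$dir/swaylock-system"
    # self-including service, to exercise the nesting cap
    printf 'auth include loop\n' > "$dir/loop"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_fixture "$tmp"
    PAM_DIRS=$tmp
    pam_self_check swaylock-login    # expected: UNSAFE, via login's pam_self.so
    pam_self_check swaylock-system   # expected: OK
    rm -rf "$tmp"
}

demo
```

The resolver deliberately walks only the `auth` facility: `account`, `session` and `password` entries cannot turn a wrong password into a successful unlock, so they are noise for this question.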
See https://github.com/swaywm/swaylock/commit/dee002155b91

If you need a working locker, try x11-wm/hikari (CC raichoo@). No clue if its locker can be made to work on other compositors.

From: Jan Beich
To: Fredrik
Subject: Re: x11/swaylock
Date: Wed, 27 Feb 2019 20:16:18 +0100

Fredrik writes:

> Hi,
>
> You're the maintainer of the x11/swaylock port, do you use it? If so, how?

No. I've simply created separate ports for whatever was split off x11-wm/sway by upstream. File a bug if you want to maintain this port.

> It includes /usr/local/etc/pam.d/swaylock that has this,
>
> auth include passwd
>
> However, there are no auth facilities specified in /etc/pam.d/passwd and it
> explicitly mentions that. So, with my vague understanding of PAM, the
> /usr/local/etc/pam.d/swaylock config is unused and it will instead fall
> back to /etc/pam.d/other and auth will fail since we're not running as root
> and thus aren't allowed to authenticate the user with its corresponding
> password.

Better report upstream. I'm not a Unix admin, so I haven't touched PAM in years. Maybe PAM auth on FreeBSD requires root permissions. See also https://github.com/swaywm/swaylock/issues/3#issuecomment-446575951

Index: x11/swaylock/Makefile =================================================================== --- x11/swaylock/Makefile (revision 494077) +++ x11/swaylock/Makefile (working copy) @@ -2,6 +2,7 @@ PORTNAME= swaylock DISTVERSION= 1.3 +PORTREVISION= 1 CATEGORIES= x11 MAINTAINER= jbeich@FreeBSD.org 
@@ -19,7 +20,7 @@ USE_GITHUB= yes GH_ACCOUNT= swaywm USE_GNOME= cairo pango MESON_ARGS= -Dswaylock-version="${DISTVERSIONFULL}" -PLIST_FILES= bin/${PORTNAME} \ +PLIST_FILES= "@(,,4755) bin/${PORTNAME}" \ etc/pam.d/${PORTNAME} \ share/bash-completion/completions/${PORTNAME} \ share/fish/completions/${PORTNAME}.fish \ Index: x11/swaylock/files/patch-pam.c =================================================================== --- x11/swaylock/files/patch-pam.c (nonexistent) +++ x11/swaylock/files/patch-pam.c (working copy) @@ -0,0 +1,17 @@ +--- pam.c.orig 2019-01-29 19:48:00 UTC ++++ pam.c +@@ -12,12 +12,14 @@ + static char *pw_buf = NULL; + + void initialize_pw_backend(int argc, char **argv) { ++#ifdef __linux__ + if (getuid() != geteuid() || getgid() != getegid()) { + swaylock_log(LOG_ERROR, + "swaylock is setuid, but was compiled with the PAM" + " backend. Run 'chmod a-s %s' to fix. Aborting.", argv[0]); + exit(EXIT_FAILURE); + } ++#endif + if (!spawn_comm_child()) { + exit(EXIT_FAILURE); + }
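Review bot: in the PLIST_FILES hunk, installing bin/swaylock as "@(,,4755)" makes the entire locker run with euid 0, not only the part that needs to read the password database; nothing else in the patch drops privileges, so the Wayland client, the cairo/pango rendering and the password-prompt handling all stay root for the lifetime of the lock. The setuid bit should be paired with a privilege drop in the parent right after the authenticating child is spawned (the later r542454 "limit root to authenticating child process" does exactly that), and the Makefile deserves a one-line comment explaining why FreeBSD needs the bit at all, i.e. the PAM_AUTH_ERR from missing permissions on the password database described in the quoted mail.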
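Review bot: the "#ifdef __linux__" in the pam.c hunk removes the setuid guard rather than handling the setuid case: once spawn_comm_child() has returned, the parent keeps euid 0 for the rest of the program. Since only the child performs the authentication, the parent should fall back to its real ids immediately after the spawn, e.g. "setgid(getgid())" followed by "setuid(getuid())" with both return values checked, which is what the later revision of patch-pam.c (r542454, "taken from initialize_pw_backend in shadow.c") does. Note also that a setuid binary does not by itself cure the "any password works" report: pam_self passes whenever the process already runs as the target user (comment #1), and a setuid executable's real uid is still that user, so the port's pam.d/swaylock must additionally stop including "login" (the /^auth/s/login/system/ change in the follow-up reply and patch-pam_swaylock in r542450).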
(In reply to Jan Beich from comment #2)

Hi Jan,

Your patch (+ sed-ing etc/pam.d/swaylock with /^auth/s/login/system/) works. Thanks!
A commit references this bug:

Author: jbeich
Date: Fri Jul 17 22:12:30 UTC 2020
New revision: 542450
URL: https://svnweb.freebsd.org/changeset/ports/542450

Log:
  x11/swaylock: unbreak PAM locking

  Since 1.5 it includes the "login" service, which doesn't ask for a password
  from the user running the Wayland session. Before, pam_authenticate(3) failed
  with PAM_AUTH_ERR due to missing permissions on the password database.

  PR:           248053
  Reported by:  many
  Submitted by: andrew|_|tao11.riddles.org.uk, jbeich
  Tested by:    ashish

Changes:
  head/x11/swaylock/Makefile
  head/x11/swaylock/files/
  head/x11/swaylock/files/patch-pam.c
  head/x11/swaylock/files/patch-pam_swaylock
A commit references this bug:

Author: jbeich
Date: Fri Jul 17 22:14:24 UTC 2020
New revision: 542451
URL: https://svnweb.freebsd.org/changeset/ports/542451

Log:
  MFH: r542450

  x11/swaylock: unbreak PAM locking

  Since 1.5 it includes the "login" service, which doesn't ask for a password
  from the user running the Wayland session. Before, pam_authenticate(3) failed
  with PAM_AUTH_ERR due to missing permissions on the password database.

  PR:           248053
  Reported by:  many
  Submitted by: andrew|_|tao11.riddles.org.uk, jbeich
  Tested by:    ashish
  Approved by:  ports-secteam blanket

Changes:
_U  branches/2020Q3/
  branches/2020Q3/x11/swaylock/Makefile
  branches/2020Q3/x11/swaylock/files/
Thanks for the help.
A commit references this bug:

Author: jbeich
Date: Fri Jul 17 22:34:39 UTC 2020
New revision: 542454
URL: https://svnweb.freebsd.org/changeset/ports/542454

Log:
  x11/swaylock: limit root to authenticating child process

  Taken from initialize_pw_backend in shadow.c.

  PR:           248053

Changes:
  head/x11/swaylock/Makefile
  head/x11/swaylock/files/patch-pam.c
A commit references this bug:

Author: jbeich
Date: Fri Jul 17 22:35:20 UTC 2020
New revision: 542455
URL: https://svnweb.freebsd.org/changeset/ports/542455

Log:
  MFH: r542454

  x11/swaylock: limit root to authenticating child process

  Taken from initialize_pw_backend in shadow.c.

  PR:           248053
  Approved by:  ports-secteam blanket

Changes:
_U  branches/2020Q3/
  branches/2020Q3/x11/swaylock/Makefile
  branches/2020Q3/x11/swaylock/files/patch-pam.c