Bug 248053

Summary: x11/swaylock: Able to unlock screen with any password
Product: Ports & Packages Reporter: Ashish SHUKLA <ashish>
Component: Individual Port(s)Assignee: Jan Beich <jbeich>
Status: Closed FIXED    
Severity: Affects Only Me CC: andrew, raichoo
Priority: --- Flags: jbeich: maintainer-feedback+
jbeich: merge-quarterly+
Version: Latest   
Hardware: Any   
OS: Any   

Description Ashish SHUKLA freebsd_committer freebsd_triage 2020-07-17 20:18:43 UTC 
I have sway-1.5 installed on FreeBSD 12.1 (amd64) host. It's built with following options:

	MANPAGES       : on
	PIXBUF         : on

When I lock screen with `swaylock -d` started in Alacritty, I expect to type my user password to unlock, but turns out any password works :/

No changes are made to its PAM configuration:

================================================================================
#
# PAM configuration file for the swaylock screen locker. By default, it includes
# the 'login' configuration file (see /etc/pam.d/login)
#

auth include login
================================================================================

Contents of /etc/pam.d/login:

================================================================================#
# $FreeBSD: releng/12.1/lib/libpam/pam.d/login 170510 2007-06-10 18:57:20Z yar $
#
# PAM configuration for the "login" service
#

# auth
auth		sufficient	pam_self.so		no_warn
auth		include		system

# account
account		requisite	pam_securetty.so
account		required	pam_nologin.so
account		include		system

# session
session		include		system

# password
password	include		system
================================================================================

Thanks in advance
Comment 1 Andrew "RhodiumToad" Gierth 2020-07-17 20:40:23 UTC 
If I understand this correctly, the use of pam_self in pam.d/login means that a process already running under user X will always succeed in authenticating as user X, which is obviously not intended in this case.

Maybe it should use "auth include system" rather than "auth include login" ?
Comment 2 Jan Beich freebsd_committer freebsd_triage 2020-07-17 20:44:40 UTC 
See https://github.com/swaywm/swaylock/commit/dee002155b91
If you need working locker try x11-wm/hikari (CC raichoo@). No clue if its locker can be made to work on other compositors.

From: Jan Beich
To: Fredrik
Subject: Re: x11/swaylock
Date: Wed, 27 Feb 2019 20:16:18 +0100

Fredrik writes:

> Hi,
>
> You're the maintainer of the x11/swaylock port, do you use it?  If so, how?

No. I've simply created separate ports for whatever was split off
x11-wm/sway by upstream. File a bug if you want to maintain this port.

> It includes /usr/local/etc/pam.d/swaylock that has this,
>
>   auth include passwd
>
> However, there are no auth facilities specified in /etc/pam.d/passwd and it
> explicitly mentions that.  So, with my vague understanding of PAM, the
> /usr/local/etc/pam.d/swaylock config is unused and it will instead fall
> back to /etc/pam.d/other and auth will fail since we're not running as root
> and thus aren't allowed to authenticate the user with its corresponding
> password.

Better report upstream. I'm not a Unix admin, so haven't touched PAM in years.
Maybe PAM auth on FreeBSD requires root permissions.

See also https://github.com/swaywm/swaylock/issues/3#issuecomment-446575951

Index: x11/swaylock/Makefile
===================================================================
--- x11/swaylock/Makefile	(revision 494077)
+++ x11/swaylock/Makefile	(working copy)
@@ -2,6 +2,7 @@
 
 PORTNAME=	swaylock
 DISTVERSION=	1.3
+PORTREVISION=	1
 CATEGORIES=	x11
 
 MAINTAINER=	jbeich@FreeBSD.org
@@ -19,7 +20,7 @@ USE_GITHUB=	yes
 GH_ACCOUNT=	swaywm
 USE_GNOME=	cairo pango
 MESON_ARGS=	-Dswaylock-version="${DISTVERSIONFULL}"
-PLIST_FILES=	bin/${PORTNAME} \
+PLIST_FILES=	"@(,,4755) bin/${PORTNAME}" \
 		etc/pam.d/${PORTNAME} \
 		share/bash-completion/completions/${PORTNAME} \
 		share/fish/completions/${PORTNAME}.fish \
Index: x11/swaylock/files/patch-pam.c
===================================================================
--- x11/swaylock/files/patch-pam.c	(nonexistent)
+++ x11/swaylock/files/patch-pam.c	(working copy)
@@ -0,0 +1,17 @@
+--- pam.c.orig	2019-01-29 19:48:00 UTC
++++ pam.c
+@@ -12,12 +12,14 @@
+ static char *pw_buf = NULL;
+ 
+ void initialize_pw_backend(int argc, char **argv) {
++#ifdef __linux__
+ 	if (getuid() != geteuid() || getgid() != getegid()) {
+ 		swaylock_log(LOG_ERROR,
+ 			"swaylock is setuid, but was compiled with the PAM"
+ 			" backend. Run 'chmod a-s %s' to fix. Aborting.", argv[0]);
+ 		exit(EXIT_FAILURE);
+ 	}
++#endif
+ 	if (!spawn_comm_child()) {
+ 		exit(EXIT_FAILURE);
+ 	}
Comment 3 Ashish SHUKLA freebsd_committer freebsd_triage 2020-07-17 21:01:44 UTC 
(In reply to Jan Beich from comment #2)

Hi Jan,

Your patch (+ sed-ing etc/pam.d/swaylock with /^auth/s/login/system/) works.

Thanks!
Comment 4 commit-hook freebsd_committer freebsd_triage 2020-07-17 22:13:01 UTC 
A commit references this bug:

Author: jbeich
Date: Fri Jul 17 22:12:30 UTC 2020
New revision: 542450
URL: https://svnweb.freebsd.org/changeset/ports/542450

Log:
  x11/swaylock: unbreak PAM locking

  Since 1.5 it includes "login" service which doesn't ask for password
  from user running Wayland session. Before pam_authenticate(3) failed
  with PAM_AUTH_ERR due to missing permissions password database.

  PR:		248053
  Reported by:	many
  Submitted by:	andrew|_|tao11.riddles.org.uk, jbeich
  Tested by:	ashish

Changes:
  head/x11/swaylock/Makefile
  head/x11/swaylock/files/
  head/x11/swaylock/files/patch-pam.c
  head/x11/swaylock/files/patch-pam_swaylock
Comment 5 commit-hook freebsd_committer freebsd_triage 2020-07-17 22:15:03 UTC 
A commit references this bug:

Author: jbeich
Date: Fri Jul 17 22:14:24 UTC 2020
New revision: 542451
URL: https://svnweb.freebsd.org/changeset/ports/542451

Log:
  MFH: r542450

  x11/swaylock: unbreak PAM locking

  Since 1.5 it includes "login" service which doesn't ask for password
  from user running Wayland session. Before pam_authenticate(3) failed
  with PAM_AUTH_ERR due to missing permissions password database.

  PR:		248053
  Reported by:	many
  Submitted by:	andrew|_|tao11.riddles.org.uk, jbeich
  Tested by:	ashish
  Approved by:	ports-secteam blanket

Changes:
_U  branches/2020Q3/
  branches/2020Q3/x11/swaylock/Makefile
  branches/2020Q3/x11/swaylock/files/
Comment 6 Jan Beich freebsd_committer freebsd_triage 2020-07-17 22:16:05 UTC 
Thanks for the help.
Comment 7 commit-hook freebsd_committer freebsd_triage 2020-07-17 22:35:10 UTC 
A commit references this bug:

Author: jbeich
Date: Fri Jul 17 22:34:39 UTC 2020
New revision: 542454
URL: https://svnweb.freebsd.org/changeset/ports/542454

Log:
  x11/swaylock: limit root to authenticating child process

  Taken from initialize_pw_backend in shadow.c.

  PR:		248053

Changes:
  head/x11/swaylock/Makefile
  head/x11/swaylock/files/patch-pam.c
Comment 8 commit-hook freebsd_committer freebsd_triage 2020-07-17 22:36:12 UTC 
A commit references this bug:

Author: jbeich
Date: Fri Jul 17 22:35:20 UTC 2020
New revision: 542455
URL: https://svnweb.freebsd.org/changeset/ports/542455

Log:
  MFH: r542454

  x11/swaylock: limit root to authenticating child process

  Taken from initialize_pw_backend in shadow.c.

  PR:		248053
  Approved by:	ports-secteam blanket

Changes:
_U  branches/2020Q3/
  branches/2020Q3/x11/swaylock/Makefile
  branches/2020Q3/x11/swaylock/files/patch-pam.c