Hello community, here is the log from the commit of package vlock for openSUSE:Factory checked in at 2014-02-19 07:25:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/vlock (Old) and /work/SRC/openSUSE:Factory/.vlock.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "vlock" Changes: -------- --- /work/SRC/openSUSE:Factory/vlock/vlock.changes 2011-10-12 16:17:14.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.vlock.new/vlock.changes 2014-02-19 07:25:40.000000000 +0100 @@ -1,0 +2,8 @@ +Mon Feb 17 13:11:59 UTC 2014 - [email protected] + +- add patch to use unix2_chkpwd to authenticate to avoid the need + to set vlock-main sgid shadow + * vlock-2.2.3-use-unix2_chkpwd.diff +- no longer require permissions, no special permissions are needed + +------------------------------------------------------------------- New: ---- vlock-2.2.3-use-unix2_chkpwd.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ vlock.spec ++++++ --- /var/tmp/diff_new_pack.ZARo8c/_old 2014-02-19 07:25:41.000000000 +0100 +++ /var/tmp/diff_new_pack.ZARo8c/_new 2014-02-19 07:25:41.000000000 +0100 @@ -1,7 +1,8 @@ # -# spec file for package vlock (Version 2.2.3) +# spec file for package vlock # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 B1 Systems GmbH, Vohburg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -15,22 +16,22 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # -# norootforbuild - Name: vlock BuildRequires: pam-devel Version: 2.2.3 -Release: 1 -PreReq: permissions -AutoReqProv: on -Group: System/Console -License: GPL-2.0+ +Release: 0 Url: http://cthulhu.c3d2.de/~toidinamai/vlock/vlock.html Summary: It allows you to lock your console display +License: GPL-2.0+ +Group: System/Console Source: %{name}-%{version}.tar.gz Source1: %{name}.pamd Patch0: vlock-2.2.2-security.diff +# PATCH-FEATURE-OPENSUSE vlock-2.2.3-use-unix2_chkpwd.diff +Patch1: vlock-2.2.3-use-unix2_chkpwd.diff +# for unix2_chkpwd +Requires: pam-modules BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -46,10 +47,12 @@ %prep %setup -q %patch0 +%patch1 -p1 %build # not a real configure script, can't use macro :-/ -./configure --prefix=%{_prefix} --libdir=%{_libdir} +./configure --prefix=%{_prefix} --libdir=%{_libdir} \ + --enable-unix2_chkpwd make %{?_smp_mflags} CFLAGS="%{optflags} -W -pedantic -std=gnu99" %install @@ -63,12 +66,6 @@ install -D -m 0755 modules/new.so %{buildroot}%{_libdir}/vlock/modules/new.so install -D -m 0755 modules/nosysrq.so %{buildroot}%{_libdir}/vlock/modules/nosysrq.so -%post -%set_permissions %{_sbindir}/vlock-main - -%verifyscript -%verify_permissions -e %{_sbindir}/vlock-main - %clean rm -rf %{buildroot} ++++++ vlock-2.2.3-use-unix2_chkpwd.diff ++++++ Subject: add the possibility to use external unix2_chkpwd program to authenticate Author: Stefan Seyfried <[email protected]> This adds the configure option "--enable-unix2_chkpwd" which uses external /sbin/unix2_chkpwd from pam-modules package to authenticate the user. The benefit is that vlock-main does not need sgid shadow to be able to read the crypted password, because this all is handled by unix2_chkpwd Index: b/Makefile =================================================================== --- a/Makefile +++ b/Makefile @@ -98,10 +98,11 @@ override CFLAGS += -Isrc vlock-main: vlock-main.o prompt.o auth-$(AUTH_METHOD).o console_switch.o util.o auth-pam.o: auth-pam.c prompt.h auth.h auth-shadow.o: auth-shadow.c prompt.h auth.h +auth-unix2_chkpwd.o: auth-unix2_chkpwd.c prompt.h auth.h prompt.o: prompt.c prompt.h vlock-main.o: vlock-main.c auth.h prompt.h util.h plugins.o: plugins.c tsort.h plugin.h plugins.h list.h util.h module.o : override CFLAGS += -DVLOCK_MODULE_DIR="\"$(MODULEDIR)\"" module.o: module.c plugin.h list.h util.h Index: b/configure =================================================================== --- a/configure +++ b/configure @@ -76,14 +76,14 @@ enable_feature() { ENABLE_PLUGINS="$2" ;; root-password) ENABLE_ROOT_PASSWORD="$2" ;; - pam|shadow) + pam|shadow|unix2_chkpwd) if [ "$2" = "yes" ] ; then if [ -n "$auth_method" ] && [ "$auth_method" != "$1" ] ; then - fatal_error "pam and shadow authentication are mutually exclusive" + fatal_error "pam, shadow and unix2_chkpwd authentication are mutually exclusive" fi AUTH_METHOD="$1" else fatal_error "cannot disable authentication" fi Index: b/src/auth-unix2_chkpwd.c =================================================================== --- /dev/null +++ b/src/auth-unix2_chkpwd.c @@ -0,0 +1,107 @@ +/* auth-unix2_chkpwd.c -- authentification routine for vlock, + * the VT locking program for linux + * using external unix2_chkpwd binary + * + * This code is copyright (C) 2014 Stefan Seyfried, based on auth-shadow + * which is copyright (C) 2007 Frank Benkstein, and is free + * software which is freely distributable under the terms of the + * GNU General Public License version 2, included as the file COPYING in this + * distribution. It is NOT public domain software, and any + * redistribution not permitted by the GNU General Public License is + * expressly forbidden without prior written permission from + * the author. + * + */ + +/* for crypt() */ +#define _XOPEN_SOURCE + +#ifndef __FreeBSD__ +/* for asprintf() */ +#define _GNU_SOURCE +#endif + +#include <stdbool.h> +#include <unistd.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> + +#include <sys/types.h> +#include <sys/wait.h> +#include <pwd.h> +#include <errno.h> +#include "auth.h" +#include "prompt.h" + +bool auth(const char *user, struct timespec *timeout) +{ + char *pwd = NULL; + char *msg; + struct passwd *pw = NULL; + int pfd[2], status; + pid_t pid; + int result = false; + + /* format the prompt */ + if (asprintf(&msg, "%s's Password: ", user) < 0) + return false; + + pw = getpwnam(user); + if (! pw) + goto out; + + if ((pwd = prompt_echo_off(msg, timeout)) == NULL) + goto out; + + if (pipe(pfd) < 0) { + perror("vlock: pipe() failed"); + goto out; + } + + if ((pid = fork()) < 0) { + perror("vlock: fork() failed"); + close(pfd[0]); + close(pfd[1]); + goto out; + } + + if (pid == 0) { + close(pfd[1]); + if (pfd[0] != 0) + dup2(pfd[0], 0); + + /* Helper is invoked as helper service-name [user] */ + // printf("calling '/sbin/unix2_chkpwd vlock %s'\n", pw->pw_name); + execlp("/sbin/unix2_chkpwd", "/sbin/unix2_chkpwd", "vlock", pw->pw_name, NULL); + /* we should not come here! */ + perror("vlock: execlp(/sbin/unix2_chkpwd)"); + exit(1); + } + + close(pfd[0]); + /* Write out password to helper process */ + write(pfd[1], pwd, strlen(pwd)); + close(pfd[1]); + + while (waitpid(pid, &status, 0) < 0) { + if (errno == EINTR) + continue; + perror("vlock: waitpid() failed"); + goto out; + } + + if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) + fprintf(stderr, "vlock: Authentication error\n"); /* no sleep needed, unix2_chkpwd already does that */ + else + result = true; + +out: + /* free the password, free(NULL) is ok */ + free(pwd); + + /* free the prompt */ + free(msg); + + return result; +} -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
