On Mon, Nov 15, 2021 at 11:50:41AM +0100, Peter N. M. Hansteen wrote:
> On Sun, Nov 14, 2021 at 12:25:45PM +0100, Matthieu Herrb wrote:
> > On Sun, Nov 14, 2021 at 10:44:40AM +0100, Peter N. M. Hansteen wrote:
> > > On Sat, Nov 13, 2021 at 12:16:22PM +0100, Matthieu Herrb wrote:
> > > >
> > > > did I miss something or is this still pending ?
> > >
> > > I just tested, the problem unfortunately persists.
> >
> > Strange, it works for me... At least with Landry's patch the new
> > package should display the unlock dialog now that
> > /usr/local/libexec/xfce4-screensaver-dialog is not setuid anymore...
> >
> > Are you sure you built and installed the patched
> > xfce4-screensaver--4.16.0p0 package ?
> >
> > Is /usr/local/libexec/xfce4-screensaver-ask-pass properly installed
> > setgid auth ? are you using 'nosuid' on your /usr/local partition ?
> >
> > Sorry for the newbie-like questions...
>
> A few oddities. My /usr/local was not nosuid, so I added the nosuid
> option to that partition's line in /etc/fstab and rebooted.

Hmm no, to have a chance to get a working xfce4-screensaver, /usr/local
should *not* be mounted nosuid (i.e. it should be mounted suid, which is
the default when no option is present).

> After the 5 minute timeout the screensaver kicked in and touching Ctrl
> gave me a password dialog, which however did not actually accept my password.
>
> Looking for the xfce4-screensaver-ask-pass binary I do not find it at all
> on my system. That's a bit odd isn't it?

Ok so you probably didn't install the patched version. And with
/usr/local mounted nosuid, the default helper
/usr/local/libexec/xfce4-screensaver-dialog starts (since its suid bit is
now ignored, and that was the root of the issue).

So to summarize: you should rebuild and install the patched version to
test.

    cd /usr/ports/x11/xfce4/xfce4-screensaver
    patch -p0 -E < /this/patch
    doas make clean=all
    doas make package FETCH_PACKAGES=
    doas make install

I'm adding Landry's patch below for reference :

-- 
Matthieu Herrb

? patchesno ? xfce4-screensaver-askpass.diff Index: Makefile =================================================================== RCS file: /cvs/ports/x11/xfce4/xfce4-screensaver/Makefile,v retrieving revision 1.11 diff -u -r1.11 Makefile --- Makefile 3 Jan 2021 17:34:23 -0000 1.11 +++ Makefile 1 Nov 2021 10:53:53 -0000 @@ -3,6 +3,7 @@ COMMENT = Xfce4 screensaver XFCE_GOODIE = xfce4-screensaver +REVISION = 0 # GPLv2 PERMIT_PACKAGE = Yes @@ -32,7 +33,13 @@ FAKE_FLAGS = menudir=${PREFIX}/share/examples/xfce4-screensaver/xdg/menus +CONFIGURE_ARGS += --with-passwd-helper=${LOCALBASE}/libexec/xfce4-screensaver-ask-pass + +post-build: + ${CC} ${CFLAGS} ${FILESDIR}/ask-pass.c -o ${WRKBUILD}/ask-pass + post-install: + ${INSTALL_PROGRAM} ${WRKBUILD}/ask-pass ${PREFIX}/libexec/xfce4-screensaver-ask-pass @mv ${WRKINST}/etc/xdg/autostart \ ${PREFIX}/share/examples/xfce4-screensaver/xdg/autostart rm -Rf ${WRKINST}/etc/xdg Index: files/ask-pass.c =================================================================== RCS file: files/ask-pass.c diff -N files/ask-pass.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/ask-pass.c 1 Nov 2021 10:53:53 -0000 
@@ -0,0 +1,84 @@ +/* $OpenBSD$ + * verifying typed passwords with bsd_auth(3) + * + * Copyright (c) 2009 Antoine Jacoutot <ajacou...@openbsd.org> + * Copyright (c) 2021 Landry Breuil <lan...@openbsd.org> + * Copyright (c) 2021 Natanael Copa <nc...@alpinelinux.org> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
+ */ + +#include <stdio.h> +#include <signal.h> +#include <err.h> +#include <fcntl.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> +#include <pwd.h> +#include <sys/types.h> + +#include <login_cap.h> +#include <bsd_auth.h> + +static void sighandler(int sig) +{ + if (sig > 0) + errx(sig, "caught signal %d", sig); +} + +static void setup_signals(void) +{ + struct sigaction action; + + memset((void *) &action, 0, sizeof(action)); + action.sa_handler = sighandler; + action.sa_flags = SA_RESETHAND; + sigaction(SIGILL, &action, NULL); + sigaction(SIGTRAP, &action, NULL); + sigaction(SIGBUS, &action, NULL); + sigaction(SIGSEGV, &action, NULL); + action.sa_handler = SIG_IGN; + action.sa_flags = 0; + sigaction(SIGTERM, &action, NULL); + sigaction(SIGHUP, &action, NULL); + sigaction(SIGINT, &action, NULL); + sigaction(SIGQUIT, &action, NULL); + sigaction(SIGALRM, &action, NULL); +} + +int +main (int argc, const char *argv[]) { + char pass[8192]; + int res, fd; + + /* Make sure standard file descriptors are connected */ + while ((fd = open("/dev/null", O_RDWR)) <= 2); + close(fd); + + setup_signals(); + + char *user = getlogin(); + if (user == NULL) + err (1, "failed to get login name"); + + int npass = read(STDIN_FILENO, pass, sizeof(pass)-1); + if (npass < 0) + err(1, "error reading password"); + pass[npass] = '\0'; + + /* authenticate */ + res = auth_userokay((char *)user, NULL, "auth-xfce-screensaver", pass); + + return !res; +} Index: pkg/PLIST =================================================================== RCS file: /cvs/ports/x11/xfce4/xfce4-screensaver/pkg/PLIST,v retrieving revision 1.5 diff -u -r1.5 PLIST --- pkg/PLIST 9 Nov 2020 17:57:59 -0000 1.5 +++ pkg/PLIST 1 Nov 2021 10:53:53 -0000 
@@ -4,9 +4,12 @@ bin/xfce4-screensaver-configure @bin bin/xfce4-screensaver-preferences libexec/xfce4-screensaver/ -@mode u+s -@bin libexec/xfce4-screensaver-dialog +@mode g+s +@group auth +@bin libexec/xfce4-screensaver-ask-pass +@group @mode +@bin libexec/xfce4-screensaver-dialog @bin libexec/xfce4-screensaver-gl-helper @bin libexec/xfce4-screensaver/floaters @bin libexec/xfce4-screensaver/popsquares
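
Review bot: In the second Makefile hunk, the post-build rule builds ${FILESDIR}/ask-pass.c with ${CC} ${CFLAGS} only, so any ${LDFLAGS} set for the port are not applied to the one binary that is installed setgid; consider passing them as well. A one-line comment above the CONFIGURE_ARGS += --with-passwd-helper=... line saying that this helper replaces the setuid dialog would also help whoever touches the port next.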
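
Review bot: In main() of files/ask-pass.c, the loop while ((fd = open("/dev/null", O_RDWR)) <= 2); never terminates if open() fails, because the -1 it returns also satisfies <= 2; test for -1 and exit with err() instead of looping again. In the same file, sighandler() calls errx(), which is not async-signal-safe, so _exit() would be the safer call from a handler for SIGSEGV and friends, and <pwd.h> is included although the user name comes from getlogin() alone and nothing from that header is used.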
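
Review bot: In the pkg/PLIST hunk, the requirement that the new @mode g+s / @group auth helper only works when /usr/local is not mounted nosuid is not documented anywhere in the change, and the thread above shows a tester tripping over exactly that. An @comment next to the libexec/xfce4-screensaver-ask-pass entry, or a line in the port's README, stating the requirement would be enough.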
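
The two checks asked for in the thread (is the helper installed setgid auth, and is /usr/local mounted nosuid), written as an added example that is not part of the original message or of the port. It assumes mount(8) output of the form "device on /mountpoint (options)" and a standard ls -l line; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample inputs are constructed.
SAMPLE_MOUNT='/dev/sd0a on / (ffs, local)
/dev/sd0e on /usr/local (ffs, local, nodev, nosuid, wxallowed)
/dev/sd0d on /usr (ffs, local, nodev)'
SAMPLE_LS='-r-xr-sr-x  1 root  auth  11240 Nov  1 10:53 xfce4-screensaver-ask-pass'
HELPER=/usr/local/libexec/xfce4-screensaver-ask-pass

# mount_opts_for PATH: mount(8) output on stdin; prints the option list of
# the longest mount point that contains PATH.
mount_opts_for() {
	awk -v p="$1" '
	$2 == "on" {
		mp = $3
		pre = (mp == "/") ? "/" : mp "/"
		if ((p == mp || index(p "/", pre) == 1) && length(mp) > best) {
			best = length(mp)
			opts = $0
			sub(/^[^(]*\(/, "", opts)
			sub(/\).*$/, "", opts)
		}
	}
	END { print opts }'
}

# has_nosuid PATH: succeeds if the filesystem holding PATH is mounted nosuid,
# in which case setuid and setgid bits on files there are ignored.
has_nosuid() {
	mount_opts_for "$1" | tr ',' '\n' | sed 's/^ *//' | grep -qx nosuid
}

# is_setgid_auth: one "ls -l" line on stdin; succeeds if the group-execute
# slot shows the setgid bit and the group is auth.
is_setgid_auth() {
	awk 'substr($1, 7, 1) == "s" && $4 == "auth" { ok = 1 } END { exit !ok }'
}

# Demonstration on the constructed samples.
if printf '%s\n' "$SAMPLE_LS" | is_setgid_auth; then
	echo "helper is setgid auth"
fi
if printf '%s\n' "$SAMPLE_MOUNT" | has_nosuid "$HELPER"; then
	echo "but $HELPER sits on a nosuid mount, so the setgid bit is ignored"
fi
```

On a live system, pipe the real output in instead of the samples: `mount | has_nosuid "$HELPER"` and `ls -l "$HELPER" | is_setgid_auth`.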