Package: suckless-tools
Version: 40-1
Tags: patch

slock uses the password in /etc/shadow for authentication, which causes
problems for setups that use some other mechanism for login (NIS
passwords, fingerprint readers, etc) and have no password set in
/etc/shadow. It also means that slock can't do stuff like unlock the
gnome-keyring login password with pam_gnome_keyring.so.

The attached patch adds PAM support to slock in Debian following the
model of dmenu's xft support or tabbed's meta support. It seems the way
to apply this would be to quilt pop -a, then apply the patch, then quilt
push -a.

There is also a different patch from 2010 to do the same thing,[1] if
for some reason you don't like this one.

Upstream doesn't seem to like this idea much,[2][3][4][5] so I hope
Debian will pick it up.

 [1]: http://lists.suckless.org/dev/1011/6405.html
 [2]: http://lists.suckless.org/dev/1011/6407.html
 [3]: http://lists.suckless.org/dev/1011/6413.html
 [4]: http://lists.suckless.org/dev/1011/6414.html
 [5]: http://lists.suckless.org/dev/1011/6416.html
diff -urN suckless-tools-40/debian/local/slock.pam suckless-tools-40.tmp/debian/local/slock.pam
--- suckless-tools-40/debian/local/slock.pam	1969-12-31 19:00:00.000000000 -0500
+++ suckless-tools-40.tmp/debian/local/slock.pam	2014-02-20 09:48:52.386934433 -0500
@@ -0,0 +1,158 @@
+diff -ur slock/config.mk slock.pam/config.mk
+--- slock/config.mk	2014-02-20 09:44:54.222940891 -0500
++++ slock.pam/config.mk	2014-02-20 09:45:02.286940672 -0500
+@@ -7,15 +7,17 @@
+ PREFIX = /usr/local
+ 
+ # includes and libs
+-LIBS = -lc -lcrypt -lX11 -lXext
++LIBS = -lc -lpam -lX11 -lXext
+ 
+ # flags
+-CPPFLAGS += -DVERSION=\"${VERSION}\" -DHAVE_SHADOW_H -DCOLOR1=\"black\" -DCOLOR2=\"\#005577\"
++CPPFLAGS += -DVERSION=\"${VERSION}\" -DHAVE_PAM -DCOLOR1=\"black\" -DCOLOR2=\"\#005577\"
+ CFLAGS += -std=c99 -pedantic -Wall ${CPPFLAGS}
+ LDFLAGS += ${LIBS}
+ 
+ # On *BSD remove -DHAVE_SHADOW_H from CPPFLAGS and add -DHAVE_BSD_AUTH
+ # On OpenBSD and Darwin remove -lcrypt from LIBS
++# On Linux, remove -DHAVE_SHADOW_H from CPPFLAGS and add -DHAVE_PAM
++# On Linux, remove -lcrypt from LIBS and add -lpam
+ 
+ # compiler and linker
+ CC = cc
+diff -ur slock/Makefile slock.pam/Makefile
+--- slock/Makefile	2014-02-20 09:44:54.214940891 -0500
++++ slock.pam/Makefile	2014-02-20 09:46:34.526938171 -0500
+@@ -37,15 +37,11 @@
+ install: all
+ 	@echo installing executable file to ${DESTDIR}${PREFIX}/bin
+ 	mkdir -p ${DESTDIR}${PREFIX}/bin
+-	cp -f slock ${DESTDIR}${PREFIX}/bin
+-	chmod 755 ${DESTDIR}${PREFIX}/bin/slock
+-	chgrp shadow ${DESTDIR}${PREFIX}/bin/slock
+-	chmod g+s ${DESTDIR}${PREFIX}/bin/slock
+-	# debian specific
+-	mv ${DESTDIR}${PREFIX}/bin/slock ${DESTDIR}/${PREFIX}/bin/slock.default
++	cp -f slock ${DESTDIR}${PREFIX}/bin/slock.pam
++	chmod 755 ${DESTDIR}${PREFIX}/bin/slock.pam
+ 
+ uninstall:
+ 	@echo removing executable file from ${DESTDIR}${PREFIX}/bin
+-	rm -f ${DESTDIR}${PREFIX}/bin/slock
++	rm -f ${DESTDIR}${PREFIX}/bin/slock.pam
+ 
+ .PHONY: all options clean dist install uninstall
+diff -ur slock/slock.c slock.pam/slock.c
+--- slock/slock.c	2012-10-25 15:00:04.000000000 -0400
++++ slock.pam/slock.c	2014-02-20 09:45:02.286940672 -0500
+@@ -23,6 +23,10 @@
+ #include <bsd_auth.h>
+ #endif
+ 
++#if HAVE_PAM
++#include <security/pam_appl.h>
++#endif
++
+ typedef struct {
+ 	int screen;
+ 	Window root, win;
+@@ -44,7 +48,7 @@
+ 	exit(EXIT_FAILURE);
+ }
+ 
+-#ifndef HAVE_BSD_AUTH
++#if !defined(HAVE_BSD_AUTH) && !defined(HAVE_PAM)
+ static const char *
+ getpw(void) { /* only run as root */
+ 	const char *rval;
+@@ -74,8 +78,52 @@
+ }
+ #endif
+ 
++#ifdef HAVE_PAM
++static int
++pam_conversation(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *passwd) {
++    struct pam_response *reply = malloc(sizeof(struct pam_response));
++    if(reply == NULL)
++        return PAM_CONV_ERR;
++
++    reply->resp_retcode = 0;
++    reply->resp = strdup(passwd);
++    if(reply->resp == NULL) {
++        free(reply);
++        return PAM_CONV_ERR;
++    }
++
++    *resp = reply;
++    return PAM_SUCCESS;
++}
++
++static int
++pam_auth(const char *password) {
++    int retval;
++    pam_handle_t *pamh;
++    struct pam_conv pamc = {
++        pam_conversation, (void *)password
++    };
++
++    // Open PAM
++    retval = pam_start("slock", getenv("USER"), &pamc, &pamh);
++
++    // Authenticate user
++    if (retval == PAM_SUCCESS)
++        retval = pam_authenticate(pamh, 0);
++
++    // Check account status
++    if (retval == PAM_SUCCESS)
++        retval = pam_acct_mgmt(pamh, 0);
++
++    // Close PAM handle
++    pam_end(pamh, retval);
++
++    return (retval == PAM_SUCCESS ? 0 : 1);
++}
++#endif
++
+ static void
+-#ifdef HAVE_BSD_AUTH
++#if defined(HAVE_BSD_AUTH) || defined(HAVE_PAM)
+ readpw(Display *dpy)
+ #else
+ readpw(Display *dpy, const char *pws)
+@@ -113,6 +161,8 @@
+ 				passwd[len] = 0;
+ #ifdef HAVE_BSD_AUTH
+ 				running = !auth_userokay(getlogin(), NULL, "auth-xlock", passwd);
++#elif defined(HAVE_PAM)
++                                running = pam_auth(passwd);
+ #else
+ 				running = strcmp(crypt(passwd, pws), pws);
+ #endif
+@@ -233,7 +283,7 @@
+ 
+ int
+ main(int argc, char **argv) {
+-#ifndef HAVE_BSD_AUTH
++#if !defined(HAVE_BSD_AUTH) && !defined(HAVE_PAM)
+ 	const char *pws;
+ #endif
+ 	Display *dpy;
+@@ -247,7 +297,7 @@
+ 	if(!getpwuid(getuid()))
+ 		die("slock: no passwd entry for you");
+ 
+-#ifndef HAVE_BSD_AUTH
++#if !defined(HAVE_BSD_AUTH) && !defined(HAVE_PAM)
+ 	pws = getpw();
+ #endif
+ 
+@@ -273,7 +323,7 @@
+ 	}
+ 
+ 	/* Everything is now blank. Now wait for the correct password. */
+-#ifdef HAVE_BSD_AUTH
++#if defined(HAVE_BSD_AUTH) || defined(HAVE_PAM)
+ 	readpw(dpy);
+ #else
+ 	readpw(dpy, pws);
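Review bot: `pam_conversation` in the new slock.c code allocates a single `struct pam_response` and ignores both `num_msg` and `msg_style`, although PAM treats `*resp` as an array with one entry per message; a stack that sends more than one message would be read and freed past the allocation, and any informational or echo-on prompt is answered with the typed password. In `pam_auth`, `pamh` is uninitialised and `pam_end(pamh, retval)` still runs when `pam_start` failed, so the handle should start as NULL and the function should return early on that failure. The user name comes from `getenv("USER")`, which may be unset or may not match the invoking uid; `main` already calls `getpwuid(getuid())`, so the name can be taken from that entry. The diff as shown adds no PAM service file for "slock", so authentication presumably falls through to the system's default policy, which is worth confirming before this ships.

```c
static int
pam_conversation(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *passwd) {
    struct pam_response *reply;
    int i;

    if(num_msg <= 0 || num_msg > PAM_MAX_NUM_MSG)
        return PAM_CONV_ERR;

    /* one zeroed response slot per message, as the PAM caller expects */
    reply = calloc(num_msg, sizeof(*reply));
    if(reply == NULL)
        return PAM_CONV_ERR;

    for(i = 0; i < num_msg; i++) {
        /* only a hidden prompt is answered with the typed password */
        if(msg[i]->msg_style != PAM_PROMPT_ECHO_OFF)
            continue;
        reply[i].resp = strdup(passwd);
        if(reply[i].resp == NULL) {
            while(i-- > 0)
                free(reply[i].resp);
            free(reply);
            return PAM_CONV_ERR;
        }
    }

    *resp = reply;
    return PAM_SUCCESS;
}

static int
pam_auth(const char *password) {
    int retval;
    pam_handle_t *pamh = NULL;
    struct passwd *pw = getpwuid(getuid());
    /* ... unchanged: struct pam_conv pamc initialiser ... */

    if(pw == NULL)
        return 1;

    retval = pam_start("slock", pw->pw_name, &pamc, &pamh);
    if(retval != PAM_SUCCESS)
        return 1; /* no valid handle to hand to pam_end */

    /* ... unchanged: pam_authenticate, pam_acct_mgmt, pam_end, return ... */
}
```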
diff -urN suckless-tools-40/debian/patches/2003_transparent-makefiles.patch suckless-tools-40.pam/debian/patches/2003_transparent-makefiles.patch
--- suckless-tools-40/debian/patches/2003_transparent-makefiles.patch	2013-08-04 02:29:57.000000000 -0400
+++ suckless-tools-40.pam/debian/patches/2003_transparent-makefiles.patch	2014-02-20 09:40:58.394947285 -0500
@@ -467,7 +467,12 @@
  
  install: all
  	@echo installing executable file to ${DESTDIR}${PREFIX}/bin
-@@ -46,6 +44,6 @@ install: all
+@@ -43,9 +41,11 @@ install: all
+ 	chmod 755 ${DESTDIR}${PREFIX}/bin/slock
+ 	chgrp shadow ${DESTDIR}${PREFIX}/bin/slock
+ 	chmod g+s ${DESTDIR}${PREFIX}/bin/slock
++	# debian specific
++	mv ${DESTDIR}${PREFIX}/bin/slock ${DESTDIR}/${PREFIX}/bin/slock.default
  
  uninstall:
  	@echo removing executable file from ${DESTDIR}${PREFIX}/bin
diff -urN suckless-tools-40/debian/postinst suckless-tools-40.pam/debian/postinst
--- suckless-tools-40/debian/postinst	2013-07-27 10:59:33.000000000 -0400
+++ suckless-tools-40.pam/debian/postinst	2014-02-20 09:35:16.106956566 -0500
@@ -8,6 +8,8 @@
         update-alternatives --quiet --install /usr/bin/dmenu dmenu /usr/bin/dmenu.xft 50
         update-alternatives --quiet --install /usr/bin/tabbed tabbed /usr/bin/tabbed.default 100
         update-alternatives --quiet --install /usr/bin/tabbed tabbed /usr/bin/tabbed.meta 50
+        update-alternatives --quiet --install /usr/bin/slock slock /usr/bin/slock.default 100
+        update-alternatives --quiet --install /usr/bin/slock slock /usr/bin/slock.pam 50
         ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
diff -urN suckless-tools-40/debian/prerm suckless-tools-40.pam/debian/prerm
--- suckless-tools-40/debian/prerm	2013-06-12 11:03:42.000000000 -0400
+++ suckless-tools-40.pam/debian/prerm	2014-02-20 09:28:28.694967612 -0500
@@ -7,6 +7,8 @@
         update-alternatives --quiet --remove dmenu /usr/bin/dmenu.xft
         update-alternatives --quiet --remove tabbed /usr/bin/tabbed.default
         update-alternatives --quiet --remove tabbed /usr/bin/tabbed.meta
+        update-alternatives --quiet --remove slock /usr/bin/slock.default
+        update-alternatives --quiet --remove slock /usr/bin/slock.pam
         ;;
 
     upgrade|failed-upgrade)
diff -urN suckless-tools-40/debian/README.source suckless-tools-40.pam/debian/README.source
--- suckless-tools-40/debian/README.source	2013-09-07 07:27:27.000000000 -0400
+++ suckless-tools-40.pam/debian/README.source	2014-02-20 09:34:54.094957163 -0500
@@ -27,12 +27,13 @@
 into debian/local/ folder and also make sure you name the patch as
 tool.alternative.
 
-Two patches currently used to provide alternatives are
+Three patches currently used to provide alternatives are
 
  1. dmenu.xft : Provides xft support for dmenu
  2. tabbed.meta: use meta key as modifier key for tabbed
+ 3. slock.pam: Use PAM instead of /etc/shadow
 
-These patches are borrowed from respective tools suckless web site
+The first two patches are borrowed from respective tools suckless web site
 page[1][2]  and modified later to rename the binaries to same as the
 patch name to avoid collision with original tool.
 
diff -urN suckless-tools-40/debian/suckless-tools.lintian-overrides suckless-tools-40.pam/debian/suckless-tools.lintian-overrides
--- suckless-tools-40/debian/suckless-tools.lintian-overrides	2012-11-13 08:20:19.000000000 -0500
+++ suckless-tools-40.pam/debian/suckless-tools.lintian-overrides	2014-02-20 09:51:22.330930368 -0500
@@ -1 +1 @@
-suckless-tools: setgid-binary usr/bin/slock 2755 root/shadow
+suckless-tools: setgid-binary usr/bin/slock.default 2755 root/shadow
diff -urN suckless-tools-40/debian/suckless-tools.manpages suckless-tools-40.tmp/debian/suckless-tools.manpages
--- suckless-tools-40/debian/suckless-tools.manpages	2013-05-11 05:33:39.000000000 -0400
+++ suckless-tools-40.tmp/debian/suckless-tools.manpages	2014-02-20 09:57:59.786919591 -0500
@@ -2,6 +2,7 @@
 debian/manpages/sselp.1
 debian/manpages/lsx.1
 debian/manpages/swarp.1
-debian/manpages/slock.1
+debian/manpages/slock.default.1
+debian/manpages/slock.pam.1
 debian/manpages/dmenu_run.1
 debian/manpages/ssid.1
\ No newline at end of file
diff -urN suckless-tools-40/debian/manpages/slock.1 suckless-tools-40.tmp/debian/manpages/slock.1
--- suckless-tools-40/debian/manpages/slock.1	2012-11-13 08:20:19.000000000 -0500
+++ suckless-tools-40.tmp/debian/manpages/slock.1	1969-12-31 19:00:00.000000000 -0500
@@ -1,34 +0,0 @@
-.TH SLOCK 1 "2008-08-03" "0.9" "suckless-tools"
-
-.SH NAME
-slock \- simple screen locker
-
-.SH SYNOPSIS
-.B slock
-.RB [ \-v ]
-
-.SH DESCRIPTION
-.B slock
-is a simple screen locker utility for X.
-The screen will be kept in an inert state until
-the user types his password. In doing so there
-is no visual indication that anything is going on,
-except possibly a slight glow from the background.
-
-.SH OPTIONS
-.B slock
-prints its version when fed with \fB\-v\fR.
-
-.SH ENVIRONMENT
-.B slock
-uses DISPLAY to determine which display to act on.
-
-.SH SEE ALSO
-.B Homepage
-<\fIhttp://www.suckless.org/\fR>
-
-.SH AUTHOR
-slock was written by Anselm R. Garbe <\[email protected]\fR>.
-.PP
-This manual page was written by Daniel Baumann <\[email protected]\fR>,
-for the Debian project (but may be used by others).
diff -urN suckless-tools-40/debian/manpages/slock.default.1 suckless-tools-40.tmp/debian/manpages/slock.default.1
--- suckless-tools-40/debian/manpages/slock.default.1	1969-12-31 19:00:00.000000000 -0500
+++ suckless-tools-40.tmp/debian/manpages/slock.default.1	2012-11-13 08:20:19.000000000 -0500
@@ -0,0 +1,34 @@
+.TH SLOCK 1 "2008-08-03" "0.9" "suckless-tools"
+
+.SH NAME
+slock \- simple screen locker
+
+.SH SYNOPSIS
+.B slock
+.RB [ \-v ]
+
+.SH DESCRIPTION
+.B slock
+is a simple screen locker utility for X.
+The screen will be kept in an inert state until
+the user types his password. In doing so there
+is no visual indication that anything is going on,
+except possibly a slight glow from the background.
+
+.SH OPTIONS
+.B slock
+prints its version when fed with \fB\-v\fR.
+
+.SH ENVIRONMENT
+.B slock
+uses DISPLAY to determine which display to act on.
+
+.SH SEE ALSO
+.B Homepage
+<\fIhttp://www.suckless.org/\fR>
+
+.SH AUTHOR
+slock was written by Anselm R. Garbe <\[email protected]\fR>.
+.PP
+This manual page was written by Daniel Baumann <\[email protected]\fR>,
+for the Debian project (but may be used by others).
diff -urN suckless-tools-40/debian/manpages/slock.pam.1 suckless-tools-40.tmp/debian/manpages/slock.pam.1
--- suckless-tools-40/debian/manpages/slock.pam.1	1969-12-31 19:00:00.000000000 -0500
+++ suckless-tools-40.tmp/debian/manpages/slock.pam.1	2014-02-20 09:56:20.042922296 -0500
@@ -0,0 +1,34 @@
+.TH SLOCK 1 "2008-08-03" "0.9" "suckless-tools"
+
+.SH NAME
+slock \- simple screen locker
+
+.SH SYNOPSIS
+.B slock
+.RB [ \-v ]
+
+.SH DESCRIPTION
+.B slock
+is a simple screen locker utility for X.
+The screen will be kept in an inert state until
+the user types his password. In doing so there
+is no visual indication that anything is going on,
+except possibly a slight glow from the background.
+
+.SH OPTIONS
+.B slock
+prints its version when fed with \fB\-v\fR.
+
+.SH ENVIRONMENT
+.B slock
+uses DISPLAY to determine which display to act on.
+
+.SH SEE ALSO
+.B Homepage
+<\fIhttp://www.suckless.org/\fR>
+
+.SH AUTHOR
+slock was written by Anselm R. Garbe <\[email protected]\fR>.
+.PP
+This manual page was written by Daniel Baumann <\[email protected]\fR>,
+for the Debian project (but may be used by others).
