File gnome-screensaver-helper.patch of Package gnome-screensaver
reverted: Index: gnome-screensaver-3.2.1/configure.ac =================================================================== --- gnome-screensaver-3.2.1.orig/configure.ac +++ gnome-screensaver-3.2.1/configure.ac 
@@ -448,6 +448,55 @@ if test "$ac_macosx" = yes; then fi dnl --------------------------------------------------------------------------- +dnl Authentication scheme +dnl --------------------------------------------------------------------------- + +AC_ARG_ENABLE(authentication-scheme, + AS_HELP_STRING([--enable-authentication-scheme=@<:@auto/pam/helper@:>@], + [Choose a specific authentication scheme @<:@default=auto@:>@]), + , [enable_authentication_scheme=auto]) + +AUTH_SCHEME=$enable_authentication_scheme + +dnl --------------------------------------------------------------------------- +dnl - Check for external password helper (SUSE) +dnl --------------------------------------------------------------------------- +# On SuSE, instead of having xscreensaver be a setuid program, they +# fork an external program that takes the password on stdin, and +# returns true if that password is a valid one. Then only that +# smaller program needs to be setuid. +# +# (Note that this external program is not a GUI: the GUI is still +# all in xscreensaver itself; the external program just does auth.) 
+ +AC_ARG_WITH(passwd-helper, + AS_HELP_STRING([--with-passwd-helper], + [Include support for an external password verification helper program.]), + [with_passwd_helper="$withval"], + [with_passwd_helper=no]) + +have_passwd_helper=no + +if test "x$AUTH_SCHEME" = "xhelper" -o "x$AUTH_SCHEME" = "xauto"; then + if test "$enable_locking" = no ; then + with_passwd_helper=no + fi + + case "$with_passwd_helper" in + ""|no) + if test "x$AUTH_SCHEME" = "xhelper"; then + AC_MSG_ERROR([Password helper support requested --with-passwd-helper not used]) + fi;; + /*) + AC_DEFINE_UNQUOTED(PASSWD_HELPER_PROGRAM, "$with_passwd_helper", [Full pathname of password helper application]) + have_passwd_helper=yes + AUTH_SCHEME=helper;; + *) + AC_MSG_ERROR(["--with-passwd-helper needs full pathname of helper, not '$with_passwd_helper'"]);; + esac +fi + +dnl --------------------------------------------------------------------------- dnl - Check for bsd_auth(3) (OpenBSD) dnl --------------------------------------------------------------------------- 
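Review bot: The value of --enable-authentication-scheme is copied into AUTH_SCHEME without validation, so a misspelled scheme matches neither the helper test here nor the bsdauth test in the next hunk, and configure quietly falls through to the PAM check instead of failing. Reject unknown values right after `AUTH_SCHEME=$enable_authentication_scheme`, e.g. `case "$AUTH_SCHEME" in auto|pam|helper|bsdauth) ;; *) AC_MSG_ERROR([unknown authentication scheme '$AUTH_SCHEME']) ;; esac`. The help string lists only auto/pam/helper although the next hunk also accepts bsdauth. With --enable-authentication-scheme=helper and locking disabled, with_passwd_helper is reset to no, so the error blames a missing --with-passwd-helper even when one was given.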
@@ -455,28 +504,30 @@ have_bsdauth=no with_bsdauth_req=unspecified NEED_SETUID=no -case "$host" in - *-openbsd*) - with_bsdauth=yes - AUTH_SCHEME=bsdauth - NEED_SETUID=no - if test "x$enable_locking" = "xyes"; then - with_bsdauth_req=yes - NEED_SETUID=yes +if test "x$AUTH_SCHEME" = "xbsdauth" -o "x$AUTH_SCHEME" = "xauto"; then + case "$host" in + *-openbsd*) + with_bsdauth=yes + AUTH_SCHEME=bsdauth + NEED_SETUID=no + if test "x$enable_locking" = "xyes"; then + with_bsdauth_req=yes + NEED_SETUID=yes + fi + esac + + if test "$with_bsdauth" = yes ; then + AC_CACHE_CHECK([for BSD Authentication], ac_cv_bsdauth, + [AC_TRY_X_COMPILE([#include <stdlib.h> + #include <unistd.h> + #include <sys/types.h> + #include <bsd_auth.h>], + [int ok = auth_userokay("x", 0, "x", "x");], + [ac_cv_bsdauth=yes], + [ac_cv_bsdauth=no])]) + if test "$ac_cv_bsdauth" = yes; then + have_bsdauth=yes fi -esac - -if test "$with_bsdauth" = yes ; then - AC_CACHE_CHECK([for BSD Authentication], ac_cv_bsdauth, - [AC_TRY_X_COMPILE([#include <stdlib.h> - #include <unistd.h> - #include <sys/types.h> - #include <bsd_auth.h>], - [int ok = auth_userokay("x", 0, "x", "x");], - [ac_cv_bsdauth=yes], - [ac_cv_bsdauth=no])]) - if test "$ac_cv_bsdauth" = yes; then - have_bsdauth=yes fi fi @@ -506,7 +557,7 @@ fi AC_SUBST(PAM_PREFIX) have_pam=no -if test "x$enable_locking" = "xyes" -a "x$have_bsdauth" = "xno"; then +if test "x$enable_locking" = "xyes" -a "x$have_bsdauth" != "xyes" -a "x$have_passwd_helper" != "xyes"; then AC_CHECK_LIB(pam, pam_start, have_pam=yes) fi @@ -546,7 +597,7 @@ if test "x$have_pam" = "xyes"; then AC_MSG_RESULT(unknown) fi -elif test "x$have_bsdauth" = "xno"; then +elif test "x$have_bsdauth" != "xyes" -a "x$have_passwd_helper" != "xyes"; then AC_MSG_ERROR("PAM libraries not found") fi AC_SUBST(HAVE_PAM) @@ -776,7 +827,8 @@ echo " systemd: ${use_systemd} ConsoleKit: ${use_console_kit} -" + + Authentication scheme: ${AUTH_SCHEME}" if test "x$have_pam" = "xyes" ; then echo "\ 
@@ -785,3 +837,9 @@ echo "\ " fi +if test "x$have_passwd_helper" = "xyes" ; then +echo "\ + Password helper: ${with_passwd_helper} + +" +fi Index: gnome-screensaver-3.2.1/src/Makefile.am =================================================================== --- gnome-screensaver-3.2.1.orig/src/Makefile.am +++ gnome-screensaver-3.2.1/src/Makefile.am @@ -142,6 +142,12 @@ gnome_screensaver_dialog_SOURCES = \ $(AUTH_SOURCES) \ $(NULL) +EXTRA_gnome_screensaver_dialog_SOURCES = \ + gs-auth-pam.c \ + gs-auth-helper.c \ + gs-auth-bsdauth.c \ + $(NULL) + gnome_screensaver_dialog_LDADD = \ $(GNOME_SCREENSAVER_DIALOG_LIBS)\ $(SAVER_LIBS) \ Index: gnome-screensaver-3.2.1/src/gs-auth-helper.c =================================================================== --- /dev/null +++ gnome-screensaver-3.2.1/src/gs-auth-helper.c 
@@ -0,0 +1,198 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * written by Olaf Kirch <okir@suse.de>
+ * xscreensaver, Copyright (c) 1993-2004 Jamie Zawinski <jwz@jwz.org>
+ *
+ * Permission to use, copy, modify, distribute, and sell this software and its
+ * documentation for any purpose is hereby granted without fee, provided that
+ * the above copyright notice appear in all copies and that both that
+ * copyright notice and this permission notice appear in supporting
+ * documentation. No representations are made about the suitability of this
+ * software for any purpose. It is provided "as is" without express or
+ * implied warranty.
+ */
+
+/* The idea here is to be able to run gnome-screensaver-dialog without any setuid bits.
+ * Password verification happens through an external program that you feed
+ * your password to on stdin. The external command is invoked with a user
+ * name argument.
+ *
+ * The external helper does whatever authentication is necessary. Currently,
+ * SuSE uses "unix2_chkpwd", which is a variation of "unix_chkpwd" from the
+ * PAM distribution.
+ *
+ * Normally, the password helper should just authenticate the calling user
+ * (i.e. based on the caller's real uid). This is in order to prevent
+ * brute-forcing passwords in a shadow environment. A less restrictive
+ * approach would be to allow verifying other passwords as well, but always
+ * with a 2 second delay or so. (Not sure what SuSE's "unix2_chkpwd"
+ * currently does.)
+ * -- Olaf Kirch <okir@suse.de>, 16-Dec-2003
+ */
+
+#include "config.h"
+
+#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
+# include <unistd.h>
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include <pwd.h>
+#include <errno.h>
+#include <sys/wait.h>
+
+#include <glib.h>
+#include <glib/gstdio.h>
+
+#include "gs-auth.h"
+#include "subprocs.h"
+
+static gboolean verbose_enabled = FALSE;
+
+GQuark
+gs_auth_error_quark (void)
+{
+ static GQuark quark = 0;
+ if (! quark) {
+ quark = g_quark_from_static_string ("gs_auth_error");
+ }
+
+ return quark;
+}
+
+void
+gs_auth_set_verbose (gboolean enabled)
+{
+ verbose_enabled = enabled;
+}
+
+gboolean
+gs_auth_get_verbose (void)
+{
+ return verbose_enabled;
+}
+
+static gboolean
+ext_run (const char *user,
+ const char *typed_passwd,
+ gboolean verbose)
+{
+ int pfd[2], status;
+ pid_t pid;
+
+ if (pipe (pfd) < 0) {
+ return 0;
+ }
+
+ if (verbose) {
+ g_message ("ext_run (%s, %s)",
+ PASSWD_HELPER_PROGRAM, user);
+ }
+
+ block_sigchld ();
+
+ if ((pid = fork ()) < 0) {
+ close (pfd [0]);
+ close (pfd [1]);
+ return FALSE;
+ }
+
+ if (pid == 0) {
+ close (pfd [1]);
+ if (pfd [0] != 0) {
+ dup2 (pfd [0], 0);
+ }
+
+ /* Helper is invoked as helper service-name [user] */
+ execlp (PASSWD_HELPER_PROGRAM, PASSWD_HELPER_PROGRAM, "gnome-screensaver", user, NULL);
+ if (verbose) {
+ g_message ("%s: %s", PASSWD_HELPER_PROGRAM, g_strerror (errno));
+ }
+
+ exit (1);
+ }
+
+ close (pfd [0]);
+
+ /* Write out password to helper process */
+ if (!typed_passwd) {
+ typed_passwd = "";
+ }
+ write (pfd [1], typed_passwd, strlen (typed_passwd));
+ close (pfd [1]);
+
+ while (waitpid (pid, &status, 0) < 0) {
+ if (errno == EINTR) {
+ continue;
+ }
+
+ if (verbose) {
+ g_message ("ext_run: waitpid failed: %s\n",
+ g_strerror (errno));
+ }
+
+ unblock_sigchld ();
+ return FALSE;
+ }
+
+ unblock_sigchld ();
+
+ if (! 
WIFEXITED (status) || WEXITSTATUS (status) != 0) {
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+gboolean
+gs_auth_verify_user (const char *username,
+ const char *display,
+ GSAuthMessageFunc func,
+ gpointer data,
+ GError **error)
+{
+ gboolean res = FALSE;
+ char *password;
+
+ password = NULL;
+
+ /* ask for the password for user */
+ if (func != NULL) {
+ func (GS_AUTH_MESSAGE_PROMPT_ECHO_OFF,
+ "Password: ",
+ &password,
+ data);
+ }
+
+ if (password == NULL) {
+ return FALSE;
+ }
+
+ res = ext_run (username, password, gs_auth_get_verbose ());
+
+ return res;
+}
+
+gboolean
+gs_auth_init (void)
+{
+ return TRUE;
+}
+
+gboolean
+gs_auth_priv_init (void)
+{
+ /* Make sure the passwd helper exists */
+ if (g_access (PASSWD_HELPER_PROGRAM, X_OK) < 0) {
+ g_warning ("%s does not exist. "
+ "password authentication via "
+ "external helper will not work.",
+ PASSWD_HELPER_PROGRAM);
+ return FALSE;
+ }
+
+ return TRUE;
+}
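Review bot: In ext_run the fork() failure branch returns after block_sigchld() without undoing it, so SIGCHLD stays blocked in the dialog process; add `unblock_sigchld ();` before that `return FALSE;`. The result of `write (pfd [1], typed_passwd, strlen (typed_passwd));` is ignored, so a short write or EPIPE when the helper exits before reading is not handled (and presumably raises SIGPIPE unless the caller ignores it); check the return value and treat any mismatch as authentication failure. After a failed exec the child should call `_exit (1)` rather than `exit (1)`, so the forked copy does not run the parent's atexit handlers or flush its stdio buffers. In gs_auth_verify_user, `password` is neither wiped nor freed after ext_run and `error` is never set on the failure paths; who owns the buffer is not visible in this hunk, so confirm against the GSAuthMessageFunc contract before adding the cleanup.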