authorRobert Nagy <[email protected]>2017-03-28 20:31:42 +0200
committermonsta <[email protected]>2017-04-18 21:30:24 +0300
commit5f70d320a0d3d1fef0bc6b7b77ef2a7c2923b990 (patch)
treea72e9ff665cdaf39ea183c08965663a9cf5aa1c7 /src
parentf2567e0fe617c8cfd88bd6fd9dfe2505f497654f (diff)
Implement OpenBSD authentication using bsd_auth(3).
OpenBSD neither has nor uses pam(8) for password authentication; it uses bsd_auth(3) instead. Add a bsd_auth authentication scheme to make locking possible. This was already part of gnome-screensaver but was probably removed at some point. This code is mostly identical to that code, with some minor modifications.
Diffstat (limited to 'src')
-rw-r--r--src/Makefile.am10
-rw-r--r--src/gs-auth-bsdauth.c103
-rw-r--r--src/gs-auth-pwent.c8
-rw-r--r--src/setuid.c9
4 files changed, 123 insertions, 7 deletions
diff --git a/src/Makefile.am b/src/Makefile.am
index 298382d..9b32abf 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -256,9 +256,13 @@ install-exec-hook:
@if [ "x@NEED_SETUID@" = "xyes" ]; then \
echo "***" ; \
echo "*** Warning: mate-screensaver has been compiled with support for" ; \
- echo "*** shadow passwords. If your system actually uses shadow" ; \
- echo "*** passwords then it must be installed as a setuid root" ; \
- echo "*** program in order for locking to work. To do this, you" ; \
+ if [ "x@AUTH_SCHEME@" = "xbsdauth" ]; then \
+ echo "*** bsd_auth(3) and must be installed as a setuid root" ; \
+ else \
+ echo "*** shadow passwords. If your system actually uses shadow" ; \
+ echo "*** passwords then it must be installed as a setuid root" ; \
+ fi; \
+ echo "*** program in order for locking to work. To do this, you" ; \
echo "*** must run:" ; \
echo "***" ; \
echo "*** chown root $(DESTDIR)$(libexecdir)/mate-screensaver-dialog" ; \
diff --git a/src/gs-auth-bsdauth.c b/src/gs-auth-bsdauth.c
new file mode 100644
index 0000000..3463974
--- /dev/null
+++ b/src/gs-auth-bsdauth.c
@@ -0,0 +1,103 @@
+/*
+ * gs-auth-bsdauth.c --- verifying typed passwords with bsd_auth(3)
+ *
+ * Copyright (c) 1993-1998 Jamie Zawinski <[email protected]>
+ * Copyright (C) 2006 William Jon McCann <[email protected]>
+ * Copyright (c) 2009 Antoine Jacoutot <[email protected]>
+ * Copyright (c) 2017 Robert Nagy <[email protected]>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#include <pwd.h>
+#include <sys/types.h>
+
+#include <login_cap.h>
+#include <bsd_auth.h>
+
+#include "gs-auth.h"
+#include "subprocs.h"
+
+static gboolean verbose_enabled = FALSE;
+
+GQuark
+gs_auth_error_quark (void)
+{
+ static GQuark quark = 0;
+ if (! quark) {
+ quark = g_quark_from_static_string ("gs_auth_error");
+ }
+
+ return quark;
+}
+
+void
+gs_auth_set_verbose (gboolean enabled)
+{
+ verbose_enabled = enabled;
+}
+
+gboolean
+gs_auth_get_verbose (void)
+{
+ return verbose_enabled;
+}
+
+gboolean
+gs_auth_verify_user (const char *username,
+ const char *display,
+ GSAuthMessageFunc func,
+ gpointer data,
+ GError **error)
+{
+ int res;
+ char *password;
+
+ /* ask for the password for user */
+ if (func != NULL) {
+ func (GS_AUTH_MESSAGE_PROMPT_ECHO_OFF,
+ "Password: ",
+ &password,
+ data);
+ }
+
+ if (password == NULL) {
+ return FALSE;
+ }
+
+ /* authenticate */
+ res = auth_userokay((char *)username, NULL, "auth-mate-screensaver", password);
+
+ return res;
+}
+
+gboolean
+gs_auth_init (void)
+{
+ return TRUE;
+}
+
+gboolean
+gs_auth_priv_init (void)
+{
+ return TRUE;
+}
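Review bot: In gs_auth_verify_user, `password` is declared without an initializer, so when `func` is NULL the `password == NULL` test reads an indeterminate pointer, and the same applies if the callback returns without storing through `&password`; declare it as `char *password = NULL;`. The callback's return value is ignored and `error` is never set on either failure path, so a caller that reports through the GError gets no reason for the rejection; a `g_set_error` on failed authentication would match what the signature promises. The buffer handed back through `&password` is never released after `auth_userokay`; if the callback allocates it (not visible in this file), it should be freed, and wiped first unless bsd_auth is confirmed to clear it. Since `auth_userokay` returns an int and the function is declared gboolean, `return res != 0;` states the success test explicitly.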
diff --git a/src/gs-auth-pwent.c b/src/gs-auth-pwent.c
index 0b253c6..a0c1d80 100644
--- a/src/gs-auth-pwent.c
+++ b/src/gs-auth-pwent.c
@@ -171,10 +171,10 @@ get_encrypted_passwd (const char *user)
}
}
-#ifndef HAVE_PAM
- /* We only issue this warning if not compiled with support for PAM.
- If we're using PAM, it's not unheard of that normal pwent passwords
- would be unavailable. */
+#if !defined(HAVE_PAM) && !defined(HAVE_BSDAUTH)
+ /* We only issue this warning if not compiled with support for PAM,
+ or bsd_auth(3). If we're using PAM, it's not unheard of that
+ normal pwent passwords would be unavailable. */
if (!result)
{
diff --git a/src/setuid.c b/src/setuid.c
index 80e4659..0a065d9 100644
--- a/src/setuid.c
+++ b/src/setuid.c
@@ -209,6 +209,15 @@ hack_uid (char **nolock_reason,
if (uid != euid || gid != egid)
{
+#ifdef HAVE_BSDAUTH /* we need to setgid auth to run the bsd_auth(3) login_* helpers */
+ struct group *authg = getgrnam("auth");
+ if (!authg || !authg->gr_name || !*authg->gr_name) {
+ reason = g_strdup ("no such group as \"auth\" for bsdauth.");
+ ret = FALSE;
+ goto out;
+ }
+ gid = authg->gr_gid;
+#endif /* !HAVE_BSDAUTH */
if (! set_ids_by_number (uid, gid, uid_message))
{
reason = g_strdup ("unable to discard privileges.");
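Review bot: Overwriting `gid` with the id of group `auth` before `set_ids_by_number (uid, gid, uid_message)` presumably leaves the process in that group for the rest of its lifetime instead of returning to the caller's real gid, so everything the dialog does afterwards, not just the bsd_auth call, runs with that group's access. That trade-off deserves a comment at the assignment, for example `/* keep gid auth: the login_* helpers are only executable by that group; root is still dropped below */`, and a check that `set_ids_by_number` also resets the supplementary groups. The closing `#endif /* !HAVE_BSDAUTH */` mislabels the `#ifdef HAVE_BSDAUTH` it ends and should read `#endif /* HAVE_BSDAUTH */`. `getgrnam` needs `<grp.h>`, which this hunk does not add; confirm that the file already includes it. hack_uid starts and ends outside the hunk, so the `out:` label and the later use of `reason` could not be checked here.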