aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--config.def.h4
-rw-r--r--config.mk2
-rw-r--r--slock.c30
3 files changed, 30 insertions, 6 deletions
diff --git a/config.def.h b/config.def.h
index eae2d9a..6fba2b6 100644
--- a/config.def.h
+++ b/config.def.h
@@ -1,3 +1,7 @@
1/* user and group to drop privileges to */
2static const char *user = "nobody";
3static const char *group = "nogroup";
4
1static const char *colorname[NUMCOLS] = { 5static const char *colorname[NUMCOLS] = {
2 "black", /* after initialization */ 6 "black", /* after initialization */
3 "#005577", /* during input */ 7 "#005577", /* during input */
diff --git a/config.mk b/config.mk
index 049305c..11357a7 100644
--- a/config.mk
+++ b/config.mk
@@ -15,7 +15,7 @@ INCS = -I. -I/usr/include -I${X11INC}
15LIBS = -L/usr/lib -lc -lcrypt -L${X11LIB} -lX11 -lXext -lXrandr 15LIBS = -L/usr/lib -lc -lcrypt -L${X11LIB} -lX11 -lXext -lXrandr
16 16
17# flags 17# flags
18CPPFLAGS = -DVERSION=\"${VERSION}\" -DHAVE_SHADOW_H 18CPPFLAGS = -DVERSION=\"${VERSION}\" -D_DEFAULT_SOURCE -DHAVE_SHADOW_H
19CFLAGS = -std=c99 -pedantic -Wall -Os ${INCS} ${CPPFLAGS} 19CFLAGS = -std=c99 -pedantic -Wall -Os ${INCS} ${CPPFLAGS}
20LDFLAGS = -s ${LIBS} 20LDFLAGS = -s ${LIBS}
21COMPATSRC = explicit_bzero.c 21COMPATSRC = explicit_bzero.c
diff --git a/slock.c b/slock.c
index da4b099..7127ebe 100644
--- a/slock.c
+++ b/slock.c
@@ -6,6 +6,7 @@
6 6
7#include <ctype.h> 7#include <ctype.h>
8#include <errno.h> 8#include <errno.h>
9#include <grp.h>
9#include <pwd.h> 10#include <pwd.h>
10#include <stdarg.h> 11#include <stdarg.h>
11#include <stdlib.h> 12#include <stdlib.h>
@@ -83,7 +84,6 @@ dontkillme(void)
83} 84}
84#endif 85#endif
85 86
86/* only run as root */
87static const char * 87static const char *
88getpw(void) 88getpw(void)
89{ 89{
@@ -119,10 +119,6 @@ getpw(void)
119 } 119 }
120#endif /* HAVE_SHADOW_H */ 120#endif /* HAVE_SHADOW_H */
121 121
122 /* drop privileges */
123 if (geteuid() == 0 &&
124 ((getegid() != pw->pw_gid && setgid(pw->pw_gid) < 0) || setuid(pw->pw_uid) < 0))
125 die("slock: cannot drop privileges\n");
126 return rval; 122 return rval;
127} 123}
128 124
@@ -316,6 +312,10 @@ usage(void)
316 312
317int 313int
318main(int argc, char **argv) { 314main(int argc, char **argv) {
315 struct passwd *pwd;
316 struct group *grp;
317 uid_t duid;
318 gid_t dgid;
319 const char *pws; 319 const char *pws;
320 Display *dpy; 320 Display *dpy;
321 int s, nlocks; 321 int s, nlocks;
@@ -328,6 +328,18 @@ main(int argc, char **argv) {
328 usage(); 328 usage();
329 } ARGEND 329 } ARGEND
330 330
331 /* validate drop-user and -group */
332 errno = 0;
333 if (!(pwd = getpwnam(user)))
334 die("slock: getpwnam %s: %s\n", user, errno ?
335 strerror(errno) : "user entry not found");
336 duid = pwd->pw_uid;
337 errno = 0;
338 if (!(grp = getgrnam(group)))
339 die("slock: getgrnam %s: %s\n", group, errno ?
340 strerror(errno) : "group entry not found");
341 dgid = grp->gr_gid;
342
331#ifdef __linux__ 343#ifdef __linux__
332 dontkillme(); 344 dontkillme();
333#endif 345#endif
@@ -339,6 +351,14 @@ main(int argc, char **argv) {
339 if (!(dpy = XOpenDisplay(NULL))) 351 if (!(dpy = XOpenDisplay(NULL)))
340 die("slock: cannot open display\n"); 352 die("slock: cannot open display\n");
341 353
354 /* drop privileges */
355 if (setgroups(0, NULL) < 0)
356 die("slock: setgroups: %s\n", strerror(errno));
357 if (setgid(dgid) < 0)
358 die("slock: setgid: %s\n", strerror(errno));
359 if (setuid(duid) < 0)
360 die("slock: setuid: %s\n", strerror(errno));
361
342 /* check for Xrandr support */ 362 /* check for Xrandr support */
343 rr = XRRQueryExtension(dpy, &rrevbase, &rrerrbase); 363 rr = XRRQueryExtension(dpy, &rrevbase, &rrerrbase);
344 364