-rw-r--r-- | config.def.h | 4 | ||||
-rw-r--r-- | config.mk | 2 | ||||
-rw-r--r-- | slock.c | 30 |
3 files changed, 30 insertions, 6 deletions
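--- a/config.def.h
+++ b/config.def.h
@@ -1,3 +1,7 @@
+/* user and group to drop privileges to */
+static const char *user = "nobody";
+static const char *group = "nogroup";
+
 static const char *colorname[NUMCOLS] = {
 "black", /* after initialization */
 "#005577", /* during input */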
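Review bot: The new comment above `user` and `group` does not say that both names must exist on the target system, although slock.c resolves them with getpwnam()/getgrnam() at startup and exits if either lookup fails. The name of the unprivileged group differs between systems (some ship a `nobody` group rather than `nogroup`), so someone hitting `group entry not found` gets no hint in this file. I would extend the comment to `/* user and group to drop privileges to; both must exist in the passwd and group databases, otherwise slock refuses to start */`.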
@@ -15,7 +15,7 @@ INCS = -I. -I/usr/include -I${X11INC} | |||
15 | LIBS = -L/usr/lib -lc -lcrypt -L${X11LIB} -lX11 -lXext -lXrandr | 15 | LIBS = -L/usr/lib -lc -lcrypt -L${X11LIB} -lX11 -lXext -lXrandr |
16 | 16 | ||
17 | # flags | 17 | # flags |
18 | CPPFLAGS = -DVERSION=\"${VERSION}\" -DHAVE_SHADOW_H | 18 | CPPFLAGS = -DVERSION=\"${VERSION}\" -D_DEFAULT_SOURCE -DHAVE_SHADOW_H |
19 | CFLAGS = -std=c99 -pedantic -Wall -Os ${INCS} ${CPPFLAGS} | 19 | CFLAGS = -std=c99 -pedantic -Wall -Os ${INCS} ${CPPFLAGS} |
20 | LDFLAGS = -s ${LIBS} | 20 | LDFLAGS = -s ${LIBS} |
21 | COMPATSRC = explicit_bzero.c | 21 | COMPATSRC = explicit_bzero.c |
@@ -6,6 +6,7 @@ | |||
6 | 6 | ||
7 | #include <ctype.h> | 7 | #include <ctype.h> |
8 | #include <errno.h> | 8 | #include <errno.h> |
9 | #include <grp.h> | ||
9 | #include <pwd.h> | 10 | #include <pwd.h> |
10 | #include <stdarg.h> | 11 | #include <stdarg.h> |
11 | #include <stdlib.h> | 12 | #include <stdlib.h> |
@@ -83,7 +84,6 @@ dontkillme(void) | |||
83 | } | 84 | } |
84 | #endif | 85 | #endif |
85 | 86 | ||
86 | /* only run as root */ | ||
87 | static const char * | 87 | static const char * |
88 | getpw(void) | 88 | getpw(void) |
89 | { | 89 | { |
@@ -119,10 +119,6 @@ getpw(void) | |||
119 | } | 119 | } |
120 | #endif /* HAVE_SHADOW_H */ | 120 | #endif /* HAVE_SHADOW_H */ |
121 | 121 | ||
122 | /* drop privileges */ | ||
123 | if (geteuid() == 0 && | ||
124 | ((getegid() != pw->pw_gid && setgid(pw->pw_gid) < 0) || setuid(pw->pw_uid) < 0)) | ||
125 | die("slock: cannot drop privileges\n"); | ||
126 | return rval; | 122 | return rval; |
127 | } | 123 | } |
128 | 124 | ||
@@ -316,6 +312,10 @@ usage(void) | |||
316 | 312 | ||
317 | int | 313 | int |
318 | main(int argc, char **argv) { | 314 | main(int argc, char **argv) { |
315 | struct passwd *pwd; | ||
316 | struct group *grp; | ||
317 | uid_t duid; | ||
318 | gid_t dgid; | ||
319 | const char *pws; | 319 | const char *pws; |
320 | Display *dpy; | 320 | Display *dpy; |
321 | int s, nlocks; | 321 | int s, nlocks; |
@@ -328,6 +328,18 @@ main(int argc, char **argv) { | |||
328 | usage(); | 328 | usage(); |
329 | } ARGEND | 329 | } ARGEND |
330 | 330 | ||
331 | /* validate drop-user and -group */ | ||
332 | errno = 0; | ||
333 | if (!(pwd = getpwnam(user))) | ||
334 | die("slock: getpwnam %s: %s\n", user, errno ? | ||
335 | strerror(errno) : "user entry not found"); | ||
336 | duid = pwd->pw_uid; | ||
337 | errno = 0; | ||
338 | if (!(grp = getgrnam(group))) | ||
339 | die("slock: getgrnam %s: %s\n", group, errno ? | ||
340 | strerror(errno) : "group entry not found"); | ||
341 | dgid = grp->gr_gid; | ||
342 | |||
331 | #ifdef __linux__ | 343 | #ifdef __linux__ |
332 | dontkillme(); | 344 | dontkillme(); |
333 | #endif | 345 | #endif |
@@ -339,6 +351,14 @@ main(int argc, char **argv) { | |||
339 | if (!(dpy = XOpenDisplay(NULL))) | 351 | if (!(dpy = XOpenDisplay(NULL))) |
340 | die("slock: cannot open display\n"); | 352 | die("slock: cannot open display\n"); |
341 | 353 | ||
354 | /* drop privileges */ | ||
355 | if (setgroups(0, NULL) < 0) | ||
356 | die("slock: setgroups: %s\n", strerror(errno)); | ||
357 | if (setgid(dgid) < 0) | ||
358 | die("slock: setgid: %s\n", strerror(errno)); | ||
359 | if (setuid(duid) < 0) | ||
360 | die("slock: setuid: %s\n", strerror(errno)); | ||
361 | |||
342 | /* check for Xrandr support */ | 362 | /* check for Xrandr support */ |
343 | rr = XRRQueryExtension(dpy, &rrevbase, &rrerrbase); | 363 | rr = XRRQueryExtension(dpy, &rrevbase, &rrerrbase); |
344 | 364 | ||
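Review bot: In the last hunk of main(), `XOpenDisplay(NULL)` runs before the new `setgroups`/`setgid`/`setuid` sequence, so Xlib's connection setup executes with whatever elevated euid slock was started with, and it takes the display name and authority-file location from the caller's environment. If the ordering is deliberate (presumably the unprivileged `user` could not read the caller's X authority data after the drop), state that above the call, e.g. `/* open the display while still privileged: the drop user cannot read the caller's Xauthority; privileges are dropped right after */`. The drop is also unconditional now, unlike the removed `geteuid() == 0` guard in getpw(), so a non-root start dies at `setgroups`; that fails closed, but the deleted `/* only run as root */` comment was the visible statement of that requirement and nothing in these hunks replaces it. As defence in depth, and assuming the configured user is never uid 0, the drop could be confirmed irreversible right after `setuid(duid)` with `if (setuid(0) != -1) die("slock: privileges were not dropped\n");`. main() starts and continues outside the hunks shown, so the code between the validation block and `XOpenDisplay` could not be reviewed here.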