Implement PAM support (and retab! the file)

2009-05-10 12:22:41 +02:00 · 2009-05-10 12:22:41 +02:00 · 715e46b45e
parent ded5d6eed4
commit 715e46b45e
2 changed files with 160 additions and 146 deletions
--- a/config.mk
+++ b/config.mk
@ -13,7 +13,7 @@ MANDIR = $(DESTDIR)$(PREFIX)/share/man

 # includes and libs
 INCS = -I. -I/usr/include -I${X11INC}
-LIBS = -L/usr/lib -lc -lcrypt -L${X11LIB} -lX11
+LIBS = -L/usr/lib -L${X11LIB} -lX11 -lpam

 # flags
 CPPFLAGS = -DVERSION=\"${VERSION}\" -DHAVE_SHADOW_H
--- a/i3lock.c
+++ b/i3lock.c
@ -1,11 +1,22 @@
-/* See LICENSE file for license details. */
+/*
+ * vim:ts=8:expandtab
+ *
+ * i3lock - an improved version of slock
+ *
+ * i3lock © 2009 Michael Stapelberg and contributors
+ * slock  © 2006-2008 Anselm R Garbe
+ *
+ * See file LICENSE for license information.
+ *
+ * Note that on any error (calloc is out of memory for example)
+ * we do not do anything so that the user can fix the error by
+ * himself (kill X to get more free memory or stop some other
+ * program using SSH/console).
+ *
+ */
 #define _XOPEN_SOURCE 500
-#if HAVE_SHADOW_H
-#include <shadow.h>
-#endif

 #include <ctype.h>
-#include <pwd.h>
 #include <stdarg.h>
 #include <stdlib.h>
 #include <stdio.h>
@ -15,14 +26,13 @@
 #include <X11/keysym.h>
 #include <X11/Xlib.h>
 #include <X11/Xutil.h>
+#include <stdbool.h>

-#if HAVE_BSD_AUTH
-#include <login_cap.h>
-#include <bsd_auth.h>
-#endif
+#include <security/pam_appl.h>

-static void
-die(const char *errstr, ...) {
+static char passwd[256];
+
+static void die(const char *errstr, ...) {
        va_list ap;

        va_start(ap, errstr);
@ -31,45 +41,44 @@ die(const char *errstr, ...) {
        exit(EXIT_FAILURE);
 }

-#ifndef HAVE_BSD_AUTH
-static const char *
-get_password() { /* only run as root */
-	const char *rval;
-	struct passwd *pw;
+/*
+ * Callback function for PAM. We only react on password request callbacks.
+ *
+ */
+static int conv_callback(int num_msg, const struct pam_message **msg,
+                         struct pam_response **resp, void *appdata_ptr) {
+        if (num_msg == 0)
+                return 1;

-	if(geteuid() != 0)
-		die("slock: cannot retrieve password entry (make sure to suid slock)\n");
-	pw = getpwuid(getuid());
-	endpwent();
-	rval =  pw->pw_passwd;
-
-#if HAVE_SHADOW_H
-	{
-		struct spwd *sp;
-		sp = getspnam(getenv("USER"));
-		endspent();
-		rval = sp->sp_pwdp;
+        /* PAM expects an arry of responses, one for each message */
+        if ((*resp = calloc(num_msg, sizeof(struct pam_message))) == NULL) {
+                perror("calloc");
+                return 1;
        }
-#endif

-	/* drop privileges */
-	if(setgid(pw->pw_gid) < 0 || setuid(pw->pw_uid) < 0)
-		die("slock: cannot drop privileges\n");
-	return rval;
+        for (int c = 0; c < num_msg; c++) {
+                if (msg[c]->msg_style != PAM_PROMPT_ECHO_OFF &&
+                    msg[c]->msg_style != PAM_PROMPT_ECHO_ON)
+                        continue;
+
+                /* return code is currently not used but should be set to zero */
+                resp[c]->resp_retcode = 0;
+                if ((resp[c]->resp = strdup(passwd)) == NULL) {
+                        perror("strdup");
+                        return 1;
+                }
+        }
+
+        return 0;
 }
-#endif

-int
-main(int argc, char **argv) {
+int main(int argc, char *argv[]) {
        char curs[] = {0, 0, 0, 0, 0, 0, 0, 0};
-	char buf[32], passwd[256];
+        char buf[32];
        int num, screen;

-#ifndef HAVE_BSD_AUTH
-	const char *pws;
-#endif
        unsigned int len;
-	Bool running = True;
+        bool running = true;
        Cursor invisible;
        Display *dpy;
        KeySym ksym;
@ -79,15 +88,22 @@ main(int argc, char **argv) {
        XEvent ev;
        XSetWindowAttributes wa;

+        /* TODO: use getopt */
        if((argc == 2) && !strcmp("-v", argv[1]))
                die("i3lock-"VERSION", © 2009 Michael Stapelberg\n"
                    "based on slock, which is © 2006-2008 Anselm R Garbe\n");
        else if(argc != 1)
-		die("usage: slock [-v]\n");
+                die("usage: i3lock [-v]\n");

-#ifndef HAVE_BSD_AUTH
-	pws = get_password();
-#endif
+        pam_handle_t *handle;
+
+        struct pam_conv conv;
+        conv.conv = conv_callback;
+
+        int ret = pam_start("i3lock", getenv("USER"), &conv, &handle);
+        printf("pam_start = %d\n", ret);
+        if (ret != PAM_SUCCESS)
+                die("error = %s\n", pam_strerror(handle, ret));

        if(!(dpy = XOpenDisplay(0)))
                die("slock: cannot open display\n");
@ -144,19 +160,17 @@ main(int argc, char **argv) {
                        switch(ksym) {
                        case XK_Return:
                                passwd[len] = 0;
-#ifdef HAVE_BSD_AUTH
-				running = !auth_userokay(getlogin(), NULL, "auth-xlock", passwd);
-#else
-				running = strcmp(crypt(passwd, pws), pws);
-#endif
+                                if ((ret = pam_authenticate(handle, 0)) == PAM_SUCCESS)
+                                        running = false;
+                                else fprintf(stderr, "PAM: %s\n", pam_strerror(handle, ret));
                                len = 0;
                                break;
                        case XK_Escape:
                                len = 0;
                                break;
                        case XK_BackSpace:
-				if(len)
-					--len;
+                                if (len > 0)
+                                        len--;
                                break;
                        default:
                                if(num && !iscntrl((int) buf[0]) && (len + num < sizeof passwd)) {