On Thu, May 21, 2020 at 11:58:37AM +0100, Stuart Henderson wrote:
> I've written a patch to add bsd-auth support back to slock 1.4 which
> I've been using for a while. Tidied the make variable handling a bit
> as well, no need to patch to use ?=, they can just be overridden with
> MAKE_FLAGS. OK?
I would prefer if this used the libc version of explicit_bzero instead
of the local copy. For this, set COMPATSRC to empty in compat.mk (why do
you add a COPTFLAGS=-Os via a patch?).
While the updated slock seems to work fine from the command line, it
doesn't lock at all if I use it from an i3 binding. I have been using
bindsym $mod+Mod1+l exec "slock"
in my ~/.i3/config for many years without issue, but this breaks with
this update. In my xsession-errors I see:
slock: unable to grab mouse pointer for screen 0
slock: unable to grab keyboard for screen 0
I haven't looked more closely into why this happens, but I would
appreciate a workaround for this so I can keep a binding for the lock.
Out of curiosity: what prompted this update?
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/x11/slock/Makefile,v
> retrieving revision 1.17
> diff -u -p -r1.17 Makefile
> --- Makefile 12 Jul 2019 20:51:21 -0000 1.17
> +++ Makefile 21 May 2020 10:58:17 -0000
> @@ -2,9 +2,7 @@
>
> COMMENT= simple X screen locker
>
> -# slock-1.4 drops bsd-auth support; CVE-2016-6866 doesn't affect
> HAVE_BSD_AUTH
> -DISTNAME= slock-1.3
> -REVISION= 1
> +DISTNAME= slock-1.4
>
> CATEGORIES= x11
>
> @@ -19,9 +17,11 @@ WANTLIB= X11 c Xext Xrandr
>
> MASTER_SITES= http://dl.suckless.org/tools/
>
> -MAKE_ENV= CC="${CC}" \
> - LDFLAGS="${LDFLAGS}"
> -FAKE_FLAGS= DESTDIR=""
> +MAKE_FLAGS= CC="${CC}" \
> + COPTFLAGS="${CFLAGS}" \
> + MANPREFIX=${PREFIX}/man \
> + X11INC=${X11BASE}/include \
> + X11LIB=${X11BASE}/lib
>
> NO_TEST= Yes
>
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/x11/slock/distinfo,v
> retrieving revision 1.10
> diff -u -p -r1.10 distinfo
> --- distinfo 5 Mar 2016 19:17:01 -0000 1.10
> +++ distinfo 21 May 2020 10:58:17 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (slock-1.3.tar.gz) = urSjrqQEaqD9A2HDZJt5uQylMbxd+uPEpsD+Q2FSvRg=
> -SIZE (slock-1.3.tar.gz) = 5943
> +SHA256 (slock-1.4.tar.gz) = tThJ28YBCamH16SbjaGXMFwpMH/XTBLcGK8NMEQ5Lmo=
> +SIZE (slock-1.4.tar.gz) = 6889
> Index: patches/patch-Makefile
> ===================================================================
> RCS file: /cvs/ports/x11/slock/patches/patch-Makefile,v
> retrieving revision 1.5
> diff -u -p -r1.5 patch-Makefile
> --- patches/patch-Makefile 5 Mar 2016 19:17:01 -0000 1.5
> +++ patches/patch-Makefile 21 May 2020 10:58:17 -0000
> @@ -1,6 +1,8 @@
> -$OpenBSD: patch-Makefile,v 1.5 2016/03/05 19:17:01 jung Exp $
> ---- Makefile.orig Fri Feb 12 20:29:02 2016
> -+++ Makefile Fri Feb 26 21:06:04 2016
> +$OpenBSD$
> +
> +Index: Makefile
> +--- Makefile.orig
> ++++ Makefile
> @@ -15,8 +15,7 @@ options:
> @echo "CC = ${CC}"
>
> @@ -9,7 +11,7 @@ $OpenBSD: patch-Makefile,v 1.5 2016/03/0
> - @${CC} -c ${CFLAGS} $<
> + ${CC} -c ${CFLAGS} $<
>
> - ${OBJ}: config.h config.mk
> + ${OBJ}: config.h config.mk arg.h util.h
>
> @@ -25,8 +24,7 @@ config.h:
> @cp config.def.h $@
> Index: patches/patch-config_def_h
> ===================================================================
> RCS file: patches/patch-config_def_h
> diff -N patches/patch-config_def_h
> --- patches/patch-config_def_h 5 Mar 2016 19:17:01 -0000 1.2
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,11 +0,0 @@
> -$OpenBSD: patch-config_def_h,v 1.2 2016/03/05 19:17:01 jung Exp $
> ---- config.def.h.orig Fri Feb 12 20:29:02 2016
> -+++ config.def.h Fri Feb 26 20:57:47 2016
> -@@ -1,6 +1,6 @@
> - static const char *colorname[NUMCOLS] = {
> - "black", /* after initialization */
> -- "#005577", /* during input */
> -+ "#404040", /* during input */
> - "#CC3333", /* failed/cleared the input */
> - };
> - static const Bool failonclear = True;
> Index: patches/patch-config_mk
> ===================================================================
> RCS file: /cvs/ports/x11/slock/patches/patch-config_mk,v
> retrieving revision 1.9
> diff -u -p -r1.9 patch-config_mk
> --- patches/patch-config_mk 13 Aug 2016 14:00:00 -0000 1.9
> +++ patches/patch-config_mk 21 May 2020 10:58:17 -0000
> @@ -1,44 +1,23 @@
> -$OpenBSD: patch-config_mk,v 1.9 2016/08/13 14:00:00 tb Exp $
> ---- config.mk.orig Fri Feb 12 20:29:02 2016
> -+++ config.mk Sat Aug 13 15:38:13 2016
> -@@ -4,28 +4,28 @@ VERSION = 1.3
> - # Customize below to fit your system
> -
> - # paths
> --PREFIX = /usr/local
> --MANPREFIX = ${PREFIX}/share/man
> -+PREFIX ?= /usr/local
> -+MANPREFIX = ${PREFIX}/man
> -
> --X11INC = /usr/X11R6/include
> --X11LIB = /usr/X11R6/lib
> -+X11INC = ${X11BASE}/include
> -+X11LIB = ${X11BASE}/lib
> +$OpenBSD$
> +
> +Index: config.mk
> +--- config.mk.orig
> ++++ config.mk
> +@@ -12,12 +12,13 @@ X11LIB = /usr/X11R6/lib
>
> # includes and libs
> --INCS = -I. -I/usr/include -I${X11INC}
> + INCS = -I. -I/usr/include -I${X11INC}
> -LIBS = -L/usr/lib -lc -lcrypt -L${X11LIB} -lX11 -lXext -lXrandr
> -+INCS = -I${X11INC}
> -+LIBS = -L${X11LIB} -lX11 -lXext -lXrandr
> ++LIBS = -L/usr/lib -L${X11LIB} -lX11 -lXext -lXrandr
>
> # flags
> --CPPFLAGS = -DVERSION=\"${VERSION}\" -DHAVE_SHADOW_H
> +-CPPFLAGS = -DVERSION=\"${VERSION}\" -D_DEFAULT_SOURCE -DHAVE_SHADOW_H
> -CFLAGS = -std=c99 -pedantic -Wall -Os ${INCS} ${CPPFLAGS}
> -LDFLAGS = -s ${LIBS}
> -+CPPFLAGS += -DVERSION=\"${VERSION}\" -DHAVE_BSD_AUTH -D_BSD_SOURCE
> -+CFLAGS += -std=c99 -pedantic -Wall ${INCS} ${CPPFLAGS}
> -+LDFLAGS += ${LIBS}
> ++COPTFLAGS = -Os
> ++CPPFLAGS = -DVERSION=\"${VERSION}\" -D_DEFAULT_SOURCE -DHAVE_BSD_AUTH
> -D_BSD_SOURCE
> ++CFLAGS = -std=c99 -pedantic -Wall ${INCS} ${CPPFLAGS} ${COPTFLAGS}
> ++LDFLAGS = ${LIBS}
> + COMPATSRC = explicit_bzero.c
>
> - # On *BSD remove -DHAVE_SHADOW_H from CPPFLAGS and add -DHAVE_BSD_AUTH
> # On OpenBSD and Darwin remove -lcrypt from LIBS
> -
> - # compiler and linker
> --CC = cc
> -+CC ?= cc
> -
> - # Install mode. On BSD systems MODE=2755 and GROUP=auth
> - # On others MODE=4755 and GROUP=root
> --#MODE=2755
> --#GROUP=auth
> -+MODE=2755
> -+GROUP=auth
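Review bot: The `MODE=2755` and `GROUP=auth` assignments at the end of this hunk are dropped from the config.mk patch, yet the new patch-slock_c comment says the bsd-auth build "requires gid auth from the setgid bit", and nothing visible in this diff sets the owner or mode of the installed binary. Because the HAVE_BSD_AUTH build also compiles out the `setgroups`/`setgid`/`setuid` block, whatever privilege the install step grants is held for the whole run, so a binary that ended up setuid would never give it up. The upstream install target is not visible here, so I would confirm the package installs slock setgid `auth` and not setuid. A comment where the mode is set would record that, e.g. `# bsd-auth needs gid auth only; must not be installed setuid`.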
> Index: patches/patch-slock_c
> ===================================================================
> RCS file: /cvs/ports/x11/slock/patches/patch-slock_c,v
> retrieving revision 1.3
> diff -u -p -r1.3 patch-slock_c
> --- patches/patch-slock_c 13 Aug 2016 14:00:00 -0000 1.3
> +++ patches/patch-slock_c 21 May 2020 10:58:17 -0000
> @@ -1,33 +1,119 @@
> -$OpenBSD: patch-slock_c,v 1.3 2016/08/13 14:00:00 tb Exp $
> ---- slock.c.orig Fri Feb 12 20:29:02 2016
> -+++ slock.c Sat Aug 13 15:37:49 2016
> -@@ -47,7 +47,7 @@ static Bool rr;
> - static int rrevbase;
> - static int rrerrbase;
> -
> --static void
> -+static void __attribute__((__noreturn__, __format__(printf, 1, 2)))
> - die(const char *errstr, ...)
> +$OpenBSD$
> +
> +Add back bsd-auth support, removed in 04143fd68dbc
> +
> +Index: slock.c
> +--- slock.c.orig
> ++++ slock.c
> +@@ -19,6 +19,11 @@
> + #include <X11/Xlib.h>
> + #include <X11/Xutil.h>
> +
> ++#if HAVE_BSD_AUTH
> ++#include <login_cap.h>
> ++#include <bsd_auth.h>
> ++#endif
> ++
> + #include "arg.h"
> + #include "util.h"
> +
> +@@ -83,6 +88,7 @@ dontkillme(void)
> + }
> + #endif
> +
> ++#ifndef HAVE_BSD_AUTH
> + static const char *
> + gethash(void)
> {
> - va_list ap;
> -@@ -172,10 +172,12 @@ readpw(Display *dpy, const char *pws)
> - break;
> - case XK_Escape:
> - len = 0;
> -+ explicit_bzero(passwd, sizeof(passwd));
> - break;
> - case XK_BackSpace:
> - if (len)
> - --len;
> -+ explicit_bzero(passwd + len, 1);
> - break;
> - default:
> - if (num && !iscntrl((int)buf[0]) && (len + num
> < sizeof(passwd))) {
> -@@ -185,6 +187,7 @@ readpw(Display *dpy, const char *pws)
> - break;
> - }
> - color = len ? INPUT : (failure || failonclear ? FAILED
> : INIT);
> -+ explicit_bzero(buf, sizeof(buf));
> - if (running && oldc != color) {
> - for (screen = 0; screen < nscreens; screen++) {
> - XSetWindowBackground(dpy,
> locks[screen]->win, locks[screen]->colors[color]);
> +@@ -123,13 +129,21 @@ gethash(void)
> +
> + return hash;
> + }
> ++#endif /* HAVE_BSD_AUTH */
> +
> + static void
> ++#ifdef HAVE_BSD_AUTH
> ++readpw(Display *dpy, struct xrandr *rr, struct lock **locks, int nscreens)
> ++#else
> + readpw(Display *dpy, struct xrandr *rr, struct lock **locks, int nscreens,
> + const char *hash)
> ++#endif
> + {
> + XRRScreenChangeNotifyEvent *rre;
> +- char buf[32], passwd[256], *inputhash;
> ++ char buf[32], passwd[256];
> ++#ifndef HAVE_BSD_AUTH
> ++ char *inputhash;
> ++#endif
> + int num, screen, running, failure, oldc;
> + unsigned int len, color;
> + KeySym ksym;
> +@@ -160,10 +174,14 @@ readpw(Display *dpy, struct xrandr *rr, struct lock **
> + case XK_Return:
> + passwd[len] = '\0';
> + errno = 0;
> ++#ifdef HAVE_BSD_AUTH
> ++ running = !auth_userokay(getlogin(), NULL,
> "auth-slock", passwd);
> ++#else
> + if (!(inputhash = crypt(passwd, hash)))
> + fprintf(stderr, "slock: crypt: %s\n",
> strerror(errno));
> + else
> + running = !!strcmp(inputhash, hash);
> ++#endif
> + if (running) {
> + XBell(dpy, 100);
> + failure = 1;
> +@@ -303,7 +321,9 @@ main(int argc, char **argv) {
> + struct group *grp;
> + uid_t duid;
> + gid_t dgid;
> ++#ifndef HAVE_BSD_AUTH
> + const char *hash;
> ++#endif
> + Display *dpy;
> + int s, nlocks, nscreens;
> +
> +@@ -331,14 +351,23 @@ main(int argc, char **argv) {
> + dontkillme();
> + #endif
> +
> ++#ifndef HAVE_BSD_AUTH
> + hash = gethash();
> + errno = 0;
> + if (!crypt("", hash))
> + die("slock: crypt: %s\n", strerror(errno));
> ++#endif
> +
> + if (!(dpy = XOpenDisplay(NULL)))
> + die("slock: cannot open display\n");
> +
> ++/*
> ++ * don't drop groups for bsd-auth, slock runs as the user's normal
> ++ * uid, and requires gid auth from the setgid bit. (without bsd-auth
> ++ * slock needs to start with uid root or gid _shadow to read spwd.db,
> ++ * and is unable to use non-password methods)
> ++ */
> ++#ifndef HAVE_BSD_AUTH
> + /* drop privileges */
> + if (setgroups(0, NULL) < 0)
> + die("slock: setgroups: %s\n", strerror(errno));
> +@@ -346,6 +375,7 @@ main(int argc, char **argv) {
> + die("slock: setgid: %s\n", strerror(errno));
> + if (setuid(duid) < 0)
> + die("slock: setuid: %s\n", strerror(errno));
> ++#endif
> +
> + /* check for Xrandr support */
> + rr.active = XRRQueryExtension(dpy, &rr.evbase, &rr.errbase);
> +@@ -381,7 +411,11 @@ main(int argc, char **argv) {
> + }
> +
> + /* everything is now blank. Wait for the correct password */
> ++#ifdef HAVE_BSD_AUTH
> ++ readpw(dpy, &rr, locks, nscreens);
> ++#else
> + readpw(dpy, &rr, locks, nscreens, hash);
> ++#endif
> +
> + return 0;
> + }
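Review bot: In the `XK_Return` branch the new call `auth_userokay(getlogin(), NULL, "auth-slock", passwd)` uses the result of `getlogin()` unchecked; it can return NULL, and the session login name need not be the account that owns the process. Resolving the name once in `main` before the screen is locked, for example from `getpwuid(getuid())`, and calling `die()` when the lookup fails would presumably avoid a locked screen that no password can release. Separately, the include guard is written `#if HAVE_BSD_AUTH` while every other site uses `#ifdef`/`#ifndef`; `#ifdef HAVE_BSD_AUTH` there would keep them consistent. The bodies of readpw and main continue outside the nested hunks, so the handling of `passwd` after the call cannot be checked from here.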
>