diff options
-rw-r--r-- | desktop/i3lock/README | 7 | ||||
-rw-r--r-- | desktop/i3lock/i3lock-2.8-no-pam.patch | 273 | ||||
-rw-r--r-- | desktop/i3lock/i3lock.SlackBuild | 100 | ||||
-rw-r--r-- | desktop/i3lock/i3lock.info | 10 | ||||
-rw-r--r-- | desktop/i3lock/slack-desc | 19 |
5 files changed, 409 insertions, 0 deletions
diff --git a/desktop/i3lock/README b/desktop/i3lock/README new file mode 100644 index 0000000000..adf8e935d1 --- /dev/null +++ b/desktop/i3lock/README @@ -0,0 +1,7 @@ +i3lock is a simple screen locker like slock. + +This SlackBuild patches i3lock to not to use PAM, and is as such usable in +Slackware. +For verifying the password it uses shadow instead. Because of that, it needs +suid permissions, but those privileges are dropped as soon as possible. +The code for this was taken from slock. See the patch and LICENSE-slock. diff --git a/desktop/i3lock/i3lock-2.8-no-pam.patch b/desktop/i3lock/i3lock-2.8-no-pam.patch new file mode 100644 index 0000000000..665744f1cb --- /dev/null +++ b/desktop/i3lock/i3lock-2.8-no-pam.patch @@ -0,0 +1,273 @@ +diff -Nur i3lock-2.8-orig/LICENSE-slock i3lock-2.8/LICENSE-slock +--- i3lock-2.8-orig/LICENSE-slock 1970-01-01 01:00:00.000000000 +0100 ++++ i3lock-2.8/LICENSE-slock 2016-08-27 11:24:24.067880341 +0200 +@@ -0,0 +1,24 @@ ++MIT/X Consortium License ++ ++© 2015-2016 Markus Teich <markus.teich@stusta.mhn.de> ++© 2014 Dimitris Papastamos <sin@2f30.org> ++© 2006-2014 Anselm R Garbe <anselm@garbe.us> ++© 2014-2016 Laslo Hunhold <dev@frign.de> ++ ++Permission is hereby granted, free of charge, to any person obtaining a ++copy of this software and associated documentation files (the "Software"), ++to deal in the Software without restriction, including without limitation ++the rights to use, copy, modify, merge, publish, distribute, sublicense, ++and/or sell copies of the Software, and to permit persons to whom the ++Software is furnished to do so, subject to the following conditions: ++ ++The above copyright notice and this permission notice shall be included in ++all copies or substantial portions of the Software. ++ ++THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL ++THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING ++FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER ++DEALINGS IN THE SOFTWARE. +diff -Nur i3lock-2.8-orig/Makefile i3lock-2.8/Makefile +--- i3lock-2.8-orig/Makefile 2016-08-27 11:24:15.313880708 +0200 ++++ i3lock-2.8/Makefile 2016-08-27 11:24:24.067880341 +0200 +@@ -14,7 +14,7 @@ + CPPFLAGS += -D_GNU_SOURCE + CFLAGS += $(shell $(PKG_CONFIG) --cflags cairo xcb-dpms xcb-xinerama xcb-atom xcb-image xcb-xkb xkbcommon xkbcommon-x11) + LIBS += $(shell $(PKG_CONFIG) --libs cairo xcb-dpms xcb-xinerama xcb-atom xcb-image xcb-xkb xkbcommon xkbcommon-x11) +-LIBS += -lpam ++LIBS += -lcrypt + LIBS += -lev + LIBS += -lm + +@@ -37,9 +37,7 @@ + + install: all + $(INSTALL) -d $(DESTDIR)$(PREFIX)/bin +- $(INSTALL) -d $(DESTDIR)$(SYSCONFDIR)/pam.d + $(INSTALL) -m 755 i3lock $(DESTDIR)$(PREFIX)/bin/i3lock +- $(INSTALL) -m 644 i3lock.pam $(DESTDIR)$(SYSCONFDIR)/pam.d/i3lock + + uninstall: + rm -f $(DESTDIR)$(PREFIX)/bin/i3lock +diff -Nur i3lock-2.8-orig/i3lock.1 i3lock-2.8/i3lock.1 +--- i3lock-2.8-orig/i3lock.1 2016-08-27 11:24:15.313880708 +0200 ++++ i3lock-2.8/i3lock.1 2016-08-27 11:25:01.863878761 +0200 +@@ -45,8 +45,6 @@ + You can specify either a background color or a PNG image which will be displayed while your screen is locked. + .IP \[bu] + You can specify whether i3lock should bell upon a wrong password. +-.IP \[bu] +-i3lock uses PAM and therefore is compatible with LDAP, etc. + + + .SH OPTIONS +@@ -75,7 +73,7 @@ + .B \-u, \-\-no-unlock-indicator + Disable the unlock indicator. i3lock will by default show an unlock indicator + after pressing keys. This will give feedback for every keypress and it will +-show you the current PAM state (whether your password is currently being ++show you the current state (whether your password is currently being + verified or whether it is wrong). + + .TP +@@ -104,7 +102,7 @@ + .TP + .B \-e, \-\-ignore-empty-password + When an empty password is provided by the user, do not validate +-it. Without this option, the empty password will be provided to PAM ++it. Without this option, the empty password will be checked + and, if invalid, the user will have to wait a few seconds before + another try. This can be useful if the XF86ScreenSaver key is used to + put a laptop to sleep and bounce on resume or if you happen to wake up +diff -Nur i3lock-2.8-orig/i3lock.c i3lock-2.8/i3lock.c +--- i3lock-2.8-orig/i3lock.c 2016-08-27 11:24:15.312880708 +0200 ++++ i3lock-2.8/i3lock.c 2016-08-27 11:24:24.068880341 +0200 +@@ -18,7 +18,6 @@ + #include <xcb/xkb.h> + #include <err.h> + #include <assert.h> +-#include <security/pam_appl.h> + #include <getopt.h> + #include <string.h> + #include <ev.h> +@@ -28,6 +27,8 @@ + #include <xkbcommon/xkbcommon-x11.h> + #include <cairo.h> + #include <cairo/cairo-xcb.h> ++#include <unistd.h> ++#include <shadow.h> + + #include "i3lock.h" + #include "xcb.h" +@@ -49,10 +50,10 @@ + uint32_t last_resolution[2]; + xcb_window_t win; + static xcb_cursor_t cursor; +-static pam_handle_t *pam_handle; + int input_position = 0; + /* Holds the password you enter (in UTF-8). */ + static char password[512]; ++const char *pws = NULL; + static bool beep = false; + bool debug_mode = false; + bool unlock_indicator = true; +@@ -80,6 +81,39 @@ + bool ignore_empty_password = false; + bool skip_repeated_empty_password = false; + ++/* ++ * Shamelessly stolen from slock. See LICENSE-slock. ++ * This adjusts the process' out of memory score, ++ * so it isn't killed by the kernel under any circumstances. ++ */ ++#ifdef __linux__ ++#include <fcntl.h> ++#include <linux/oom.h> ++#include <errno.h> ++ ++static void ++dontkillme(void) ++{ ++ int fd; ++ int length; ++ char value[64]; ++ ++ fd = open("/proc/self/oom_score_adj", O_WRONLY); ++ if (fd < 0 && errno == ENOENT) ++ return; ++ ++ /* convert OOM_SCORE_ADJ_MIN to string for writing */ ++ length = snprintf(value, sizeof(value), "%d\n", OOM_SCORE_ADJ_MIN); ++ ++ /* bail on truncation */ ++ if (length >= sizeof(value)) ++ errx(EXIT_FAILURE, "buffer too small\n"); ++ ++ if (fd < 0 || write(fd, value, length) != length || close(fd) != 0) ++ errx(EXIT_FAILURE, "cannot disable the out-of-memory killer for this process (make sure to suid or sgid i3lock)\n"); ++} ++#endif ++ + /* isutf, u8_dec © 2005 Jeff Bezanson, public domain */ + #define isutf(c) (((c)&0xC0) != 0x80) + +@@ -235,17 +269,10 @@ + unlock_state = STATE_STARTED; + redraw_screen(); + +- if (pam_authenticate(pam_handle, 0) == PAM_SUCCESS) { ++ if (!strcmp(crypt(password, pws), pws)) { + DEBUG("successfully authenticated\n"); + clear_password_memory(); + +- /* PAM credentials should be refreshed, this will for example update any kerberos tickets. +- * Related to credentials pam_end() needs to be called to cleanup any temporary +- * credentials like kerberos /tmp/krb5cc_pam_* files which may of been left behind if the +- * refresh of the credentials failed. */ +- pam_setcred(pam_handle, PAM_REFRESH_CRED); +- pam_end(pam_handle, PAM_SUCCESS); +- + exit(0); + } + +@@ -580,37 +607,6 @@ + } + + /* +- * Callback function for PAM. We only react on password request callbacks. +- * +- */ +-static int conv_callback(int num_msg, const struct pam_message **msg, +- struct pam_response **resp, void *appdata_ptr) { +- if (num_msg == 0) +- return 1; +- +- /* PAM expects an array of responses, one for each message */ +- if ((*resp = calloc(num_msg, sizeof(struct pam_response))) == NULL) { +- perror("calloc"); +- return 1; +- } +- +- for (int c = 0; c < num_msg; c++) { +- if (msg[c]->msg_style != PAM_PROMPT_ECHO_OFF && +- msg[c]->msg_style != PAM_PROMPT_ECHO_ON) +- continue; +- +- /* return code is currently not used but should be set to zero */ +- resp[c]->resp_retcode = 0; +- if ((resp[c]->resp = strdup(password)) == NULL) { +- perror("strdup"); +- return 1; +- } +- } +- +- return 0; +-} +- +-/* + * This callback is only a dummy, see xcb_prepare_cb and xcb_check_cb. + * See also man libev(3): "ev_prepare" and "ev_check" - customise your event loop + * +@@ -764,8 +760,6 @@ + struct passwd *pw; + char *username; + char *image_path = NULL; +- int ret; +- struct pam_conv conv = {conv_callback, NULL}; + int curs_choice = CURS_NONE; + int o; + int optind = 0; +@@ -791,6 +785,30 @@ + if ((username = pw->pw_name) == NULL) + errx(EXIT_FAILURE, "pw->pw_name is NULL.\n"); + ++ /* ++ * This piece of code is shamelessly stolen from slock. ++ * See LICENSE-slock. ++ */ ++#ifdef __linux__ ++ dontkillme(); ++#endif ++ ++ pws = pw->pw_passwd; ++ ++ if (pws[0] == 'x' && pws[1] == '\0') { ++ struct spwd *sp; ++ if (!(sp = getspnam(getenv("USER")))) ++ errx(EXIT_FAILURE, "cannot retrieve shadow entry (make sure to suid or sgid i3lock)\n"); ++ pws = sp->sp_pwdp; ++ } ++ ++ /* drop privileges */ ++ if (geteuid() == 0 && ++ ((getegid() != pw->pw_gid && setgid(pw->pw_gid) < 0) || setuid(pw->pw_uid) < 0)) ++ errx(EXIT_FAILURE, "cannot drop privileges\n"); ++ ++ /* End of stolen code */ ++ + char *optstring = "hvnbdc:p:ui:teI:f"; + while ((o = getopt_long(argc, argv, optstring, longopts, &optind)) != -1) { + switch (o) { +@@ -862,13 +880,6 @@ + * the unlock indicator upon keypresses. */ + srand(time(NULL)); + +- /* Initialize PAM */ +- if ((ret = pam_start("i3lock", username, &conv, &pam_handle)) != PAM_SUCCESS) +- errx(EXIT_FAILURE, "PAM: %s", pam_strerror(pam_handle, ret)); +- +- if ((ret = pam_set_item(pam_handle, PAM_TTY, getenv("DISPLAY"))) != PAM_SUCCESS) +- errx(EXIT_FAILURE, "PAM: %s", pam_strerror(pam_handle, ret)); +- + /* Using mlock() as non-super-user seems only possible in Linux. Users of other + * operating systems should use encrypted swap/no swap (or remove the ifdef and + * run i3lock as super-user). */ +diff -Nur i3lock-2.8-orig/i3lock.pam i3lock-2.8/i3lock.pam +--- i3lock-2.8-orig/i3lock.pam 2016-08-27 11:24:15.313880708 +0200 ++++ i3lock-2.8/i3lock.pam 1970-01-01 01:00:00.000000000 +0100 +@@ -1,6 +0,0 @@ +-# +-# PAM configuration file for the i3lock screen locker. By default, it includes +-# the 'login' configuration file (see /etc/pam.d/login) +-# +- +-auth include login diff --git a/desktop/i3lock/i3lock.SlackBuild b/desktop/i3lock/i3lock.SlackBuild new file mode 100644 index 0000000000..a9c54a216f --- /dev/null +++ b/desktop/i3lock/i3lock.SlackBuild @@ -0,0 +1,100 @@ +#!/bin/sh + +# Slackware build script for i3lock + +# Copyright 2016 mid-kid +# All rights reserved. +# +# Redistribution and use of this script, with or without modification, is +# permitted provided that the following conditions are met: +# +# 1. Redistributions of this script must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO +# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +PRGNAM=i3lock +VERSION=${VERSION:-2.8} +BUILD=${BUILD:-1} +TAG=${TAG:-_SBo} + +if [ -z "$ARCH" ]; then + case "$( uname -m )" in + i?86) ARCH=i586 ;; + arm*) ARCH=arm ;; + *) ARCH=$( uname -m ) ;; + esac +fi + +CWD=$(pwd) +TMP=${TMP:-/tmp/SBo} +PKG=$TMP/package-$PRGNAM +OUTPUT=${OUTPUT:-/tmp} + +if [ "$ARCH" = "i586" ]; then + SLKCFLAGS="-O2 -march=i586 -mtune=i686" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "i686" ]; then + SLKCFLAGS="-O2 -march=i686 -mtune=i686" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "x86_64" ]; then + SLKCFLAGS="-O2 -fPIC" + LIBDIRSUFFIX="64" +else + SLKCFLAGS="-O2" + LIBDIRSUFFIX="" +fi + +set -e + +rm -rf $PKG +mkdir -p $TMP $PKG $OUTPUT +cd $TMP +rm -rf $PRGNAM-$VERSION +tar xvf $CWD/$PRGNAM-$VERSION.tar.bz2 +cd $PRGNAM-$VERSION +chown -R root:root . +find -L . \ + \( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \ + -o -perm 511 \) -exec chmod 755 {} \; -o \ + \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \ + -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \; + +# Apply a patch that removes all the PAM-related code, +# and checks the password against shadow instead. +patch -p1 -i $CWD/i3lock-2.8-no-pam.patch + +make install DESTDIR=$PKG + +# i3lock needs suid to make sure it isn't killed and to read shadow. +# Don't worry, the privileges are dropped really soon after starting +# and everything else runs as your user. +chmod 4755 $PKG/usr/bin/i3lock + +find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | grep ELF \ + | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true + +# Install the manpage +install -Dm644 i3lock.1 $PKG/usr/man/man1/i3lock.1 + +find $PKG/usr/man -type f -exec gzip -9 {} \; +for i in $( find $PKG/usr/man -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done + +mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION +cp -a CHANGELOG LICENSE LICENSE-slock README.md $PKG/usr/doc/$PRGNAM-$VERSION +cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild + +mkdir -p $PKG/install +cat $CWD/slack-desc > $PKG/install/slack-desc + +cd $PKG +/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz} diff --git a/desktop/i3lock/i3lock.info b/desktop/i3lock/i3lock.info new file mode 100644 index 0000000000..889c44061a --- /dev/null +++ b/desktop/i3lock/i3lock.info @@ -0,0 +1,10 @@ +PRGNAM="i3lock" +VERSION="2.8" +HOMEPAGE="http://i3wm.org/i3lock/" +DOWNLOAD="http://i3wm.org/i3lock/i3lock-2.8.tar.bz2" +MD5SUM="89de7b7d46fdb05638122cf3c2512093" +DOWNLOAD_x86_64="" +MD5SUM_x86_64="" +REQUIRES="libev libxkbcommon" +MAINTAINER="mid-kid" +EMAIL="esteve.varela@gmail.com" diff --git a/desktop/i3lock/slack-desc b/desktop/i3lock/slack-desc new file mode 100644 index 0000000000..a0cc58f32f --- /dev/null +++ b/desktop/i3lock/slack-desc @@ -0,0 +1,19 @@ +# HOW TO EDIT THIS FILE: +# The "handy ruler" below makes it easier to edit a package description. +# Line up the first '|' above the ':' following the base package name, and +# the '|' on the right side marks the last column you can put a character in. +# You must make exactly 11 lines for the formatting to be correct. It's also +# customary to leave one space after the ':' except on otherwise blank lines. + + |-----handy-ruler------------------------------------------------------| +i3lock: i3lock (a simple screen locker) +i3lock: +i3lock: i3lock is a simple screen locker like slock. +i3lock: After starting it, you will see a white screen +i3lock: (you can configure the color/an image). +i3lock: You can return to your screen by entering your password. +i3lock: +i3lock: This version is patched to not to use PAM. +i3lock: +i3lock: Homepage: http://i3wm.org/i3lock/ +i3lock: |