---
 config.def.h | 4 ++++
 config.mk | 2 +-
 slock.c | 26 +++++++++++++++++++++-----
 3 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/config.def.h b/config.def.h
index eae2d9a..6fba2b6 100644
--- a/config.def.h
+++ b/config.def.h
_AT_@ -1,3 +1,7 @@
+/* user and group to drop privileges to */
+static const char *user =3D "nobody";
+static const char *group =3D "nogroup";
+
 static const char *colorname[NUMCOLS] =3D {
 "black", /* after initialization */
 "#005577", /* during input */
diff --git a/config.mk b/config.mk
index 049305c..11357a7 100644
--- a/config.mk
+++ b/config.mk
_AT_@ -15,7 +15,7 @@ INCS =3D -I. -I/usr/include -I${X11INC}
 LIBS =3D -L/usr/lib -lc -lcrypt -L${X11LIB} -lX11 -lXext -lXrandr
=20
 # flags
-CPPFLAGS =3D -DVERSION=3D\"${VERSION}\" -DHAVE_SHADOW_H
+CPPFLAGS =3D -DVERSION=3D\"${VERSION}\" -D_DEFAULT_SOURCE -DHAVE_SHADOW_H
 CFLAGS =3D -std=3Dc99 -pedantic -Wall -Os ${INCS} ${CPPFLAGS}
 LDFLAGS =3D -s ${LIBS}
 COMPATSRC =3D explicit_bzero.c
diff --git a/slock.c b/slock.c
index da4b099..d297fb0 100644
--- a/slock.c
+++ b/slock.c
_AT_@ -6,6 +6,7 @@
=20
 #include <ctype.h>
 #include <errno.h>
+#include <grp.h>
 #include <pwd.h>
 #include <stdarg.h>
 #include <stdlib.h>
_AT_@ -83,7 +84,6 @@ dontkillme(void)
 }
 #endif
=20
-/* only run as root */
 static const char *
 getpw(void)
 {
_AT_@ -119,10 +119,6 @@ getpw(void)
 }
 #endif /* HAVE_SHADOW_H */
=20
- /* drop privileges */
- if (geteuid() =3D=3D 0 &&
- ((getegid() !=3D pw->pw_gid && setgid(pw->pw_gid) < 0) || setuid(pw->= pw_uid) < 0))
- die("slock: cannot drop privileges\n");
 return rval;
 }
=20
_AT_@ -316,6 +312,8 @@ usage(void)
=20
 int
 main(int argc, char **argv) {
+ struct passwd *pwd;
+ struct group *grp;
 const char *pws;
 Display *dpy;
 int s, nlocks;
_AT_@ -328,6 +326,16 @@ main(int argc, char **argv) {
 usage();
 } ARGEND
=20
+ /* validate drop-user and -group */
+ errno =3D 0;
+ if (!(pwd =3D getpwnam(user)))
+ die("slock: getpwnam %s: %s\n", user, errno ?
+ strerror(errno) : "user entry not found");
+ errno =3D 0;
+ if (!(grp =3D getgrnam(group)))
+ die("slock: getgrnam %s: %s\n", group, errno ?
+ strerror(errno) : "group entry not found");
+
 #ifdef __linux__
 dontkillme();
 #endif
_AT_@ -339,6 +347,14 @@ main(int argc, char **argv) {
 if (!(dpy =3D XOpenDisplay(NULL)))
 die("slock: cannot open display\n");
=20
+ /* drop privileges */
+ if (setgroups(0, NULL) < 0)
+ die("slock: setgroups: %s\n", strerror(errno));
+ if (setgid(grp->gr_gid) < 0)
+ die("slock: setgid: %s\n", strerror(errno));
+ if (setuid(pwd->pw_uid) < 0)
+ die("slock: setuid: %s\n", strerror(errno));
+
 /* check for Xrandr support */
 rr =3D XRRQueryExtension(dpy, &rrevbase, &rrerrbase);
=20
--=20
2.7.3
Received on Mon Sep 17 2001 - 00:00:00 CEST
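Review bot: The defaults added in config.def.h put the locker in the shared `nobody` account, and the one-line comment does not say what that implies. After the drop, slock has the same uid as every other service that runs as `nobody`, and same-uid processes are allowed to signal each other, so a dedicated account that runs nothing else is the safer choice. `nogroup` is also not present on every system (some name the group `nobody`), in which case the `getgrnam` check added in slock.c makes slock exit at start-up. I would expand the comment to `/* user and group to drop privileges to; prefer a dedicated account that runs nothing else, and check that the group exists on this system */`.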
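Review bot: `pwd` and `grp` in the validation block of main() point into storage owned by libc, which later `getpw*`/`getgr*` calls may overwrite, yet they are only dereferenced in the drop-privileges block of the last hunk. getpw() works with its own `struct passwd *pw` (visible in the lines removed by the -119 hunk), and if main() calls it between the two blocks — that part of main() is outside the hunks — `pwd->pw_uid` may by then hold the invoking user's uid rather than that of `user`. For a root caller the setuid() would then succeed without dropping anything. Copy the ids into locals right after each lookup and pass those to setgid()/setuid().

```c
	uid_t duid;
	gid_t dgid;
	/* … unchanged: getpwnam(user) lookup and die() … */
	duid = pwd->pw_uid;	/* copy now, the entry may live in static storage */
	/* … unchanged: getgrnam(group) lookup and die() … */
	dgid = grp->gr_gid;
	/* … unchanged: dontkillme(), password lookup, XOpenDisplay() … */
	if (setgid(dgid) < 0)
	/* … unchanged: die() … */
	if (setuid(duid) < 0)
```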
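Review bot: The drop block added to main() sits after `XOpenDisplay(NULL)`, so the Xlib connection set-up now runs before any privilege is given up. The code removed from getpw() dropped at the end of the password lookup, which presumably ran before the display was opened (the call is outside the hunk). If the ordering is deliberate — the target account may not be able to read the invoking user's X authority data — say so above the block, e.g. `/* drop privileges; kept after XOpenDisplay() on purpose, do not add privileged work above this point */`. The three calls themselves are in the right order (supplementary groups, then gid, then uid) and each result is checked.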