Re: [hackers] [slock] Unify how we check passwords between different OSes

From: Quentin Rameau <quinq_AT_fifth.space>
Date: Wed, 7 Sep 2016 12:13:20 +0200

> Heyho Quentin,
>
> thanks for the update.
:)

> Quentin Rameau wrote:
> > diff --git a/config.mk b/config.mk
> > …
> > -# Install mode. On BSD systems MODE=2755 and GROUP=auth
> > -# On others MODE=4755 and GROUP=root
> > -#MODE=2755
> > -#GROUP=auth
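Review bot: the comment block removed from config.mk is the only text in this
hunk that tells a packager which install mode the binary needs, and nothing
replaces it. The slock.c error path still tells the user to "make sure to suid
or sgid slock", so keep a one-line comment here stating the mode the unified
check requires (the removed text gives MODE=4755 and GROUP=root for non-BSD
systems), or set it in the install target, so that the requirement is not
discoverable only through a runtime die().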
>
> There was a patch some time ago making use of those variables. If the file
> permissions and owner/group have to be different on BSD, this should be kept
> (but actually updated in the Makefile to be used), since config.mk is the place
> for system dependent adaptions of the build, not Makefile. If they are the same
> on the BSDs, this block can be removed of course.
These variables seem to be about the auth_userokay() which we remove
anyway with this patch.
The “new” auth mechanism just needs root privileges to access the shadow
passwords, having the binary setuid to root should be enough everywhere.
I can't see another use for those, do you?

> > diff --git a/slock.c b/slock.c
> > …
> > +#else
> > + if (rval[0] == '*' && rval[1] == '\0') {
> > +#ifdef __OpenBSD__
> > + if (!(pw = getpwnam_shadow(getenv("USER"))))
> > + die("cannot retrieve shadow entry (make sure to suid or sgid slock)\n");
> > + rval = pw->pw_passwd;
> > +#else
> > + die("cannot retrieve shadow entry (make sure to suid or sgid slock)\n");
> > +#endif /* __OpenBSD__ */
> > + }
> > +#endif /* HAVE_SHADOW_H */
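Review bot: in the __OpenBSD__ branch, getpwnam_shadow(getenv("USER")) takes
the account name from the environment of a binary that the error text says is
installed suid or sgid. getenv() returns NULL when USER is unset, and the value
is whatever the invoking user exported, so the shadow entry fetched is not tied
to the real uid. Look the entry up by uid instead, for example with
getpwuid_shadow(getuid()). Separately, both die() calls print the same text, so
a failure on a non-OpenBSD system built without HAVE_SHADOW_H cannot be told
apart from a permissions problem; a distinct message in the final #else branch
would make that visible.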
>
> We should probably use another error message in the not __OpenBSD__ case, maybe
> something like "slock: unknown shadow passwd system\n". Also please add the
> "slock: " prefix to the other die() call.
The second message is right here: if we got a pw->pw_passwd being "*",
it means that we didn't have access to the shadow password in the first
pass, which is how it works on other systems (those being the ones stated
in the previous mail).
Received on Wed Sep 07 2016 - 12:13:20 CEST
