authorEdwin Groothuis <edwin@FreeBSD.org>2005-12-12 21:18:26 +0000
committerEdwin Groothuis <edwin@FreeBSD.org>2005-12-12 21:18:26 +0000
commit5d5a063ca2e34665db3eb356db94ca1f3b26a653 (patch)
treedc7bececce36d1da4966e5315b8f8bf38fc7a04a /x11/xlockmore
parentFix MASTER_SITES. (diff)
xlockmore port improvements patch
Some time ago I send PR about PAM support in xlockmore. Now I spend some time to work on xlockmore. I found that PAM works fine by default (with --enable-pam), but only with modules that does not requires root rights to authenticate. But almost all PAM configurations ends with pam_unix call. Here is the trouble. xlock drops root privileges after startup. I use BAD_PAM again to wrap this setuid(). IMHO, usage of BAD_PAM is right in this case. Also abort trap was fixed. Here was error in PAM_conv function. I'll send explanations of changes and situation to xlock-discuss mailing list later. May be fixes will be committed into next release of xlockmore. Here is attached diff against xlockmore port. It makes some changes in Makefile and drops two patches to files dir. New knobs added to Makefile and some old changed. Here is the description: - OPTIONS added for interactive configuration of xlockmore (make config). - WITH_PAM - enable common PAM support in xlock, but does not define BAD_PAM. So PAM modules that does not require root rights can be used (pam_pwdfile e.g.). - WITH_BAD_PAM - enable WITH_PAM and define BAD_PAM in config.h after 'configure'. So all PAM modules can be used, including pam_unix. - WITH_NICE_ONLY - enable only low-CPU modes. Good for old machines. - WITH_BLANK_ONLY - enable only 'blank' mode. Can be useful in some cases. PR: ports/90276 Submitted by: Yuri Y. Bushmelev <jay-dev@simcom.ru>
Notes
Notes: svn path=/head/; revision=151056
Diffstat (limited to 'x11/xlockmore')
-rw-r--r--x11/xlockmore/Makefile37
-rw-r--r--x11/xlockmore/files/patch-pam-passwd.c62
-rw-r--r--x11/xlockmore/files/patch-pam-xlock.c17
3 files changed, 114 insertions, 2 deletions
diff --git a/x11/xlockmore/Makefile b/x11/xlockmore/Makefile
index f7681fbbda74..8185360b9f5e 100644
--- a/x11/xlockmore/Makefile
+++ b/x11/xlockmore/Makefile
@@ -35,6 +35,15 @@ USE_X_PREFIX= yes
USE_XPM= yes
MAN1= xlock.1
+OPTIONS=MESAGL "Enable Mesa 3D (for GL modes)" off \
+ MB "Enable Xmb function series" off \
+ SYSLOG "Enable syslog logging" off \
+ DISABLE_ALLOW_ROOT "Allows users to turn off allowroot" off \
+ NICE_ONLY "Enable only low cpu modes" off \
+ BLANK_ONLY "Enable blank mode only (boring)" off \
+ PAM "Enable PAM authentication support" off \
+ BAD_PAM "Xlock will ask PAM with root rights" off
+
.include <bsd.port.pre.mk>
.if ${ARCH} == amd64
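Review bot: The BAD_PAM option text, `"Xlock will ask PAM with root rights"`, does not tell someone running `make config` what they give up. Judging by the xlock.c patch in this same commit, the knob makes xlock lower only its effective uid instead of dropping root for good, so a setuid-root xlock could switch back to root at any point while the screen is locked. Wording such as `BAD_PAM "Keep root for PAM (pam_unix); xlock does not drop root permanently" off` would make the cost visible. The pre-extract message in the third Makefile hunk has the same gap: it recommends WITH_BAD_PAM=yes without naming that trade-off.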
@@ -54,12 +63,24 @@ CONFIGURE_ARGS+= --without-mesa --without-opengl
CONFIGURE_ARGS+= --enable-nice-only
.endif
+.if defined(WITH_BAD_PAM) && !defined(WITH_PAM)
+WITH_PAM= yes
+.endif
+
.if defined(WITH_PAM)
CONFIGURE_ARGS+= --enable-pam
.endif
+.if defined(WITH_NICE_ONLY)
+CONFIGURE_ARGS+= --enable-nice-only
+.endif
+
+.if defined(WITH_BLANK_ONLY)
+CONFIGURE_ARGS+= --enable-blank-only
+.endif
+
.if defined(WITH_MB)
-CONFIGURE_ARGS+= --enable-use_mb
+CONFIGURE_ARGS+= --enable-use-mb
.endif
.if defined(XLOCKMORE_LANG)
@@ -76,10 +97,22 @@ CONFIGURE_ENV+= XLOCKLIBS="${KRB5LIB} ${KRB4LIB} ${MESALIB}"
CONFIGURE_ARGS+= --disable-allow-root
.endif
-.if ${X_WINDOW_SYSTEM:L} != xfree86-3
+.if defined(WITH_PAM) && !defined (WITH_BAD_PAM)
+pre-extract:
+ @${ECHO}
+ @${ECHO} "You have enabled PAM support. If you want to authenticate against"
+ @${ECHO} "root only accessible PAM modules then define WITH_BAD_PAM=yes also."
+ @${ECHO} "For example, pam_unix requires root rights to access shadow passwords."
+ @${ECHO}
+.endif
+
post-configure:
+.if ${X_WINDOW_SYSTEM:L} != xfree86-3
${REINPLACE_CMD} -e 's/-lXdpms//g' ${WRKSRC}/modes/Makefile
.endif
+.if defined(WITH_BAD_PAM)
+ ${REINPLACE_CMD} -e 's|/\* #define BAD_PAM \*/|#define BAD_PAM|g' ${WRKSRC}/config.h
+.endif
PLIST_FILES= bin/xlock lib/X11/app-defaults/XLock
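Review bot: The `${REINPLACE_CMD}` line under `.if defined(WITH_BAD_PAM)` exits successfully even when the pattern `/* #define BAD_PAM */` is absent from config.h. If upstream ever changes the spacing of that line, the port would silently build xlock without BAD_PAM although the knob was set. With pam_unix in the PAM stack, that probably means a screen that locks but cannot be unlocked. Add a check after the substitution, for example `@${GREP} -q '^#define BAD_PAM' ${WRKSRC}/config.h`, so the build stops when the define did not land.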
diff --git a/x11/xlockmore/files/patch-pam-passwd.c b/x11/xlockmore/files/patch-pam-passwd.c
new file mode 100644
index 000000000000..e2f4e4341ebe
--- /dev/null
+++ b/x11/xlockmore/files/patch-pam-passwd.c
@@ -0,0 +1,62 @@
+--- ../xlockmore-5.20.1.orig/xlock/passwd.c Mon Sep 26 17:11:20 2005
++++ xlock/passwd.c Mon Dec 12 15:04:31 2005
+@@ -304,6 +304,16 @@
+ reply = (struct pam_response *) malloc(sizeof (struct pam_response) *
+ num_msg);
+
++// reply[] members is not initialized!
++// As a result - abort trap when PAM tries to free reply structure
++// after PAM_ERROR_MSG processing.
++
++// So I just initialize reply here with default values and drop
++// initialization from code below (if code matches).
++
++ reply[replies].resp_retcode = PAM_SUCCESS; // be optimistic
++ reply[replies].resp = NULL;
++
+ if (!reply)
+ return PAM_CONV_ERR;
+
+@@ -325,7 +335,6 @@
+ }
+ else
+ {
+- reply[replies].resp_retcode = PAM_SUCCESS;
+ reply[replies].resp = COPY_STRING(PAM_password);
+ }
+ #ifdef DEBUG
+@@ -340,11 +349,6 @@
+ {
+ PAM_putText( msg[replies], &reply[replies], False );
+ }
+- else
+- {
+- reply[replies].resp_retcode = PAM_SUCCESS;
+- reply[replies].resp = NULL;
+- }
+ #ifdef DEBUG
+ (void) printf( "Back From PAM_putText: PAM_PROMPT_ECHO_ON\n" );
+ (void) printf( "Response is: (%s)\n, Return Code is: (%d)\n",
+@@ -357,11 +361,7 @@
+ {
+ PAM_putText( msg[replies], &reply[replies], False );
+ }
+- else
+- {
+- reply[replies].resp_retcode = PAM_SUCCESS;
+- reply[replies].resp = NULL;
+- }
++ /* PAM frees resp */
+ #ifdef DEBUG
+ (void) printf( "Back From PAM_putText: PAM_PROMPT_ECHO_ON\n" );
+ (void) printf( "Response is: (%s)\n, Return Code is: (%d)\n",
+@@ -1205,8 +1205,7 @@
+ pam_error = pam_authenticate(pamh, 0);
+ if (pam_error != PAM_SUCCESS) {
+ if (!allowroot) {
+- pam_end(pamh, 0);
+- return False;
++ PAM_BAIL;
+ }
+
+ /* Try as root; bail if no success there either */
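Review bot: The added initialisation `reply[replies].resp_retcode = PAM_SUCCESS; reply[replies].resp = NULL;` sits above the `if (!reply)` check, so a failed malloc() is dereferenced before it is tested. It also sets only the one element at index `replies`, while the array holds `num_msg` elements and the later hunks delete the per-message `else` initialisations. If this point is ahead of the message loop (the loop header is outside the visible context), the reply for any further message can stay uninitialised and PAM may free a garbage `resp` pointer, which is the abort this patch sets out to fix. Zeroed allocation with the check first covers every element, since PAM_SUCCESS is 0: `reply = calloc(num_msg, sizeof *reply);` followed by `if (!reply) return PAM_CONV_ERR;`. A `num_msg <= 0` guard before the allocation would be worth adding too.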
diff --git a/x11/xlockmore/files/patch-pam-xlock.c b/x11/xlockmore/files/patch-pam-xlock.c
new file mode 100644
index 000000000000..cd4df5f0f2dd
--- /dev/null
+++ b/x11/xlockmore/files/patch-pam-xlock.c
@@ -0,0 +1,17 @@
+--- ../xlockmore-5.20.1.orig/xlock/xlock.c Thu Oct 27 04:09:29 2005
++++ xlock/xlock.c Mon Dec 12 14:56:05 2005
+@@ -3316,7 +3316,14 @@
+ #ifdef USE_VTLOCK
+ if (!vtlock)
+ #endif
++#ifdef BAD_PAM
++ (void) seteuid(ruid);
++#else
+ (void) setuid(ruid);
++#endif
++// #ifdef BAD_PAM ... #endif above will be added to prevent xlock from
++// dropping privileges when using PAM modules, that needs root rights
++// (pam_unix e.g.)
+
+ #if 0
+ /* synchronize -- so I am aware of errors immediately */
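Review bot: Both branches discard the result of the privilege change with `(void)`, so if `seteuid(ruid)` or `setuid(ruid)` fails, xlock carries on with root's effective uid. Check the call and stop on failure, e.g. `if (seteuid(ruid) != 0) { perror("seteuid"); exit(1); }`, and likewise for the setuid() branch. Under BAD_PAM, seteuid() changes only the effective uid, so the saved uid stays root and all later mode and X11 code runs in a process that can switch back. The trailing `//` comment should state that plainly, and it would be safer to hold root only around the PAM call itself. The enclosing function starts and ends outside the hunk.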