diff options
Diffstat (limited to '')
| -rw-r--r-- | config.def.h | 4 | ||||
| -rw-r--r-- | config.mk | 2 | ||||
| -rw-r--r-- | slock.c | 30 |
3 files changed, 30 insertions, 6 deletions
diff --git a/config.def.h b/config.def.h index eae2d9a..6fba2b6 100644 --- a/config.def.h +++ b/config.def.h @@ -1,3 +1,7 @@ +/* user and group to drop privileges to */ +static const char *user = "nobody"; +static const char *group = "nogroup"; + static const char *colorname[NUMCOLS] = { "black", /* after initialization */ "#005577", /* during input */ @@ -15,7 +15,7 @@ INCS = -I. -I/usr/include -I${X11INC} LIBS = -L/usr/lib -lc -lcrypt -L${X11LIB} -lX11 -lXext -lXrandr # flags -CPPFLAGS = -DVERSION=\"${VERSION}\" -DHAVE_SHADOW_H +CPPFLAGS = -DVERSION=\"${VERSION}\" -D_DEFAULT_SOURCE -DHAVE_SHADOW_H CFLAGS = -std=c99 -pedantic -Wall -Os ${INCS} ${CPPFLAGS} LDFLAGS = -s ${LIBS} COMPATSRC = explicit_bzero.c @@ -6,6 +6,7 @@ #include <ctype.h> #include <errno.h> +#include <grp.h> #include <pwd.h> #include <stdarg.h> #include <stdlib.h> @@ -83,7 +84,6 @@ dontkillme(void) } #endif -/* only run as root */ static const char * getpw(void) { @@ -119,10 +119,6 @@ getpw(void) } #endif /* HAVE_SHADOW_H */ - /* drop privileges */ - if (geteuid() == 0 && - ((getegid() != pw->pw_gid && setgid(pw->pw_gid) < 0) || setuid(pw->pw_uid) < 0)) - die("slock: cannot drop privileges\n"); return rval; } @@ -316,6 +312,10 @@ usage(void) int main(int argc, char **argv) { + struct passwd *pwd; + struct group *grp; + uid_t duid; + gid_t dgid; const char *pws; Display *dpy; int s, nlocks; @@ -328,6 +328,18 @@ main(int argc, char **argv) { usage(); } ARGEND + /* validate drop-user and -group */ + errno = 0; + if (!(pwd = getpwnam(user))) + die("slock: getpwnam %s: %s\n", user, errno ? + strerror(errno) : "user entry not found"); + duid = pwd->pw_uid; + errno = 0; + if (!(grp = getgrnam(group))) + die("slock: getgrnam %s: %s\n", group, errno ? + strerror(errno) : "group entry not found"); + dgid = grp->gr_gid; + #ifdef __linux__ dontkillme(); #endif @@ -339,6 +351,14 @@ main(int argc, char **argv) { if (!(dpy = XOpenDisplay(NULL))) die("slock: cannot open display\n"); + /* drop privileges */ + if (setgroups(0, NULL) < 0) + die("slock: setgroups: %s\n", strerror(errno)); + if (setgid(dgid) < 0) + die("slock: setgid: %s\n", strerror(errno)); + if (setuid(duid) < 0) + die("slock: setuid: %s\n", strerror(errno)); + /* check for Xrandr support */ rr = XRRQueryExtension(dpy, &rrevbase, &rrerrbase); |