From b9050914a87578a38b52ad197cbbb34574eb03e7 Mon Sep 17 00:00:00 2001
From: Baptiste Daroussin
Date: Wed, 12 Jul 2023 09:24:06 +0200
Subject: [PATCH] i3lock: remove the setuid bit

Following swaylock example, by using unix-selfauth-helper and pam_exec we can avoid requiring setuid bit on i3lock.
Reported by: Mateusz Kocielski
---
 deskutils/i3lock/Makefile | 11 +++++++++--
 deskutils/i3lock/files/i3lock.pam.in | 7 +++++++
 2 files changed, 16 insertions(+), 2 deletions(-)
 create mode 100644 deskutils/i3lock/files/i3lock.pam.in
diff --git a/deskutils/i3lock/Makefile b/deskutils/i3lock/Makefile
index 78a0426807db6..a269e22cd3cc4 100644
--- a/deskutils/i3lock/Makefile
+++ b/deskutils/i3lock/Makefile
@@ -1,5 +1,6 @@
 PORTNAME= i3lock
 PORTVERSION= 2.13
+PORTREVISION= 1
 CATEGORIES= deskutils x11
 MASTER_SITES= http://i3wm.org/${PORTNAME}/
@@ -19,12 +20,17 @@ LIB_DEPENDS= libcairo.so:graphics/cairo \
 libxcb-util.so:x11/xcb-util \
 libxcb-xrm.so:x11/xcb-util-xrm
+RUN_DEPENDS= unix-selfauth-helper>0:security/unix-selfauth-helper
+
 MAKE_ARGS= PREFIX="${PREFIX}" X11LIB="${LOCALBASE}/lib" \
 X11INC="${LOCALBASE}/include" CC="${CC}" \
 MANDIR="${MANPREFIX}/man"
-PLIST_FILES= "@(,,4755) bin/i3lock" \
- man/man1/i3lock.1.gz
+PLIST_FILES= bin/i3lock \
+ man/man1/i3lock.1.gz \
+ etc/pam.d/i3lock
+
+SUB_FILES= i3lock.pam
 USES= gmake iconv localbase pkgconfig tar:bzip2 xorg
 LDFLAGS+= ${ICONV_LIB}
@@ -41,6 +47,7 @@ OPTIONS_DEFINE= DOCS
 post-install:
 @${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/i3lock
 @${RM} ${STAGEDIR}${PREFIX}/etc/pam.d/i3lock
+ @${INSTALL_DATA} ${WRKDIR}/i3lock.pam ${STAGEDIR}${PREFIX}/etc/pam.d/i3lock
 post-install-DOCS-on:
 @${MKDIR} ${STAGEDIR}${DOCSDIR}
diff --git a/deskutils/i3lock/files/i3lock.pam.in b/deskutils/i3lock/files/i3lock.pam.in
new file mode 100644
index 0000000000000..942be88359ac3
--- /dev/null
+++ b/deskutils/i3lock/files/i3lock.pam.in
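Review bot: `etc/pam.d/i3lock` is added to PLIST_FILES as a plain file, so a package upgrade or reinstall will presumably overwrite any local changes an administrator made to the lock screen's authentication stack. The usual ports pattern for configuration is to ship a sample and register it with the `@sample` keyword, for example `"@sample etc/pam.d/i3lock.sample"`, with post-install installing under the `.sample` name. Dropping `@(,,4755)` also means the password check now depends on security/unix-selfauth-helper at run time, so a comment above RUN_DEPENDS such as `# password check is delegated to this helper via pam_exec; i3lock itself is no longer setuid` would record why the dependency must not be removed.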
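Review bot: The added `${INSTALL_DATA}` line in post-install assumes `${STAGEDIR}${PREFIX}/etc/pam.d` already exists, which holds only while the upstream install step keeps creating it (the `${RM}` just above suggests upstream installs its own file there). Adding `@${MKDIR} ${STAGEDIR}${PREFIX}/etc/pam.d` before it makes the step independent of upstream. A short comment such as `# replace upstream's PAM file with the pam_exec-based one generated from files/i3lock.pam.in` would explain the remove-then-install pair. The post-install-DOCS-on target that follows continues outside the hunk.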
@@ -0,0 +1,7 @@
+#
+# PAM configuration for the "i3lock" service. i3lock(1) only uses
+# auth facilities.
+#
+
+auth sufficient pam_exec.so return_prog_exit_status expose_authtok %%LOCALBASE%%/libexec/unix-selfauth-helper
+auth include system
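Review bot: The header comment does not explain the first `auth` line, where the unlock decision rests on the exit status of `%%LOCALBASE%%/libexec/unix-selfauth-helper`: with `sufficient` and `return_prog_exit_status`, an exit status of 0 from that program unlocks the screen without consulting the `system` stack. I would extend the comment with something like `# The helper checks the invoking user's own password so i3lock needs no setuid bit; if it fails, the system stack is tried.` It is also worth confirming that a missing or non-executable helper fails closed, i.e. that falling through to `auth include system` cannot succeed for an unprivileged i3lock unless a module in that stack is meant to allow it.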