FreeBSD support #43
Comments
xscreensaver solves the latter problem by being setuid root (same as chmod +s .../auth_pam_x11). Sure works, but absolutely not recommended, as a bug in auth_pam_x11 then could be used to take over the system.
Build fix: 7f12231#diff-c2c3081275569a523f7b887c77722c5b Warning fix: 7b8f363 What remains is unfortunately a larger thing - seems like the one way forward is to move the PAM conversation from auth_pam_x11 into a separate binary. That one then can be made setuid root.
slock, xtrlock, metalock also all are setuid root on FreeBSD. Still, not gonna do that for a screen locker that claims to be secure. auth_pam_x11 does quite a lot nowadays (even keyboard layout switching), could totally imagine that a bug inside libxkb would be exploitable. Now the good news is, the separate PAM auth process might be a good idea on Linux too, so we could be sure to exercise this to-be-created interface everywhere. That way we're sure to notice possible bugs, and don't need two interfaces inside auth_pam_x11.
Looks like on OpenBSD, setgid auth would be a somewhat better option; unfortunately /etc/spwd.db is root:wheel 600 on FreeBSD, so that's not an option here.
This is now used by auth_pam_x11 as sole backend. It can be made setuid/setgid where necessary to authenticate local users (e.g. on FreeBSD). Also renames auth_pam_x11 to auth_x11, and moves auth_htpasswd and auth_pamtester to authprotos that can be used with auth_x11. Will fix #43.
Confirmed that the upcoming commit will fix the issue on FreeBSD (one will still have to manually chmod +s authproto_pam).
Current version of the authproto branch now works also on OpenBSD, provided one installs the openpam port. Installation notes have been updated in 2789d16 to cover FreeBSD and OpenBSD specifics.
Add an authproto_pam helper that communicates with PAM. This is now used by auth_pam_x11 as sole backend. It can be made setuid/setgid where necessary to authenticate local users (e.g. on FreeBSD). Also renames auth_pam_x11 to auth_x11, and moves auth_htpasswd and auth_pamtester to authprotos that can be used with auth_x11. Will fix #43.
I'd like to support FreeBSD somehow.
Issues with FreeBSD:
The former is easy to solve by build script hackery, although I don't quite like it; the latter however is a major obstacle for any screen locker.
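The privilege split discussed in this thread (a large unprivileged UI process that hands the typed password to a small helper, which alone would carry the setuid bit), as an added example that is not xsecurelock's code. Assumptions: the wire format and the names `check_password` and `helper_main` are hypothetical, a constructed secret stands in for the PAM conversation, and a plain `fork()` stands in for executing a separately installed helper binary.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
/* Hypothetical wire format, not xsecurelock's: request = 1 length byte +
 * password bytes; reply = 1 verdict byte, 'Y' or 'N'. */
static int read_full(int fd, void *buf, size_t n) {
  for (size_t got = 0; got < n;) {
    ssize_t r = read(fd, (char *)buf + got, n - got);
    if (r <= 0) return -1; /* EOF or error: treat as failure */
    got += (size_t)r;
  }
  return 0;
}

/* Helper side: the only part that would be installed setuid. A constructed
 * secret stands in for PAM; the compare has no early exit on mismatch. */
static void helper_main(int fd) {
  static const char secret[] = "constructed-demo-secret";
  unsigned char len = 0, buf[255], diff;
  char verdict = 'N';
  if (read_full(fd, &len, 1) == 0 && read_full(fd, buf, len) == 0) {
    diff = (unsigned char)(len != sizeof(secret) - 1);
    for (size_t i = 0; i < len && i < sizeof(secret) - 1; i++)
      diff |= buf[i] ^ (unsigned char)secret[i];
    if (!diff) verdict = 'Y';
  }
  _exit(write(fd, &verdict, 1) == 1 ? 0 : 1);
}

/* UI side: stays unprivileged; returns 1 only on an explicit 'Y' reply. */
int check_password(const char *pw) {
  int sv[2], ok = 0;
  char verdict = 'N';
  size_t len = strlen(pw);
  if (len > 255 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 0;
  unsigned char l = (unsigned char)len;
  pid_t pid = fork();
  if (pid < 0) { close(sv[0]); close(sv[1]); return 0; }
  if (pid == 0) { close(sv[0]); helper_main(sv[1]); }
  close(sv[1]);
  if (write(sv[0], &l, 1) == 1 && write(sv[0], pw, len) == (ssize_t)len &&
      read_full(sv[0], &verdict, 1) == 0)
    ok = (verdict == 'Y');
  close(sv[0]);
  waitpid(pid, NULL, 0);
  return ok;
}
int main(void) { return check_password("constructed-demo-secret") ? 0 : 1; }
```

Any failure on the channel (short read, helper exit, unexpected byte) leaves the verdict at 'N', so the UI side fails closed.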