
FreeBSD support #43

Closed
divVerent opened this issue Sep 17, 2018 · 6 comments · Fixed by #45

Comments

@divVerent
Contributor

I'd like to support FreeBSD somehow.

Issues with FreeBSD:

  • As we use -std=c11, we can't use gettimeofday() in until_nonidle. There seems to be no workaround other than not enabling C11.
  • pam_unix cannot check one's own password (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194604). We probably need our own setuid root helper binary. Making auth_pam_x11 setuid root would probably work but is absolutely not advised. As a current workaround, users could install pam_pwdfile and use a htpasswd-like file.

The former is easy to solve by build script hackery, although I don't quite like it; the latter however is a major obstacle for any screen locker.

@divVerent
Contributor Author

xscreensaver solves the latter problem by being setuid root (same as chmod +s .../auth_pam_x11). Sure works, but absolutely not recommended, as a bug in auth_pam_x11 then could be used to take over the system.

@divVerent
Contributor Author

Build fix: 7f12231#diff-c2c3081275569a523f7b887c77722c5b

Warning fix: 7b8f363

What remains is unfortunately a larger thing - seems like the one way forward is to move the PAM conversation from auth_pam_x11 into a separate binary. That one then can be made setuid root.

@divVerent
Contributor Author

slock, xtrlock, metalock also all are setuid root on FreeBSD.

Still, not gonna do that for a screen locker that claims to be secure. auth_pam_x11 does quite a lot nowadays (even keyboard layout switching), could totally imagine that a bug inside libxkb would be exploitable.

Now the good news is, the separate PAM auth process might be a good idea on Linux too, so we could be sure to exercise this to-be-created interface everywhere. That way we're sure to notice possible bugs, and don't need two interfaces inside auth_pam_x11.
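The privilege-separated layout this comment argues for, as an added example that is not xsecurelock's own code: the UI parent stays unprivileged and hands the credentials over a pipe to a helper, which alone would be setuid and run the PAM conversation. For brevity the helper is forked rather than exec'd as a separate binary, and verify() with its constructed credential is an assumed stand-in for pam_authenticate().

```c
/* Added example (not xsecurelock's code): the privilege-separated design
 * from this thread. The UI process stays unprivileged; only the forked
 * helper (in the real design a separate setuid authproto binary calling
 * pam_authenticate()) ever sees the password. verify() is an assumed
 * stand-in against a constructed credential so the example runs offline. */
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

static const char *kDemoUser = "alice", *kDemoPass = "correct horse"; /* constructed */

/* Stand-in for the PAM conversation; in reality PAM does the comparison. */
static int verify(const char *user, const char *pass) {
    return strcmp(user, kDemoUser) == 0 && strcmp(pass, kDemoPass) == 0;
}

/* Helper side: read "user\0pass\0" from in_fd, write one verdict byte. */
static int helper_main(int in_fd, int out_fd) {
    char buf[513], verdict = 0;
    ssize_t n = read(in_fd, buf, sizeof buf - 1);
    if (n <= 0) return 1;
    buf[n] = '\0';
    const char *pass = memchr(buf, '\0', (size_t)n);
    if (pass && pass + 1 < buf + n) verdict = (char)verify(buf, pass + 1);
    memset(buf, 0, sizeof buf);                      /* scrub the secret */
    return write(out_fd, &verdict, 1) == 1 ? 0 : 1;
}
/* UI side: fork the helper, hand over the credentials, collect the verdict.
 * Nothing here needs privilege, so a bug in the UI cannot become root. */
int authenticate_via_helper(const char *user, const char *pass) {
    int in[2], out[2];
    char msg[512], verdict = 0;
    size_t lu = strlen(user) + 1, lp = strlen(pass) + 1;
    if (lu + lp > sizeof msg || pipe(in) || pipe(out)) return 0;
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {                                  /* helper process */
        close(in[1]); close(out[0]);
        _exit(helper_main(in[0], out[1]));
    }
    close(in[0]); close(out[1]);
    memcpy(msg, user, lu); memcpy(msg + lu, pass, lp);
    if (write(in[1], msg, lu + lp) != (ssize_t)(lu + lp) || read(out[0], &verdict, 1) != 1)
        verdict = 0;
    memset(msg, 0, sizeof msg);
    close(in[1]); close(out[0]);
    waitpid(pid, NULL, 0);
    return verdict == 1;
}
```

The parent never needs to read the password database, which is the whole point: only the small helper has to carry the setuid bit on FreeBSD.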

@divVerent
Contributor Author

Looks like on OpenBSD, setgid auth would be a somewhat better option; unfortunately /etc/spwd.db is root:wheel 600 on FreeBSD, so that's not an option here.

divVerent added a commit that referenced this issue Sep 24, 2018
This is now used by auth_pam_x11 as sole backend. It can be made
setuid/setgid where necessary to authenticate local users (e.g. on
FreeBSD).

Also renames auth_pam_x11 to auth_x11, and moves auth_htpasswd and
auth_pamtester to authprotos that can be used with auth_x11.

Will fix #43.
@divVerent
Contributor Author

Confirmed that the upcoming commit will fix the issue on FreeBSD (one will still have to manually chmod +s authproto_pam).

divVerent added a commit that referenced this issue Sep 25, 2018
This is now used by auth_pam_x11 as sole backend. It can be made
setuid/setgid where necessary to authenticate local users (e.g. on
FreeBSD).

Also renames auth_pam_x11 to auth_x11, and moves auth_htpasswd and
auth_pamtester to authprotos that can be used with auth_x11.

Will fix #43.
@divVerent
Contributor Author

divVerent commented Sep 27, 2018

Current version of the authproto branch now works also on OpenBSD, provided one installs the openpam port.

Installation notes have been updated in 2789d16 to cover FreeBSD and OpenBSD specifics.

divVerent added a commit that referenced this issue Sep 28, 2018
Add an authproto_pam helper that communicates with PAM.

This is now used by auth_pam_x11 as sole backend. It can be made
setuid/setgid where necessary to authenticate local users (e.g. on
FreeBSD).

Also renames auth_pam_x11 to auth_x11, and moves auth_htpasswd and
auth_pamtester to authprotos that can be used with auth_x11.

Will fix #43.