5559N/AFrom 53a079ae5ba815381fd94cace1a56cd2841e09ed Mon Sep 17 00:00:00 2001
5559N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
5559N/ADate: Sat, 2 Jan 2016 20:56:50 -0800
5559N/ASubject: [PATCH] allow root
5559N/A
5398N/AFix for: Bug 15155994 - SUNBT4849641 xscreensaver won't run as root
5398N/A
5398N/ALet root lock the screen, but don't launch the hacks for root.
5398N/A
5398N/ARejected by upstream because upstream author argues instead that users should
5398N/Anot login as root, which is correct, but not something we can force all of
5398N/Aour customers to stop doing.
5398N/A
5398N/ASee http://www.jwz.org/xscreensaver/faq.html#root-lock for his side.
5398N/A---
5559N/A driver/demo-Gtk.c | 18 ++++++++++++++++++
5559N/A driver/exec.c | 2 ++
5559N/A driver/setuid.c | 12 ++++++++++++
5559N/A driver/subprocs.c | 3 +++
5559N/A driver/timers.c | 2 +-
5559N/A driver/xscreensaver.c | 7 ++++---
5559N/A 6 files changed, 40 insertions(+), 4 deletions(-)
5398N/A
5398N/Adiff --git a/driver/demo-Gtk.c b/driver/demo-Gtk.c
5559N/Aindex ece3c44..d4cc4a5 100644
5398N/A--- a/driver/demo-Gtk.c
5398N/A+++ b/driver/demo-Gtk.c
5559N/A@@ -713,6 +713,14 @@ run_hack (state *s, int list_elt, Bool report_errors_p)
5398N/A char *err = 0;
5398N/A int status;
5398N/A
5398N/A+ if (getuid () == 0)
5398N/A+ {
5398N/A+ char buf [255];
5398N/A+ strlcpy (buf, _("Can not run hacks if logged in as root!"), sizeof(buf));
5398N/A+ warning_dialog (s->toplevel_widget, buf, False, 100);
5398N/A+ return;
5398N/A+ }
5398N/A+
5398N/A if (list_elt < 0) return;
5398N/A hack_number = s->list_elt_to_hack_number[list_elt];
5398N/A
5559N/A@@ -5173,6 +5181,15 @@ main (int argc, char **argv)
5398N/A GtkMenu *menu = GTK_MENU (gtk_option_menu_get_menu (opt));
5398N/A GList *kids = gtk_container_children (GTK_CONTAINER (menu));
5398N/A int i;
5398N/A+
5398N/A+ if (getuid () == 0)
5398N/A+ {
5398N/A+ /* If logged in as root disable menu so user can't activate a hack. */
5398N/A+ gtk_widget_set_sensitive (GTK_WIDGET (opt), False);
5398N/A+ gtk_widget_set_sensitive (GTK_WIDGET (menu), False);
5398N/A+ }
5398N/A+ else
5398N/A+ {
5398N/A for (i = 0; kids; kids = kids->next, i++)
5398N/A {
5398N/A gtk_signal_connect (GTK_OBJECT (kids->data), "activate",
5559N/A@@ -5186,6 +5203,7 @@ main (int argc, char **argv)
5398N/A mode_menu_order[i] == RANDOM_HACKS_SAME)
5398N/A gtk_widget_hide (GTK_WIDGET (kids->data));
5398N/A }
5398N/A+ }
5398N/A
5398N/A if (s->nscreens <= 1) /* recompute option-menu size */
5398N/A {
5398N/Adiff --git a/driver/exec.c b/driver/exec.c
5559N/Aindex 38ca88a..b68089e 100644
5398N/A--- a/driver/exec.c
5398N/A+++ b/driver/exec.c
5398N/A@@ -186,6 +186,7 @@ exec_command (const char *shell, const char *command, int nice_level)
5398N/A hairy_p = !!strpbrk (command, "*?$&!<>[];`'\\\"=");
5398N/A /* note: = is in the above because of the sh syntax "FOO=bar cmd". */
5398N/A
5398N/A+#ifdef DONT_ALLOW_ROOT_LOGIN
5398N/A if (getuid() == (uid_t) 0 || geteuid() == (uid_t) 0)
5398N/A {
5398N/A /* If you're thinking of commenting this out, think again.
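Review bot: Wrapping this guard in `#ifdef DONT_ALLOW_ROOT_LOGIN` (opened here, closed in the next hunk) compiles out the only check in exec_command that tests the effective uid as well as the real uid. The checks this patch adds in run_hack and spawn_screenhack test `getuid () == 0` only, so a process with euid 0 and a non-zero real uid would no longer be refused before the exec. The stated intent is still that hacks never run as root, so consider leaving this guard unconditional, or at least keeping `if (geteuid() == (uid_t) 0)` outside the #ifdef. Other callers of exec_command are not visible here, so confirm that none of them needs to run as root.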
5398N/A@@ -196,6 +197,7 @@ exec_command (const char *shell, const char *command, int nice_level)
5398N/A blurb());
5398N/A exit (-1);
5398N/A }
5398N/A+#endif /*DONT_ALLOW_ROOT_LOGIN*/
5398N/A
5398N/A if (hairy_p)
5398N/A /* If it contains any shell metacharacters, do it the hard way,
5398N/Adiff --git a/driver/setuid.c b/driver/setuid.c
5559N/Aindex a17194a..e3aa78d 100644
5398N/A--- a/driver/setuid.c
5398N/A+++ b/driver/setuid.c
5398N/A@@ -121,6 +121,10 @@ set_ids_by_number (uid_t uid, gid_t gid, char **message_ret)
5398N/A struct passwd *p = getpwuid (uid);
5398N/A struct group *g = getgrgid (gid);
5398N/A
5398N/A+ /* if we are logged in as root i.e. uid==0 then dont do anything*/
5398N/A+ if (getuid () == (uid_t) 0)
5398N/A+ return 0;
5398N/A+
5398N/A if (message_ret)
5398N/A *message_ret = 0;
5398N/A
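Review bot: The early `return 0` sits above `if (message_ret) *message_ret = 0;`, so on the root path the caller's message pointer is never cleared; hack_uid passes `&si->uid_message` (visible in a later hunk), which may be read afterwards. The function also reports success for a uid/gid switch that did not happen, and it returns only after the getpwuid/getgrgid lookups whose results it then discards. Move the check below the `*message_ret = 0` assignment and make the comment say that the ids are deliberately left unchanged, e.g. `/* Real uid is root: leave ids unchanged so root can lock the screen. */`. The body of set_ids_by_number continues outside the hunk.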
5398N/A@@ -278,11 +282,13 @@ hack_uid (saver_info *si)
5398N/A of the xscreensaver manual titled "LOCKING AND ROOT LOGINS",
5398N/A and "USING XDM".
5398N/A */
5398N/A+#ifdef DONT_ALLOW_ROOT_LOGIN
5398N/A if (getuid() == (uid_t) 0)
5398N/A {
5398N/A si->locking_disabled_p = True;
5398N/A si->nolock_reason = "running as root";
5398N/A }
5398N/A+#endif /*DONT_ALLOW_ROOT_LOGIN*/
5398N/A
5398N/A
5398N/A /* If we're running as root, switch to a safer user. This is above and
5398N/A@@ -297,6 +303,8 @@ hack_uid (saver_info *si)
5398N/A of the xscreensaver manual titled "LOCKING AND ROOT LOGINS",
5398N/A and "USING XDM".
5398N/A */
5398N/A+/* We are letting root login to fix a P1 bug, i.e. root should lock screen*/
5398N/A+#ifdef DONT_ALLOW_ROOT_LOGIN
5398N/A if (getuid() == (uid_t) 0)
5398N/A {
5398N/A struct passwd *p;
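Review bot: The added comment gives the bug priority but not the consequence: with this block compiled out, the daemon no longer switches to a less privileged user and keeps uid 0 for its whole lifetime. The upstream comment just above ("If we're running as root, switch to a safer user") now describes code that is not built by default, and nothing in the patch defines or documents DONT_ALLOW_ROOT_LOGIN. I would replace the new comment with one that states both facts, e.g. `/* Solaris: root may lock the screen, so the privilege drop below is built only with -DDONT_ALLOW_ROOT_LOGIN; the daemon then stays uid 0. */`. The guarded block runs past the end of this hunk and is closed in the next one.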
5398N/A@@ -315,6 +323,7 @@ hack_uid (saver_info *si)
5398N/A if (set_ids_by_number (p->pw_uid, p->pw_gid, &si->uid_message) != 0)
5398N/A saver_exit (si, -1, 0);
5398N/A }
5398N/A+#endif /*DONT_ALLOW_ROOT_LOGIN*/
5398N/A
5398N/A
5398N/A /* If there's anything even remotely funny looking about the passwd struct,
5398N/A@@ -357,7 +366,10 @@ hack_uid (saver_info *si)
5398N/A (p && p->pw_name && *p->pw_name
5398N/A ? p->pw_name : "<unknown>"));
5398N/A si->nolock_reason = buf;
5398N/A+
5398N/A+#ifdef DONT_ALLOW_ROOT_LOGIN
5398N/A si->locking_disabled_p = True;
5398N/A+#endif
5398N/A si->dangerous_uid_p = True;
5398N/A }
5398N/A }
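Review bot: Guarding `si->locking_disabled_p = True;` with the #ifdef re-enables locking for every account that reaches this branch, not just root. The branch condition is outside the hunk, but the upstream comment before it ("anything even remotely funny looking about the passwd struct") and the `"<unknown>"` fallback suggest it also covers missing or suspicious passwd entries. If only root is meant to be exempt, keep the assignment and make it conditional at run time, e.g. `if (getuid () != (uid_t) 0) si->locking_disabled_p = True;`. Note also that `si->nolock_reason = buf` is still set while locking stays enabled, which leaves the two fields inconsistent.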
5398N/Adiff --git a/driver/subprocs.c b/driver/subprocs.c
5559N/Aindex a244f36..c975813 100644
5398N/A--- a/driver/subprocs.c
5398N/A+++ b/driver/subprocs.c
5559N/A@@ -947,6 +947,9 @@ spawn_screenhack (saver_screen_info *ssi)
5398N/A saver_preferences *p = &si->prefs;
5398N/A char* complete_hack_command;
5398N/A
5398N/A+ if (getuid () == 0)
5398N/A+ return; /* Dont let hacks run if logged in as root*/
5398N/A+
5398N/A if (si->prefs.verbose_p)
5398N/A fprintf(stderr, "--> spawn_screenhack()\n");
5398N/A
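Review bot: The root check returns before the `verbose_p` trace, so a root session gets a blank screen with no log line explaining why no hack was started. Put the check after the trace, or log in it, e.g. `if (si->prefs.verbose_p) fprintf (stderr, "%s: not launching hack (running as root.)\n", blurb());` before the `return`. The same `getuid () == 0` test is repeated in cycle_timer and main_loop. A single static helper would keep the policy in one place and make it easy to include the effective uid too. spawn_screenhack continues outside the hunk.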
5398N/Adiff --git a/driver/timers.c b/driver/timers.c
5559N/Aindex 9afc752..32728a0 100644
5398N/A--- a/driver/timers.c
5398N/A+++ b/driver/timers.c
5559N/A@@ -284,7 +284,7 @@ cycle_timer (XtPointer closure, XtIntervalId *id)
5398N/A
5398N/A raise_window (si, True, True, False);
5398N/A
5398N/A- if (!si->throttled_p)
5398N/A+ if (!si->throttled_p && getuid () != 0)
5398N/A for (i = 0; i < si->nscreens; i++)
5398N/A spawn_screenhack (&si->screens[i]);
5398N/A else
5398N/Adiff --git a/driver/xscreensaver.c b/driver/xscreensaver.c
5559N/Aindex 33d357a..f357281 100644
5398N/A--- a/driver/xscreensaver.c
5398N/A+++ b/driver/xscreensaver.c
5559N/A@@ -487,6 +487,7 @@ startup_ehandler (String name, String type, String class,
5398N/A
5398N/A describe_uids (si, stderr);
5398N/A
5398N/A+#ifdef DONT_ALLOW_ROOT_LOGIN
5398N/A if (si->orig_uid && !strncmp (si->orig_uid, "root/", 5))
5398N/A {
5398N/A fprintf (stderr, "\n"
5559N/A@@ -500,11 +501,11 @@ startup_ehandler (String name, String type, String class,
5398N/A blurb());
5398N/A }
5398N/A else
5398N/A+#endif /*DONT_ALLOW_ROOT_LOGIN*/
5398N/A {
5398N/A fprintf (stderr, "\n"
5398N/A "%s: Errors at startup are usually authorization problems.\n"
5398N/A-" But you're not logging in as root (good!) so something\n"
5398N/A-" else must be wrong. Did you read the manual and the FAQ?\n",
5398N/A+" Did you read the manual and the FAQ?\n",
5398N/A blurb());
5398N/A }
5398N/A
5559N/A@@ -1338,7 +1339,7 @@ main_loop (saver_info *si)
5398N/A kill_screenhack (&si->screens[i]);
5398N/A
5398N/A raise_window (si, True, True, False);
5398N/A- if (si->throttled_p)
5398N/A+ if (si->throttled_p || getuid () == 0)
5398N/A fprintf (stderr, "%s: not launching hack (throttled.)\n", blurb());
5398N/A else
5398N/A for (i = 0; i < si->nscreens; i++)
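Review bot: When the new `getuid () == 0` term is what makes the condition true, the log still says "not launching hack (throttled.)", which will mislead anyone reading the log of a root session. Report the actual reason, e.g. `fprintf (stderr, "%s: not launching hack (%s.)\n", blurb(), si->throttled_p ? "throttled" : "running as root");`. spawn_screenhack already returns early for root in this patch, so the extra term here changes only which message is printed.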
5559N/A--
5559N/A2.6.1
5559N/A