On Tue, Jul 11, 2023 at 03:59:41PM +0000, Mateusz Kocielski wrote:
> > That's peculiar -- what screen locker needs suid bit for? Why wheel
> > group?
> 
> Wheel group is taken from my BSD heritage I guess, fixed it. :) It requires
> PAM for an authentication.
> 
> > > %{_mandir}/man1/i3lock.1*

Hi,

Those suid privileges were bothering me and I did my homework. It seems that
on Linux i3lock can work without them because of the unix_chkpwd(8) utility.
On FreeBSD (which uses OpenPAM), however, SUID is necessary [1]. The reason
why I couldn't get it to work without root privileges was the /etc/pam.d/login
file, which is installed with u-r permission by default. I guess there's no
need to keep it that way since PAM configuration is unlikely to contain any
secrets. I attached a fixed version of the spec file and a patch against
util-linux to set u+r permissions. Thanks for your suggestions!

[1] - https://cgit.freebsd.org/ports/tree/deskutils/i3lock/Makefile?id=924204922ac441410520f46695dd91a87c001ee9#n27

 Regards,
 Mateusz
From 1e9086102e3c09827475a221ecba2745b519b2e6 Mon Sep 17 00:00:00 2001
From: Mateusz Kocielski <s...@digitalsun.pl>
Date: Tue, 11 Jul 2023 22:11:18 +0200
Subject: [PATCH] Add u+r for /etc/pam.d/ configuration files

---
 util-linux.spec | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/util-linux.spec b/util-linux.spec
index aeb33fa..e84b4f0 100644
--- a/util-linux.spec
+++ b/util-linux.spec
@@ -1344,10 +1344,10 @@ fi
 %attr(755,root,root) /bin/runuser
 %attr(755,root,root) /sbin/runuser
 %attr(4755,root,root) /bin/su
-%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/runuser
-%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/runuser-l
-%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/su
-%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/su-l
+%attr(644,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/runuser
+%attr(644,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/runuser-l
+%attr(644,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/su
+%attr(644,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/su-l
 %{_mandir}/man1/runuser.1*
 %{_mandir}/man1/su.1*
 %lang(cs) %{_mandir}/cs/man1/su.1*
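Review bot: it is not clear that the four /etc/pam.d entries in this hunk (runuser, runuser-l, su, su-l) need to become 644. The context line `%attr(4755,root,root) /bin/su` shows su is setuid root, so it already reads its own PAM configuration with mode 640, and runuser is meant to be run by root. If the reason is consistency with /etc/pam.d/login, or that another service's stack includes these files, please say so in the commit message body, which is currently empty. The Subject also says "u+r", but 640 to 644 adds read for others (o+r); the owner read bit was already set.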
@@ -2240,7 +2240,7 @@ fi
 
 %files -n login
 %defattr(644,root,root,755)
-%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/login
+%attr(644,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/login
 %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/security/blacklist.login
 %attr(755,root,root) /bin/login
 %{_mandir}/man1/login.1*
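Review bot: the new `%attr(644,root,root)` on /etc/pam.d/login repeats what `%defattr(644,root,root,755)` two lines above already sets for this %files section, so the explicit %attr can simply be dropped from that line. Separately, /etc/security/blacklist.login on the next line stays at 640; if the login PAM stack reads that file, an unprivileged process that includes the stack will still fail on it, so it is worth checking whether it is referenced and stating in the commit message that it is deliberately left restricted.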
-- 
2.41.0

Summary:        improved screen locker
Name:           i3lock
Version:        2.14.1
Release:        1
License:        BSD
Group:          Applications
Source0:        https://i3wm.org/i3lock/%{name}-%{version}.tar.xz
# Source0-md5:  33d4bc8256a1566fbac911e405e53fdd
URL:            https://i3wm.org/i3lock/
BuildRequires:  cairo-devel >= 1.14.4
BuildRequires:  libev-devel
BuildRequires:  libxcb-devel
BuildRequires:  meson >= 0.45.0
BuildRequires:  ninja
BuildRequires:  pam-devel
BuildRequires:  pkgconfig
BuildRequires:  rpmbuild(macros) >= 1.726
BuildRequires:  xcb-util-devel
BuildRequires:  xcb-util-image-devel
BuildRequires:  xcb-util-xrm-devel
BuildRequires:  xorg-lib-libxkbcommon-x11-devel
Requires:       cairo >= 1.14.4
BuildRoot:      %{tmpdir}/%{name}-%{version}-root-%(id -u -n)

%description
Minimalist screen locker based on slock.

%prep
%setup -q

%build
%meson build
%ninja_build -C build

%install
rm -rf $RPM_BUILD_ROOT
%ninja_install -C build

%clean
rm -rf $RPM_BUILD_ROOT

%files
%defattr(644,root,root,755)
%doc LICENSE CHANGELOG
%config(noreplace) %verify(not md5 mtime size) /etc/pam.d/i3lock
%attr(755,root,root) %{_bindir}/i3lock
%{_mandir}/man1/i3lock.1*
_______________________________________________
pld-devel-en mailing list
pld-devel-en@lists.pld-linux.org
http://lists.pld-linux.org/mailman/listinfo/pld-devel-en
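
A check that follows from the message above, as an added example (not code from the thread or from PLD): it walks a PAM service's include/substack chain and lists the files an unprivileged process could not read. The pam.d contents are constructed, and that the i3lock service includes login is an assumption.

```python
import os
import stat
import tempfile

def pam_stack_files(service, pam_dir):
    """Service file plus every file reached through include/substack lines."""
    seen, todo = [], [service]
    while todo:
        name = todo.pop()
        if name in seen:
            continue
        seen.append(name)
        try:
            with open(os.path.join(pam_dir, name)) as fh:
                lines = fh.read().splitlines()
        except OSError:
            continue  # missing or unreadable; the mode check below reports it
        for line in lines:
            fields = line.split("#", 1)[0].split()
            if len(fields) >= 3 and fields[1] in ("include", "substack"):
                todo.append(fields[2])
    return seen

def unreadable_by_others(service, pam_dir):
    """Files in the stack that are missing or lack the world-read bit."""
    bad = []
    for name in pam_stack_files(service, pam_dir):
        path = os.path.join(pam_dir, name)
        if not os.path.exists(path) or not os.stat(path).st_mode & stat.S_IROTH:
            bad.append(name)
    return sorted(bad)

def demo():
    """Constructed pam.d tree (assumption: the i3lock service includes login)."""
    d = tempfile.mkdtemp()
    files = [("i3lock", "auth include login\n", 0o644),
             ("login", "auth include system-auth\n", 0o640),  # mode before the patch
             ("system-auth", "auth required pam_unix.so\n", 0o644)]
    for name, body, mode in files:
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    before = unreadable_by_others("i3lock", d)
    os.chmod(os.path.join(d, "login"), 0o644)  # mode after the patch
    return before, unreadable_by_others("i3lock", d)

if __name__ == "__main__":
    print(demo())
```

On a real system, call unreadable_by_others("i3lock", "/etc/pam.d") as the unprivileged user; files behind an unreadable include cannot be followed and are not listed until the first one is fixed.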
