Fix for: Bug 15155994 - SUNBT4849641 xscreensaver won't run as root
Let root lock the screen, but don't launch the hacks for root.
Rejected by upstream because upstream author argues instead that users should
not login as root, which is correct, but not something we can force all of
our customers to stop doing.
See http://www.jwz.org/xscreensaver/faq.html#root-lock for his side.
---
driver/demo-Gtk.c | 26 ++++++++++++++++++++++++++
driver/exec.c | 2 ++
driver/setuid.c | 12 ++++++++++++
driver/subprocs.c | 3 +++
driver/timers.c | 2 +-
driver/xscreensaver.c | 7 ++++---
6 files changed, 48 insertions(+), 4 deletions(-)
diff --git a/driver/demo-Gtk.c b/driver/demo-Gtk.c
--- a/driver/demo-Gtk.c
+++ b/driver/demo-Gtk.c
@@ -687,6 +687,14 @@ run_cmd (state *s, Atom command, int arg)
char *err = 0;
int status;
+ if (getuid () == 0)
+ {
+ char buf [255];
+ strlcpy (buf, _("Can not run hacks if logged in as root!"), sizeof(buf));
+ warning_dialog (s->toplevel_widget, buf, False, 100);
+ return;
+ }
+
flush_dialog_changes_and_save (s);
status = xscreensaver_command (GDK_DISPLAY(), command, arg, False, &err);
@@ -717,6 +725,14 @@ run_hack (state *s, int list_elt, Bool report_errors_p)
char *err = 0;
int status;
+ if (getuid () == 0)
+ {
+ char buf [255];
+ strlcpy (buf, _("Can not run hacks if logged in as root!"), sizeof(buf));
+ warning_dialog (s->toplevel_widget, buf, False, 100);
+ return;
+ }
+
if (list_elt < 0) return;
hack_number = s->list_elt_to_hack_number[list_elt];
@@ -5155,6 +5171,15 @@ main (int argc, char **argv)
GtkMenu *menu = GTK_MENU (gtk_option_menu_get_menu (opt));
GList *kids = gtk_container_children (GTK_CONTAINER (menu));
int i;
+
+ if (getuid () == 0)
+ {
+ /* If logged in as root disable menu so user can't activate a hack. */
+ gtk_widget_set_sensitive (GTK_WIDGET (opt), False);
+ gtk_widget_set_sensitive (GTK_WIDGET (menu), False);
+ }
+ else
+ {
for (i = 0; kids; kids = kids->next, i++)
{
gtk_signal_connect (GTK_OBJECT (kids->data), "activate",
@@ -5168,6 +5193,7 @@ main (int argc, char **argv)
mode_menu_order[i] == RANDOM_HACKS_SAME)
gtk_widget_hide (GTK_WIDGET (kids->data));
}
+ }
if (s->nscreens <= 1) /* recompute option-menu size */
{
diff --git a/driver/exec.c b/driver/exec.c
--- a/driver/exec.c
+++ b/driver/exec.c
@@ -186,6 +186,7 @@ exec_command (const char *shell, const char *command, int nice_level)
hairy_p = !!strpbrk (command, "*?$&!<>[];`'\\\"=");
/* note: = is in the above because of the sh syntax "FOO=bar cmd". */
+#ifdef DONT_ALLOW_ROOT_LOGIN
if (getuid() == (uid_t) 0 || geteuid() == (uid_t) 0)
{
/* If you're thinking of commenting this out, think again.
@@ -196,6 +197,7 @@ exec_command (const char *shell, const char *command, int nice_level)
blurb());
exit (-1);
}
+#endif /*DONT_ALLOW_ROOT_LOGIN*/
if (hairy_p)
/* If it contains any shell metacharacters, do it the hard way,
diff --git a/driver/setuid.c b/driver/setuid.c
--- a/driver/setuid.c
+++ b/driver/setuid.c
@@ -121,6 +121,10 @@ set_ids_by_number (uid_t uid, gid_t gid, char **message_ret)
struct passwd *p = getpwuid (uid);
struct group *g = getgrgid (gid);
+ /* if we are logged in as root i.e. uid==0 then dont do anything*/
+ if (getuid () == (uid_t) 0)
+ return 0;
+
if (message_ret)
*message_ret = 0;
@@ -278,11 +282,13 @@ hack_uid (saver_info *si)
of the xscreensaver manual titled "LOCKING AND ROOT LOGINS",
and "USING XDM".
*/
+#ifdef DONT_ALLOW_ROOT_LOGIN
if (getuid() == (uid_t) 0)
{
si->locking_disabled_p = True;
si->nolock_reason = "running as root";
}
+#endif /*DONT_ALLOW_ROOT_LOGIN*/
/* If we're running as root, switch to a safer user. This is above and
@@ -297,6 +303,8 @@ hack_uid (saver_info *si)
of the xscreensaver manual titled "LOCKING AND ROOT LOGINS",
and "USING XDM".
*/
+/* We are letting root login to fix a P1 bug, i.e. root should lock screen*/
+#ifdef DONT_ALLOW_ROOT_LOGIN
if (getuid() == (uid_t) 0)
{
struct passwd *p;
@@ -315,6 +323,7 @@ hack_uid (saver_info *si)
if (set_ids_by_number (p->pw_uid, p->pw_gid, &si->uid_message) != 0)
saver_exit (si, -1, 0);
}
+#endif /*DONT_ALLOW_ROOT_LOGIN*/
/* If there's anything even remotely funny looking about the passwd struct,
@@ -357,7 +366,10 @@ hack_uid (saver_info *si)
(p && p->pw_name && *p->pw_name
? p->pw_name : "<unknown>"));
si->nolock_reason = buf;
+
+#ifdef DONT_ALLOW_ROOT_LOGIN
si->locking_disabled_p = True;
+#endif
si->dangerous_uid_p = True;
}
}
diff --git a/driver/subprocs.c b/driver/subprocs.c
--- a/driver/subprocs.c
+++ b/driver/subprocs.c
@@ -939,6 +939,9 @@ spawn_screenhack (saver_screen_info *ssi)
saver_preferences *p = &si->prefs;
char* complete_hack_command;
+ if (getuid () == 0)
+ return; /* Dont let hacks run if logged in as root*/
+
if (si->prefs.verbose_p)
fprintf(stderr, "--> spawn_screenhack()\n");
diff --git a/driver/timers.c b/driver/timers.c
--- a/driver/timers.c
+++ b/driver/timers.c
@@ -282,7 +282,7 @@ cycle_timer (XtPointer closure, XtIntervalId *id)
raise_window (si, True, True, False);
- if (!si->throttled_p)
+ if (!si->throttled_p && getuid () != 0)
for (i = 0; i < si->nscreens; i++)
spawn_screenhack (&si->screens[i]);
else
diff --git a/driver/xscreensaver.c b/driver/xscreensaver.c
--- a/driver/xscreensaver.c
+++ b/driver/xscreensaver.c
@@ -458,6 +458,7 @@ startup_ehandler (String name, String type, String class,
describe_uids (si, stderr);
+#ifdef DONT_ALLOW_ROOT_LOGIN
if (si->orig_uid && !strncmp (si->orig_uid, "root/", 5))
{
fprintf (stderr, "\n"
@@ -471,11 +472,11 @@ startup_ehandler (String name, String type, String class,
blurb());
}
else
+#endif /*DONT_ALLOW_ROOT_LOGIN*/
{
fprintf (stderr, "\n"
"%s: Errors at startup are usually authorization problems.\n"
-" But you're not logging in as root (good!) so something\n"
-" else must be wrong. Did you read the manual and the FAQ?\n",
+" Did you read the manual and the FAQ?\n",
blurb());
}
@@ -1269,7 +1270,7 @@ main_loop (saver_info *si)
kill_screenhack (&si->screens[i]);
raise_window (si, True, True, False);
- if (si->throttled_p)
+ if (si->throttled_p || getuid () == 0)
fprintf (stderr, "%s: not launching hack (throttled.)\n", blurb());
else
for (i = 0; i < si->nscreens; i++)