From 42a34d66f5455bb0899f189a38539affbae0e212 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <[email protected]>
Date: Sat, 2 Jan 2016 20:56:50 -0800
Subject: [PATCH] allow root
Fix for: Bug 15155994 - SUNBT4849641 xscreensaver won't run as root
Let root lock the screen, but don't launch the hacks for root.
Rejected by upstream because upstream author argues instead that users should
not login as root, which is correct, but not something we can force all of
our customers to stop doing.
See http://www.jwz.org/xscreensaver/faq.html#root-lock for his side.
---
driver/demo-Gtk.c | 15 +++++++++++++++
driver/exec.c | 2 ++
driver/setuid.c | 12 ++++++++++++
driver/subprocs.c | 3 +++
driver/timers.c | 2 +-
driver/xscreensaver.c | 7 ++++---
6 files changed, 37 insertions(+), 4 deletions(-)
diff --git a/driver/demo-Gtk.c b/driver/demo-Gtk.c
index d62152c..f6f9c19 100644
--- a/driver/demo-Gtk.c
+++ b/driver/demo-Gtk.c
@@ -723,6 +723,14 @@ run_hack (state *s, int list_elt, Bool report_errors_p)
char *err = 0;
int status;
+ if (getuid () == 0)
+ {
+ char buf [255];
+ strlcpy (buf, _("Can not run hacks if logged in as root!"), sizeof(buf));
+ warning_dialog (s->toplevel_widget, buf, False, 100);
+ return;
+ }
+
if (list_elt < 0) return;
hack_number = s->list_elt_to_hack_number[list_elt];
@@ -5163,6 +5171,13 @@ main (int argc, char **argv)
(gpointer) s);
#endif /* !HAVE_GTK2 */
+ if (getuid () == 0)
+ {
+ /* If logged in as root disable menu so user can't activate a hack. */
+ gtk_widget_set_sensitive (GTK_WIDGET (name_to_widget (s, "mode_menu")),
+ False);
+ }
+ else
/* Hook up callbacks to the items on the mode menu. */
gtk_signal_connect (GTK_OBJECT (name_to_widget (s, "mode_menu")),
"changed", GTK_SIGNAL_FUNC (mode_menu_item_cb),
diff --git a/driver/exec.c b/driver/exec.c
index 38ca88a..b68089e 100644
--- a/driver/exec.c
+++ b/driver/exec.c
@@ -186,6 +186,7 @@ exec_command (const char *shell, const char *command, int nice_level)
hairy_p = !!strpbrk (command, "*?$&!<>[];`'\\\"=");
/* note: = is in the above because of the sh syntax "FOO=bar cmd". */
+#ifdef DONT_ALLOW_ROOT_LOGIN
if (getuid() == (uid_t) 0 || geteuid() == (uid_t) 0)
{
/* If you're thinking of commenting this out, think again.
@@ -196,6 +197,7 @@ exec_command (const char *shell, const char *command, int nice_level)
blurb());
exit (-1);
}
+#endif /*DONT_ALLOW_ROOT_LOGIN*/
if (hairy_p)
/* If it contains any shell metacharacters, do it the hard way,
diff --git a/driver/setuid.c b/driver/setuid.c
index a17194a..e3aa78d 100644
--- a/driver/setuid.c
+++ b/driver/setuid.c
@@ -121,6 +121,10 @@ set_ids_by_number (uid_t uid, gid_t gid, char **message_ret)
struct passwd *p = getpwuid (uid);
struct group *g = getgrgid (gid);
+ /* if we are logged in as root i.e. uid==0 then dont do anything*/
+ if (getuid () == (uid_t) 0)
+ return 0;
+
if (message_ret)
*message_ret = 0;
@@ -278,11 +282,13 @@ hack_uid (saver_info *si)
of the xscreensaver manual titled "LOCKING AND ROOT LOGINS",
and "USING XDM".
*/
+#ifdef DONT_ALLOW_ROOT_LOGIN
if (getuid() == (uid_t) 0)
{
si->locking_disabled_p = True;
si->nolock_reason = "running as root";
}
+#endif /*DONT_ALLOW_ROOT_LOGIN*/
/* If we're running as root, switch to a safer user. This is above and
@@ -297,6 +303,8 @@ hack_uid (saver_info *si)
of the xscreensaver manual titled "LOCKING AND ROOT LOGINS",
and "USING XDM".
*/
+/* We are letting root login to fix a P1 bug, i.e. root should lock screen*/
+#ifdef DONT_ALLOW_ROOT_LOGIN
if (getuid() == (uid_t) 0)
{
struct passwd *p;
@@ -315,6 +323,7 @@ hack_uid (saver_info *si)
if (set_ids_by_number (p->pw_uid, p->pw_gid, &si->uid_message) != 0)
saver_exit (si, -1, 0);
}
+#endif /*DONT_ALLOW_ROOT_LOGIN*/
/* If there's anything even remotely funny looking about the passwd struct,
@@ -357,7 +366,10 @@ hack_uid (saver_info *si)
(p && p->pw_name && *p->pw_name
? p->pw_name : "<unknown>"));
si->nolock_reason = buf;
+
+#ifdef DONT_ALLOW_ROOT_LOGIN
si->locking_disabled_p = True;
+#endif
si->dangerous_uid_p = True;
}
}
diff --git a/driver/subprocs.c b/driver/subprocs.c
index a244f36..c975813 100644
--- a/driver/subprocs.c
+++ b/driver/subprocs.c
@@ -947,6 +947,9 @@ spawn_screenhack (saver_screen_info *ssi)
saver_preferences *p = &si->prefs;
char* complete_hack_command;
+ if (getuid () == 0)
+ return; /* Dont let hacks run if logged in as root*/
+
if (si->prefs.verbose_p)
fprintf(stderr, "--> spawn_screenhack()\n");
diff --git a/driver/timers.c b/driver/timers.c
index 9afc752..32728a0 100644
--- a/driver/timers.c
+++ b/driver/timers.c
@@ -284,7 +284,7 @@ cycle_timer (XtPointer closure, XtIntervalId *id)
raise_window (si, True, True, False);
- if (!si->throttled_p)
+ if (!si->throttled_p && getuid () != 0)
for (i = 0; i < si->nscreens; i++)
spawn_screenhack (&si->screens[i]);
else
diff --git a/driver/xscreensaver.c b/driver/xscreensaver.c
index 33d357a..f357281 100644
--- a/driver/xscreensaver.c
+++ b/driver/xscreensaver.c
@@ -487,6 +487,7 @@ startup_ehandler (String name, String type, String class,
describe_uids (si, stderr);
+#ifdef DONT_ALLOW_ROOT_LOGIN
if (si->orig_uid && !strncmp (si->orig_uid, "root/", 5))
{
fprintf (stderr, "\n"
@@ -500,11 +501,11 @@ startup_ehandler (String name, String type, String class,
blurb());
}
else
+#endif /*DONT_ALLOW_ROOT_LOGIN*/
{
fprintf (stderr, "\n"
"%s: Errors at startup are usually authorization problems.\n"
-" But you're not logging in as root (good!) so something\n"
-" else must be wrong. Did you read the manual and the FAQ?\n",
+" Did you read the manual and the FAQ?\n",
blurb());
}
@@ -1338,7 +1339,7 @@ main_loop (saver_info *si)
kill_screenhack (&si->screens[i]);
raise_window (si, True, True, False);
- if (si->throttled_p)
+ if (si->throttled_p || getuid () == 0)
fprintf (stderr, "%s: not launching hack (throttled.)\n", blurb());
else
for (i = 0; i < si->nscreens; i++)
--
2.7.4