summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'kde-plasma/kwallet-pam')
-rw-r--r--kde-plasma/kwallet-pam/Manifest1
-rw-r--r--kde-plasma/kwallet-pam/files/kwallet-pam-5.10.5-check-graphical.patch87
-rw-r--r--kde-plasma/kwallet-pam/files/kwallet-pam-5.10.5-cleanups.patch173
-rw-r--r--kde-plasma/kwallet-pam/files/kwallet-pam-5.10.5-privileges.patch49
-rw-r--r--kde-plasma/kwallet-pam/kwallet-pam-5.10.5-r1.ebuild59
5 files changed, 0 insertions, 369 deletions
diff --git a/kde-plasma/kwallet-pam/Manifest b/kde-plasma/kwallet-pam/Manifest
index 3ee923606b27..d02db1dfec97 100644
--- a/kde-plasma/kwallet-pam/Manifest
+++ b/kde-plasma/kwallet-pam/Manifest
@@ -1,2 +1 @@
-DIST kwallet-pam-5.10.5.tar.xz 17908 BLAKE2B dc1a49c25b8d87dc51cc4940016f1ca84964e237126f33e18f71e58ebdce92a00e37d7e0cdcd1abdf25c70a6af423bc571d29a68ec45233b28b100ea68d86051 SHA512 7a2e1a0a85ffc7d9dfd6a1dc8a16d7117f30fc3b983756e28fc11a19bddf99a273842a1774ccf93c5c879a1d899212f6b6d0808fa14eb17260396f5c207e3dc5
DIST kwallet-pam-5.11.5.tar.xz 19060 BLAKE2B 814199f67c9026ca420c66d0dbe48ef9f1cab2d30bf3784cb3441af56ceec9ab3841dcf41021bbc5d42edffc0fc0849b714c1f279065c974bba794924fc0879c SHA512 1602ef0eeec86c653c2a99c1c514133367e7dee07d11ffbe0533066d895c71e3b7dd90187cb353446b717738600143cd09de1a5baffad5113152fd616bef90ee
diff --git a/kde-plasma/kwallet-pam/files/kwallet-pam-5.10.5-check-graphical.patch b/kde-plasma/kwallet-pam/files/kwallet-pam-5.10.5-check-graphical.patch
deleted file mode 100644
index 61ea4604586f..000000000000
--- a/kde-plasma/kwallet-pam/files/kwallet-pam-5.10.5-check-graphical.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From f3b230f7f3bf39dc46b97a216aa7c28595d20a7a Mon Sep 17 00:00:00 2001
-From: Fabian Vogt <fabian@ritter-vogt.de>
-Date: Thu, 3 Aug 2017 09:50:30 +0200
-Subject: Check for a graphical session
-
-Summary:
-Avoid running if it detects a text session. This can be overridden by adding
-"force_run" as argument.
-
-Test Plan:
-Put pam_kwallet5.so as optional in a global common-session pam file
-that is included by all other services. It is not invoked when logging in from
-a tty with getty, sudo or su and still works when using SDDM. When adding
-force_run it runs in all cases.
-
-Reviewers: #plasma
-
-Subscribers: plasma-devel
-
-Tags: #plasma
-
-Differential Revision: https://phabricator.kde.org/D7125
----
- pam_kwallet.c | 26 ++++++++++++++++++++++++++
- 1 file changed, 26 insertions(+)
-
-diff --git a/pam_kwallet.c b/pam_kwallet.c
-index cba57e7..46720a5 100644
---- a/pam_kwallet.c
-+++ b/pam_kwallet.c
-@@ -72,6 +72,7 @@ const static char *kwalletd = NULL;
- const static char *socketPath = NULL;
- const static char *kwalletPamDataKey = NULL;
- const static char *logPrefix = NULL;
-+static int force_run = 0;
-
- #ifdef KWALLET5
- const static char *envVar = "PAM_KWALLET5_LOGIN";
-@@ -98,6 +99,8 @@ static void parseArguments(int argc, const char **argv)
- kwalletd = argv[x] + 9;
- } else if (strstr(argv[x], "socketPath=") != NULL) {
- socketPath= argv[x] + 11;
-+ } else if (strcmp(argv[x], "force_run") == 0) {
-+ force_run = 1;
- }
- }
- #ifdef KWALLET5
-@@ -246,6 +249,24 @@ static void cleanup_free(pam_handle_t *pamh, void *ptr, int error_status)
- free(ptr);
- }
-
-+static int is_graphical_session(pam_handle_t *pamh)
-+{
-+ //Detect a graphical session
-+ const char *pam_tty = NULL, *pam_xdisplay = NULL,
-+ *xdg_session_type = NULL, *display = NULL;
-+
-+ pam_get_item(pamh, PAM_TTY, (const void**) &pam_tty);
-+#ifdef PAM_XDISPLAY
-+ pam_get_item(pamh, PAM_XDISPLAY, (const void**) &pam_xdisplay);
-+#endif
-+ xdg_session_type = get_env(pamh, "XDG_SESSION_TYPE");
-+
-+ return (pam_xdisplay && strlen(pam_xdisplay) != 0)
-+ || (pam_tty && pam_tty[0] == ':')
-+ || (xdg_session_type && strcmp(xdg_session_type, "x11") == 0)
-+ || (xdg_session_type && strcmp(xdg_session_type, "wayland") == 0);
-+}
-+
- PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
- {
- pam_syslog(pamh, LOG_INFO, "%s: pam_sm_authenticate\n", logPrefix);
-@@ -537,6 +558,11 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, cons
-
- parseArguments(argc, argv);
-
-+ if (!force_run && !is_graphical_session(pamh)) {
-+ pam_syslog(pamh, LOG_INFO, "%s: not a graphical session, skipping. Use force_run parameter to ignore this.", logPrefix);
-+ return PAM_IGNORE;
-+ }
-+
- int result;
- result = pam_set_data(pamh, "sm_open_session", "1", NULL);
- if (result != PAM_SUCCESS) {
---
-cgit v0.11.2
-
diff --git a/kde-plasma/kwallet-pam/files/kwallet-pam-5.10.5-cleanups.patch b/kde-plasma/kwallet-pam/files/kwallet-pam-5.10.5-cleanups.patch
deleted file mode 100644
index 38a333131e93..000000000000
--- a/kde-plasma/kwallet-pam/files/kwallet-pam-5.10.5-cleanups.patch
+++ /dev/null
@@ -1,173 +0,0 @@
-From a33ec22b96e837899528b05963eae8ea6b01171a Mon Sep 17 00:00:00 2001
-From: Fabian Vogt <fabian@ritter-vogt.de>
-Date: Thu, 3 Aug 2017 09:02:14 +0200
-Subject: Several cleanups
-
-Summary:
-- No cppcheck warnings anymore
-- Use snprintf everywhere
-- Avoid pointless multiplication with sizeof(char)
-- Avoid memory leaks
-
-Test Plan: Still builds, works the same as before.
-
-Reviewers: #plasma
-
-Subscribers: plasma-devel
-
-Tags: #plasma
-
-Differential Revision: https://phabricator.kde.org/D7123
----
- pam_kwallet.c | 44 ++++++++++++++++++++++++++++++++------------
- 1 file changed, 32 insertions(+), 12 deletions(-)
-
-diff --git a/pam_kwallet.c b/pam_kwallet.c
-index d88c5e0..cba57e7 100644
---- a/pam_kwallet.c
-+++ b/pam_kwallet.c
-@@ -151,13 +151,14 @@ static int set_env(pam_handle_t *pamh, const char *name, const char *value)
- //We do not return because pam_putenv might work
- }
-
-- char *pamEnv = malloc(strlen(name) + strlen(value) + 2); //2 is for = and \0
-+ size_t pamEnvSize = strlen(name) + strlen(value) + 2; //2 is for = and \0
-+ char *pamEnv = malloc(pamEnvSize);
- if (!pamEnv) {
- pam_syslog(pamh, LOG_WARNING, "%s: Impossible to allocate memory for pamEnv", logPrefix);
- return -1;
- }
-
-- sprintf (pamEnv, "%s=%s", name, value);
-+ snprintf (pamEnv, pamEnvSize, "%s=%s", name, value);
- int ret = pam_putenv(pamh, pamEnv);
- free(pamEnv);
-
-@@ -240,6 +241,11 @@ cleanup:
- return result;
- }
-
-+static void cleanup_free(pam_handle_t *pamh, void *ptr, int error_status)
-+{
-+ free(ptr);
-+}
-+
- PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
- {
- pam_syslog(pamh, LOG_INFO, "%s: pam_sm_authenticate\n", logPrefix);
-@@ -297,14 +303,17 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
- return PAM_IGNORE;
- }
-
-- char *key = malloc(sizeof(char) * KWALLET_PAM_KEYSIZE);
-- if (kwallet_hash(password, userInfo, key) != 0) {
-+ char *key = malloc(KWALLET_PAM_KEYSIZE);
-+ if (!key || kwallet_hash(password, userInfo, key) != 0) {
-+ free(key);
- pam_syslog(pamh, LOG_ERR, "%s: Fail into creating the hash", logPrefix);
- return PAM_IGNORE;
- }
-
-- result = pam_set_data(pamh, kwalletPamDataKey, key, NULL);
-+ result = pam_set_data(pamh, kwalletPamDataKey, key, cleanup_free);
-+
- if (result != PAM_SUCCESS) {
-+ free(key);
- pam_syslog(pamh, LOG_ERR, "%s: Impossible to store the hashed password: %s", logPrefix
- , pam_strerror(pamh, result));
- return PAM_IGNORE;
-@@ -385,9 +394,8 @@ cleanup:
- static int better_write(int fd, const char *buffer, int len)
- {
- size_t writtenBytes = 0;
-- int result;
- while(writtenBytes < len) {
-- result = write(fd, buffer + writtenBytes, len - writtenBytes);
-+ int result = write(fd, buffer + writtenBytes, len - writtenBytes);
- if (result < 0) {
- if (errno != EAGAIN && errno != EINTR) {
- return -1;
-@@ -450,6 +458,7 @@ static void start_kwallet(pam_handle_t *pamh, struct passwd *userInfo, const cha
- if (result != PAM_SUCCESS) {
- pam_syslog(pamh, LOG_ERR, "%s: Impossible to set %s env, %s",
- logPrefix, envVar, pam_strerror(pamh, result));
-+ free(fullSocket);
- return;
- }
-
-@@ -459,12 +468,15 @@ static void start_kwallet(pam_handle_t *pamh, struct passwd *userInfo, const cha
- if (strlen(fullSocket) > sizeof(local.sun_path)) {
- pam_syslog(pamh, LOG_ERR, "%s: socket path %s too long to open",
- logPrefix, fullSocket);
-+ free(fullSocket);
- return;
- }
- strcpy(local.sun_path, fullSocket);
-+ free(fullSocket);
-+ fullSocket = NULL;
- unlink(local.sun_path);//Just in case it exists from a previous login
-
-- pam_syslog(pamh, LOG_INFO, "%s: final socket path: %s", logPrefix, fullSocket);
-+ pam_syslog(pamh, LOG_INFO, "%s: final socket path: %s", logPrefix, local.sun_path);
-
- size_t len = strlen(local.sun_path) + sizeof(local.sun_family);
- if (bind(envSocket, (struct sockaddr *)&local, len) == -1) {
-@@ -477,7 +489,7 @@ static void start_kwallet(pam_handle_t *pamh, struct passwd *userInfo, const cha
- return;
- }
-
-- if (chown(fullSocket, userInfo->pw_uid, userInfo->pw_gid) == -1) {
-+ if (chown(local.sun_path, userInfo->pw_uid, userInfo->pw_gid) == -1) {
- pam_syslog(pamh, LOG_INFO, "%s: Couldn't change ownership of the socket", logPrefix);
- return;
- }
-@@ -655,7 +667,8 @@ int kwallet_hash(const char *passphrase, struct passwd *userInfo, char *key)
- #else
- char *fixpath = "share/apps/kwallet/kdewallet.salt";
- #endif
-- char *path = (char*) malloc(strlen(userInfo->pw_dir) + strlen(kdehome) + strlen(fixpath) + 3);//3 == / and \0
-+ size_t pathSize = strlen(userInfo->pw_dir) + strlen(kdehome) + strlen(fixpath) + 3;//3 == /, / and \0
-+ char *path = (char*) malloc(pathSize);
- sprintf(path, "%s/%s/%s", userInfo->pw_dir, kdehome, fixpath);
-
- struct stat info;
-@@ -666,21 +679,26 @@ int kwallet_hash(const char *passphrase, struct passwd *userInfo, char *key)
- FILE *fd = fopen(path, "r");
- if (fd == NULL) {
- syslog(LOG_ERR, "%s: Couldn't open file: %s because: %d-%s", logPrefix, path, errno, strerror(errno));
-+ free(path);
- return 1;
- }
-- salt = (char*) malloc(sizeof(char) * KWALLET_PAM_SALTSIZE);
-+ salt = (char*) malloc(KWALLET_PAM_SALTSIZE);
- memset(salt, '\0', KWALLET_PAM_SALTSIZE);
- fread(salt, KWALLET_PAM_SALTSIZE, 1, fd);
- fclose(fd);
- }
-+ free(path);
-+
- if (salt == NULL) {
- syslog(LOG_ERR, "%s-kwalletd: Couldn't create or read the salt file", logPrefix);
- return 1;
- }
-
- gcry_error_t error;
-+
- error = gcry_control(GCRYCTL_INIT_SECMEM, 32768, 0);
- if (error != 0) {
-+ free(salt);
- syslog(LOG_ERR, "%s-kwalletd: Can't get secure memory: %d", logPrefix, error);
- return 1;
- }
-@@ -691,5 +709,7 @@ int kwallet_hash(const char *passphrase, struct passwd *userInfo, char *key)
- GCRY_KDF_PBKDF2, GCRY_MD_SHA512,
- salt, KWALLET_PAM_SALTSIZE,
- KWALLET_PAM_ITERATIONS,KWALLET_PAM_KEYSIZE, key);
-- return 0;
-+
-+ free(salt);
-+ return (int) error; // gcry_kdf_derive returns 0 on success
- }
---
-cgit v0.11.2
-
diff --git a/kde-plasma/kwallet-pam/files/kwallet-pam-5.10.5-privileges.patch b/kde-plasma/kwallet-pam/files/kwallet-pam-5.10.5-privileges.patch
deleted file mode 100644
index 8b45b293bbf9..000000000000
--- a/kde-plasma/kwallet-pam/files/kwallet-pam-5.10.5-privileges.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 1a01e1eb870e1ab1d96a8641f1f3500af646c974 Mon Sep 17 00:00:00 2001
-From: Fabian Vogt <fabian@ritter-vogt.de>
-Date: Thu, 3 Aug 2017 09:27:10 +0200
-Subject: Avoid dropping privileges by initializing gcrypt secmem
-
-Summary:
-It's a documented side effect that initialization of secure memory in gcrypt
-drops privileges if getuid() != geteuid(). This results in breaking setuid
-callers, like sudo or su.
-
-Test Plan: Can use sudo again when pam_kwallet is involved.
-
-Reviewers: #plasma
-
-Subscribers: plasma-devel
-
-Tags: #plasma
-
-Differential Revision: https://phabricator.kde.org/D7124
----
- pam_kwallet.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/pam_kwallet.c b/pam_kwallet.c
-index 46720a5..20d9603 100644
---- a/pam_kwallet.c
-+++ b/pam_kwallet.c
-@@ -722,12 +722,18 @@ int kwallet_hash(const char *passphrase, struct passwd *userInfo, char *key)
-
- gcry_error_t error;
-
-+ /* We cannot call GCRYCTL_INIT_SECMEM as it drops privileges if getuid() != geteuid().
-+ * PAM modules are in many cases executed through setuid binaries, which this call
-+ * would break.
-+ * It was never effective anyway as neither key nor passphrase are in secure memory,
-+ * which is a prerequisite for secure operation...
- error = gcry_control(GCRYCTL_INIT_SECMEM, 32768, 0);
- if (error != 0) {
- free(salt);
- syslog(LOG_ERR, "%s-kwalletd: Can't get secure memory: %d", logPrefix, error);
- return 1;
- }
-+ */
-
- gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
-
---
-cgit v0.11.2
-
diff --git a/kde-plasma/kwallet-pam/kwallet-pam-5.10.5-r1.ebuild b/kde-plasma/kwallet-pam/kwallet-pam-5.10.5-r1.ebuild
deleted file mode 100644
index a92f06b64222..000000000000
--- a/kde-plasma/kwallet-pam/kwallet-pam-5.10.5-r1.ebuild
+++ /dev/null
@@ -1,59 +0,0 @@
-# Copyright 1999-2017 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-inherit kde5
-
-DESCRIPTION="KWallet PAM module to not enter password again"
-LICENSE="LGPL-2.1"
-KEYWORDS="amd64 ~arm x86"
-IUSE=""
-
-DEPEND="
- dev-libs/libgcrypt:0=
- virtual/pam
-"
-RDEPEND="${DEPEND}
- net-misc/socat
-"
-
-PATCHES=(
- "${FILESDIR}/${P}-cleanups.patch"
- "${FILESDIR}/${P}-check-graphical.patch"
- "${FILESDIR}/${P}-privileges.patch"
-)
-
-src_configure() {
- local mycmakeargs=(
- -DCMAKE_INSTALL_LIBDIR="/$(get_libdir)"
- -DKWALLET4=0
- )
- kde5_src_configure
-}
-
-pkg_postinst() {
- check_dm() {
- if [[ -e "${ROOT}${2}" ]] ; then
- if grep -Eq "auth\s+optional\s+pam_kwallet5.so" "${ROOT}${2}" && \
- grep -Eq "session\s+optional\s+pam_kwallet5.so" "${ROOT}${2}" ; then
- elog " ${1} - ${2} ...GOOD"
- else
- ewarn " ${1} - ${2} ...BAD"
- fi
- fi
- }
- elog "This package enables auto-unlocking of kde-frameworks/kwallet:5."
- elog "List of things to make it work:"
- elog "1. Use standard blowfish encryption instead of GPG"
- elog "2. Use same password for login and kwallet"
- elog "3. A display manager with support for PAM"
- elog "4.a Have the following lines in the display manager's pam.d file:"
- elog " -auth optional pam_kwallet5.so"
- elog " -session optional pam_kwallet5.so auto_start"
- elog "4.b Checking installed DMs..."
- has_version "x11-misc/sddm" && check_dm "SDDM" "/etc/pam.d/sddm"
- has_version "x11-misc/lightdm" && check_dm "LightDM" "/etc/pam.d/lightdm"
- elog
- elog "See also: https://wiki.gentoo.org/wiki/KDE#KWallet_auto-unlocking"
-}