From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
To: kbd@lists.altlinux.org
Subject: [kbd] [PATCH] vlock: allow sudo user to unlock his session
Date: Sat, 1 Aug 2020 16:19:59 +0300
Message-ID: <019c50c1-6190-700c-3c32-03b84973ee2b@rosalinux.ru>

https://github.com/legionus/kbd/pull/45

If a non-root user ran sth like "sudo -i" and vlock'ed from inside it,
then that user himself should be able to unlock his console.

[user@HP-Elite-7300 tmp]$ echo $LOGNAME
user
[user@HP-Elite-7300 tmp]$ sudo -i
root@HP-Elite-7300:~# echo $LOGNAME
root
root@HP-Elite-7300:~# echo $SUDO_USER
user
root@HP-Elite-7300:~#

Tested on rosa2019.1 + kbd 2.2.0 + this patch:

[root@rosa-2019 kbd]# su - user
[user@rosa-2019 ~]$ sudo -i
[sudo] password for user:
[root@rosa-2019 ~]# vlock
Данное устройство tty (console) не является виртуальной консолью.
Блокировка console установлена user.
Пароль:
[root@rosa-2019 ~]#

sudo root session was successfully unlocked with user's password.

[root@rosa-2019 ~]# unset SUDO_USER
[root@rosa-2019 ~]# vlock
Данное устройство tty (console) не является виртуальной консолью.
Блокировка console установлена root.
Пароль:

root password is requested without $SUDO_ENV.

Another vlock implementation [1, 2] does not check that UIDs match,
I do not see sense in this check, removing it to make what I want work.

[1] Another vlock implementation: https://github.com/WorMzy/vlock
[2] My similar patch for it: https://github.com/mikhailnov/vlock/commit/ba38d5d563cdfaad3b2f260248b3434c235a7afd

--- src/vlock/username.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/src/vlock/username.c b/src/vlock/username.c index a26a148..4c6d295 100644 --- a/src/vlock/username.c +++ b/src/vlock/username.c 
@@ -40,17 +40,18 @@ get_username(void) { const char *name; struct passwd *pw = 0; + char *logname = NULL; uid_t uid = getuid(); - char *logname = getenv("LOGNAME"); + /* If a non-root runs a sudo session, ask for user's + * password to unlock it, not root's password */ + logname = getenv("SUDO_USER"); + if (logname == NULL) + logname = getenv("LOGNAME"); - if (logname) { - pw = getpwnam(logname); - /* Ensure uid is same as current. */ - if (pw && pw->pw_uid != uid) - pw = 0; - } - if (!pw) + pw = getpwnam(logname); + + if (!pw && uid) pw = getpwuid(uid); if (!pw)
--
Please CC me when replying, I am not subscribed to kbd@lists.altlinux.org

The same patch was submitted as a pull request on GitHub: https://github.com/legionus/kbd/pull/45
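
Review bot: `pw = getpwnam(logname);` now runs unconditionally, so when neither SUDO_USER nor LOGNAME is set it is passed NULL; keep the `if (logname)` guard that the removed lines had. Dropping the `pw->pw_uid != uid` comparison also means both variables are taken from the caller's environment with no check against `getuid()`, so the account whose password unlocks the console is whatever name the environment supplies. Consider honouring SUDO_USER only when `uid == 0` and keeping the uid comparison on the LOGNAME path. With `if (!pw && uid)`, a root caller whose name lookup fails also skips `getpwuid(uid)` and goes straight to the following `if (!pw)` branch; if that is intended, the comment should say why.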