From: Mikhail Novosyolov
To: kbd@lists.altlinux.org
Date: Sat, 1 Aug 2020 16:19:59 +0300
Message-ID: <019c50c1-6190-700c-3c32-03b84973ee2b@rosalinux.ru>
Subject: [kbd] [PATCH] vlock: allow sudo user to unlock his session

https://github.com/legionus/kbd/pull/45

If a non-root user ran sth like "sudo -i" and vlock'ed from inside it,
then that user himself should be able to unlock his console.

[user@HP-Elite-7300 tmp]$ echo $LOGNAME
user
[user@HP-Elite-7300 tmp]$ sudo -i
root@HP-Elite-7300:~# echo $LOGNAME
root
root@HP-Elite-7300:~# echo $SUDO_USER
user
root@HP-Elite-7300:~#

Tested on rosa2019.1 + kbd 2.2.0 + this patch:

[root@rosa-2019 kbd]# su - user
[user@rosa-2019 ~]$ sudo -i
[sudo] password for user:
[root@rosa-2019 ~]# vlock
Данное устройство tty (console) не является виртуальной консолью.
Блокировка console установлена user.
Пароль:
[root@rosa-2019 ~]#

sudo root session was successfully unlocked with user's password.

[root@rosa-2019 ~]# unset SUDO_USER
[root@rosa-2019 ~]# vlock
Данное устройство tty (console) не является виртуальной консолью.
Блокировка console установлена root.
Пароль:

root password is requested without $SUDO_ENV.

Another vlock implementation [1, 2] does not check that UIDs match,
I do not see sense in this check, removing it to make what I want work.

[1] Another vlock implementation: https://github.com/WorMzy/vlock
[2] My similar patch for it: https://github.com/mikhailnov/vlock/commit/ba38d5d563cdfaad3b2f260248b3434c235a7afd
---
 src/vlock/username.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/src/vlock/username.c b/src/vlock/username.c
index a26a148..4c6d295 100644
--- a/src/vlock/username.c
+++ b/src/vlock/username.c
@@ -40,17 +40,18 @@ get_username(void) =C2=A0{ =C2=A0=C2=A0=C2=A0 =C2=A0const char *name; =C2=A0=C2=A0=C2=A0 =C2=A0struct passwd *pw =3D 0; +=C2=A0=C2=A0 =C2=A0char *logname =3D NULL; =C2=A0=C2=A0=C2=A0 =C2=A0uid_t uid=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 =3D getuid(); =C2=A0 -=C2=A0=C2=A0 =C2=A0char *logname =3D getenv("LOGNAME"); +=C2=A0=C2=A0 =C2=A0/* If a non-root runs a sudo session, ask for user's +=C2=A0=C2=A0 =C2=A0 * password to unlock it, not root's password */ +=C2=A0=C2=A0 =C2=A0logname =3D getenv("SUDO_USER"); +=C2=A0=C2=A0 =C2=A0if (logname =3D=3D NULL) +=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0logname =3D getenv("LOGNAME"); =C2=A0 -=C2=A0=C2=A0 =C2=A0if (logname) { -=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0pw =3D getpwnam(logname); -=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0/* Ensure uid is same as current. = */ -=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0if (pw && pw->pw_uid !=3D uid) -=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0pw =3D 0; -=C2=A0=C2=A0 =C2=A0} -=C2=A0=C2=A0 =C2=A0if (!pw) +=C2=A0=C2=A0 =C2=A0pw =3D getpwnam(logname); + +=C2=A0=C2=A0 =C2=A0if (!pw && uid) =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0pw =3D getpwuid(uid); =C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0if (!pw) --=20 Please CC me when replying, I am not subscribed to kbd@lists.altlinux.org The same patch was submited as a pull request on Github: https://github.c= om/legionus/kbd/pull/45
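
Review bot: after the new `getenv("SUDO_USER")` / `getenv("LOGNAME")` fallback in get_username(), `pw = getpwnam(logname);` is called unconditionally, so a process with neither variable set passes NULL to getpwnam(); the removed `if (logname)` guard needs to stay around that call. Dropping the `pw->pw_uid != uid` comparison also means the account whose password unlocks the console is now taken entirely from caller-controlled environment variables, for any uid and not only inside a sudo session. Consider honouring SUDO_USER only when `uid == 0` and keeping the uid match on the LOGNAME path. The added `&& uid` in `if (!pw && uid)` removes the getpwuid() fallback for root, so root with an unknown LOGNAME now reaches the following `if (!pw)` branch; if that is intended, a comment should say so.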