* [bug#57881] [PATCH] gnu: hikari: only allow use setuid hikari-unlocker.
@ 2022-09-17 12:23 路辉
  2022-09-18 20:05 ` Josselin Poiret via Guix-patches via
  0 siblings, 1 reply; 3+ messages in thread
From: 路辉 @ 2022-09-17 12:23 UTC (permalink / raw)
  To: 57881

[-- Attachment #1: Type: text/plain, Size: 338 bytes --]

hikari-unlocker needs setuid and PAM to work.

If hikari execs a non-setuid hikari-unlocker, such as
"$HOME/.guix-profile/bin/hikari-unlocker", hikari's lock mode
cannot be exited; the only way out is to press the power button. :(

https://hikari.acmelabs.space/manpage.html

https://hub.darcs.net/raichoo/hikari/browse/src/lock_mode.c#71

[-- Attachment #2: 0001-gnu-hikari-only-allow-use-setuid-hikari-unlocker.patch --]
[-- Type: text/x-patch, Size: 1963 bytes --]

From d1bedbc3c850cf0a60b182999c229079bad9cd99 Mon Sep 17 00:00:00 2001
From: Lu Hui <luhux76@gmail.com>
Date: Sat, 17 Sep 2022 20:10:34 +0800
Subject: [PATCH] gnu: hikari: only allow use setuid hikari-unlocker.

* gnu/packages/wm.scm (hikari)
[phases]{force-use-setuid-unlocker}: replace "sh -c hikari-unlocker" with
"/run/setuid-programs/hikari-unlocker"
---
 gnu/packages/wm.scm | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/wm.scm b/gnu/packages/wm.scm
index f329020eb4..d0586efb63 100644
--- a/gnu/packages/wm.scm
+++ b/gnu/packages/wm.scm
@@ -57,6 +57,7 @@
 ;;; Copyright © 2022 muradm <mail@muradm.net>
 ;;; Copyright © 2022 Elais Player <elais@fastmail.com>
 ;;; Copyright © 2022 Trevor Richards <trev@trevdev.ca>
+;;; Copyright © 2022 LuHui <luhux76@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -2632,6 +2633,11 @@ (define-public hikari
         "WITH_VIRTUAL_INPUT=YES")
        #:phases
        (modify-phases %standard-phases
+         (add-after 'unpack 'force-use-setuid-unlocker
+           (lambda _
+             (substitute* "src/lock_mode.c"
+               (("\"/bin/sh\", \"/bin/sh\", \"-c\", \"hikari-unlocker\"")
+                "\"/run/setuid-programs/hikari-unlocker\""))))
          (delete 'configure)
          (replace 'build
            (lambda* (#:key inputs outputs make-flags #:allow-other-keys)
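
Review bot: The replacement string in the substitute* of 'force-use-setuid-unlocker collapses four C string literals ("/bin/sh", "/bin/sh", "-c", "hikari-unlocker") into one. The first literal appears twice in the pattern, which suggests a path followed by argv[0] in an exec-style argument list; if that is the case, the patched call passes only the path and the unlocker starts without an argv[0]. Consider emitting the path and then a program name, e.g. "\"/run/setuid-programs/hikari-unlocker\", \"hikari-unlocker\"". Also, substitute* does nothing when the pattern no longer matches after an upstream change, so the build would silently fall back to the PATH lookup; a check that the file was actually modified would catch that. A short comment above the phase saying why the absolute path is needed would help future readers.
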
@@ -2643,7 +2649,11 @@ (define-public hikari
     (synopsis "Stacking Wayland compositor with tiling capabilities")
     (description
      "Hikari is a stacking Wayland compositor with additional tiling
-capabilities.  It is heavily inspired by the Calm Window manager(cwm).")
+capabilities.  It is heavily inspired by the Calm Window manager(cwm).
+
+You need add following line to your system configuration to make unlocker working:
+
+    (screen-locker-service-type hikari \"hikari-unlocker\")")
     (license license:bsd-2)))
 
 (define-public devour
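
Review bot: The sentence added to the description ("You need add following line to your system configuration to make unlocker working") needs a grammar pass, e.g. "You need to add the following line to your system configuration for the unlocker to work". The form shown, (screen-locker-service-type hikari "hikari-unlocker"), applies a name ending in -service-type as if it were a procedure; please check that this is the exact form that works in the services field. Since the phase added above hardcodes /run/setuid-programs/hikari-unlocker, the description should also say that lock mode cannot be exited without this service.
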
-- 
2.37.3



* [bug#57881] [PATCH] gnu: hikari: only allow use setuid hikari-unlocker.
  2022-09-17 12:23 [bug#57881] [PATCH] gnu: hikari: only allow use setuid hikari-unlocker 路辉
@ 2022-09-18 20:05 ` Josselin Poiret via Guix-patches via
  2022-09-23  2:30   ` 路辉
  0 siblings, 1 reply; 3+ messages in thread
From: Josselin Poiret via Guix-patches via @ 2022-09-18 20:05 UTC (permalink / raw)
  To: 路辉, 57881

Hi,

路辉 <luhux76@gmail.com> writes:

> hikari-unlocker needs setuid and PAM to work.
>
> If hikari execs a non-setuid hikari-unlocker, such as
> "$HOME/.guix-profile/bin/hikari-unlocker", hikari's lock mode
> cannot be exited; the only way out is to press the power button. :(
>
> https://hikari.acmelabs.space/manpage.html
>
> https://hub.darcs.net/raichoo/hikari/browse/src/lock_mode.c#71
> From d1bedbc3c850cf0a60b182999c229079bad9cd99 Mon Sep 17 00:00:00 2001
> From: Lu Hui <luhux76@gmail.com>
> Date: Sat, 17 Sep 2022 20:10:34 +0800
> Subject: [PATCH] gnu: hikari: only allow use setuid hikari-unlocker.
>
> * gnu/packages/wm.scm (hikari)
> [phases]{force-use-setuid-unlocker}: replace "sh -c hikari-unlocker" with
> "/run/setuid-programs/hikari-unlocker"

On Guix system, /run/setuid-programs/ should be in front of whatever
profiles you're using in your PATH, otherwise it will be shadowed by
them.  With the default profile loading code in /etc/profile, this
should be what happens but there might be issues with any non-default
setup (i.e. package not installed in the ~/.guix-profile/).

To be honest, I'm not happy with hardcoding
/run/setuid-programs/hikari-unlocker, since it won't work on foreign
distros.

Shouldn't we rather report this issue upstream?  I'm under the
impression that the locker should detect that it isn't running suid and
not try to query PAM if it isn't able to, and instead fail and display
an error message or something similar.

Best,
-- 
Josselin Poiret
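
The PATH-ordering concern in the message above can be checked directly. This is an added example, not code from hikari or Guix: it resolves hikari-unlocker through PATH the way `sh -c hikari-unlocker` would and reports whether the file found is setuid root; the function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fill `out` with the first executable regular file called `name` in the
   colon-separated `path`, as a shell command lookup would; 0 if none. */
int resolve_in_path(const char *name, const char *path, char *out, size_t outlen)
{
    const char *p = path;
    while (p != NULL) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        struct stat st;
        /* An empty PATH element means the current directory. */
        int n = len ? snprintf(out, outlen, "%.*s/%s", (int)len, p, name)
                    : snprintf(out, outlen, "./%s", name);
        if (n > 0 && (size_t)n < outlen && stat(out, &st) == 0 &&
            S_ISREG(st.st_mode) && access(out, X_OK) == 0)
            return 1;
        p = colon ? colon + 1 : NULL;
    }
    return 0;
}

/* 1 if `file` is owned by root and carries the setuid bit, else 0. */
int is_setuid_root(const char *file)
{
    struct stat st;
    return stat(file, &st) == 0 && st.st_uid == 0 && (st.st_mode & S_ISUID) != 0;
}

int main(void)
{
    char found[PATH_MAX];
    const char *path = getenv("PATH");
    if (!resolve_in_path("hikari-unlocker", path ? path : "", found, sizeof found)) {
        puts("hikari-unlocker: not found in PATH");
        return 1;
    }
    int ok = is_setuid_root(found);
    printf("%s: %s\n", found, ok ? "setuid root" : "not setuid root");
    return ok ? 0 : 2;
}
```

An exit status of 2 means a profile copy shadows the /run/setuid-programs one for the PATH the check was run with.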





* [bug#57881] [PATCH] gnu: hikari: only allow use setuid hikari-unlocker.
  2022-09-18 20:05 ` Josselin Poiret via Guix-patches via
@ 2022-09-23  2:30   ` 路辉
  0 siblings, 0 replies; 3+ messages in thread
From: 路辉 @ 2022-09-23  2:30 UTC (permalink / raw)
  To: Josselin Poiret; +Cc: 57881

OK, I will take some time to fix it.

2022-09-18 20:05 GMT, Josselin Poiret <dev@jpoiret.xyz>:
> Hi,
>
> 路辉 <luhux76@gmail.com> writes:
>
>> hikari-unlocker needs setuid and PAM to work.
>>
>> If hikari execs a non-setuid hikari-unlocker, such as
>> "$HOME/.guix-profile/bin/hikari-unlocker", hikari's lock mode
>> cannot be exited; the only way out is to press the power button. :(
>>
>> https://hikari.acmelabs.space/manpage.html
>>
>> https://hub.darcs.net/raichoo/hikari/browse/src/lock_mode.c#71
>> From d1bedbc3c850cf0a60b182999c229079bad9cd99 Mon Sep 17 00:00:00 2001
>> From: Lu Hui <luhux76@gmail.com>
>> Date: Sat, 17 Sep 2022 20:10:34 +0800
>> Subject: [PATCH] gnu: hikari: only allow use setuid hikari-unlocker.
>>
>> * gnu/packages/wm.scm (hikari)
>> [phases]{force-use-setuid-unlocker}: replace "sh -c hikari-unlocker" with
>> "/run/setuid-programs/hikari-unlocker"
>
> On Guix system, /run/setuid-programs/ should be in front of whatever
> profiles you're using in your PATH, otherwise it will be shadowed by
> them.  With the default profile loading code in /etc/profile, this
> should be what happens but there might be issues with any non-default
> setup (i.e. package not installed in the ~/.guix-profile/).
>
> To be honest, I'm not happy with hardcoding
> /run/setuid-programs/hikari-unlocker, since it won't work on foreign
> distros.
>
> Shouldn't we rather report this issue upstream?  I'm under the
> impression that the locker should detect that it isn't running suid and
> not try to query PAM if it isn't able to, and instead fail and display
> an error message or something similar.
>
> Best,
> --
> Josselin Poiret
>



