1 /* passwd-helper.c --- verifying typed passwords with external helper program
2 * written by Olaf Kirch <okir@suse.de>
3 * xscreensaver, Copyright (c) 1993-2004 Jamie Zawinski <jwz@jwz.org>
5 * Permission to use, copy, modify, distribute, and sell this software and its
6 * documentation for any purpose is hereby granted without fee, provided that
7 * the above copyright notice appear in all copies and that both that
8 * copyright notice and this permission notice appear in supporting
9 * documentation. No representations are made about the suitability of this
10 * software for any purpose. It is provided "as is" without express or
14 /* The idea here is to be able to run xscreensaver without any setuid bits.
15 * Password verification happens through an external program that you feed
16 * your password to on stdin. The external command is invoked with a user
19 * The external helper does whatever authentication is necessary. Currently,
20 * SuSE uses "unix2_chkpwd", which is a variation of "unix_chkpwd" from the
23 * Normally, the password helper should just authenticate the calling user
24 * (i.e. based on the caller's real uid). This is in order to prevent
25 * brute-forcing passwords in a shadow environment. A less restrictive
26 * approach would be to allow verifying other passwords as well, but always
27 * with a 2 second delay or so. (Not sure what SuSE's "unix2_chkpwd"
29 * -- Olaf Kirch <okir@suse.de>, 16-Dec-2003
36 #ifndef NO_LOCKING /* whole file */
43 extern char *blurb(void);
48 #include <sys/types.h>
54 extern void block_sigchld (void);
55 extern void unblock_sigchld (void);
58 ext_run (const char *user, const char *typed_passwd, int verbose_p)
67 fprintf (stderr, "%s: ext_run (%s, %s)\n",
68 blurb(), PASSWD_HELPER_PROGRAM, user);
72 if ((pid = fork()) < 0) {
83 /* Helper is invoked as helper service-name [user] */
84 execlp(PASSWD_HELPER_PROGRAM, PASSWD_HELPER_PROGRAM, "xscreensaver", user, NULL);
86 fprintf(stderr, "%s: %s\n", PASSWD_HELPER_PROGRAM,
93 /* Write out password to helper process */
96 write(pfd[1], typed_passwd, strlen(typed_passwd));
99 while (waitpid(pid, &status, 0) < 0) {
103 fprintf(stderr, "%s: ext_run: waitpid failed: %s\n",
104 blurb(), strerror(errno));
111 if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
118 /* This can be called at any time, and says whether the typed password
119 belongs to either the logged in user (real uid, not effective); or
123 ext_passwd_valid_p (const char *typed_passwd, int verbose_p)
128 if ((pw = getpwuid(getuid())) != NULL)
129 res = ext_run (pw->pw_name, typed_passwd, verbose_p);
133 res = ext_run ("root", typed_passwd, verbose_p);
140 ext_priv_init (int argc, char **argv, int verbose_p)
142 /* Make sure the passwd helper exists */
143 if (access(PASSWD_HELPER_PROGRAM, X_OK) < 0) {
145 "%s: warning: %s does not exist.\n"
146 "%s: password authentication via "
147 "external helper will not work.\n",
148 blurb(), PASSWD_HELPER_PROGRAM, blurb());
154 #endif /* NO_LOCKING -- whole file */