From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
To: kbd@lists.altlinux.org
Subject: [kbd] [PATCH] vlock: allow sudo user to unlock his session
Date: Sat, 1 Aug 2020 16:19:59 +0300
Message-ID: <019c50c1-6190-700c-3c32-03b84973ee2b@rosalinux.ru>

https://github.com/legionus/kbd/pull/45

If a non-root user ran sth like "sudo -i" and vlock'ed from inside it,
then that user himself should be able to unlock his console.

[user@HP-Elite-7300 tmp]$ echo $LOGNAME
user
[user@HP-Elite-7300 tmp]$ sudo -i
root@HP-Elite-7300:~# echo $LOGNAME
root
root@HP-Elite-7300:~# echo $SUDO_USER
user
root@HP-Elite-7300:~#

Tested on rosa2019.1 + kbd 2.2.0 + this patch:

[root@rosa-2019 kbd]# su - user
[user@rosa-2019 ~]$ sudo -i
[sudo] password for user:
[root@rosa-2019 ~]# vlock
Данное устройство tty (console) не является виртуальной консолью.
Блокировка console установлена user.
Пароль:
[root@rosa-2019 ~]#

sudo root session was successfully unlocked with user's password.

[root@rosa-2019 ~]# unset SUDO_USER
[root@rosa-2019 ~]# vlock
Данное устройство tty (console) не является виртуальной консолью.
Блокировка console установлена root.
Пароль:

root password is requested without $SUDO_ENV.

Another vlock implementation [1, 2] does not check that UIDs match,
I do not see sense in this check, removing it to make what I want work.

[1] Another vlock implementation: https://github.com/WorMzy/vlock
[2] My similar patch for it: https://github.com/mikhailnov/vlock/commit/ba38d5d563cdfaad3b2f260248b3434c235a7afd
---
src/vlock/username.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/src/vlock/username.c b/src/vlock/username.c
index a26a148..4c6d295 100644
--- a/src/vlock/username.c
+++ b/src/vlock/username.c
@@ -40,17 +40,18 @@ get_username(void)
{
const char *name;
struct passwd *pw = 0;
+ char *logname = NULL;
uid_t uid = getuid();
- char *logname = getenv("LOGNAME");
+ /* If a non-root runs a sudo session, ask for user's
+ * password to unlock it, not root's password */
+ logname = getenv("SUDO_USER");
+ if (logname == NULL)
+ logname = getenv("LOGNAME");
- if (logname) {
- pw = getpwnam(logname);
- /* Ensure uid is same as current. */
- if (pw && pw->pw_uid != uid)
- pw = 0;
- }
- if (!pw)
+ pw = getpwnam(logname);
+
+ if (!pw && uid)
pw = getpwuid(uid);
if (!pw)
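
Review bot: getpwnam(logname) is now called unconditionally, so when neither SUDO_USER nor LOGNAME is set a NULL pointer is passed to getpwnam(); the removed code guarded the lookup with "if (logname)", and that guard should be kept around the new call. Separately, dropping the "pw->pw_uid != uid" comparison means the account whose password unlocks the console is selected purely from environment variables: any caller can export SUDO_USER or LOGNAME with another account's name before running vlock, and the lock is then held against that account's password instead of the caller's own. A narrower change would honor SUDO_USER only when uid is 0 and keep rejecting a LOGNAME entry whose pw_uid differs from getuid(). Finally, "if (!pw && uid)" skips the getpwuid() fallback for root, so a root session with an unset or unknown LOGNAME now reaches the "if (!pw)" error path where it previously resolved; if that is intended, the comment above should say why.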
--
Please CC me when replying, I am not subscribed to kbd@lists.altlinux.org
The same patch was submitted as a pull request on GitHub: https://github.com/legionus/kbd/pull/45