setuid wrongly required with TCB shadow

[lanodan]

0 $ swaylock
2021-04-27 13:10:07 - [swaylock-1.5/shadow.c:19] swaylock needs to be setuid to read /etc/shadow
1 $ ls -lah /etc/tcb/$(id -un)/shadow
-rw------- 1 haelwenn shadow 135 Apr 13 11:50 /etc/tcb/haelwenn/shadow
0 $ doas stat /etc/shadow
stat: cannot statx '/etc/shadow': No such file or directory
0 $ grep '^shadow:' /etc/nsswitch.conf 
shadow:     tcb compat
0 $

TCB shadow is described at https://www.openwall.com/tcb/, it is supported natively in musl libc and otherwise via libnss_tcb.so as configured for me in /etc/nsswitch.conf. It's probably also not required with other alternative authentication methods and looking into shadow.c there is already code to handle fails in getpwuid & getspnam.

[emersion]

Patches welcome.

[sertonix]

Does it work if you remove this safety check? https://github.com/swaywm/swaylock/blob/91bb96811054e66022b109e269a4fabaa2221e2b/shadow.c#L18-L22