Open strelec opened 2 years ago
kennylevinsen
commented
2 years ago This usually indicates that swaylock is run as actual root, rather than being run as a user and having SUID upgrade privileges.
It should be notes that the preferred use is through PAM, not through SUID and the built-in shadow handling.
strelec
commented
2 years ago Strange, because the user is not root, but my user account
~ whoami
rok
~ swaylock
2022-07-02 13:35:50 - [swaylock-1.6/shadow.c:36] Unable to drop root (we shouldn't be able to restore it after setuid): SuccessIt should be notes that the preferred use is through PAM, not through SUID and the built-in shadow handling.
Right, but these times it is better to have a lean system, as less code means less potential security vulnerabilities. PAM seems bloated, compared to lean approach of sway.
kennylevinsen
commented
2 years ago Right, but these times it is better to have a lean system, as less code means less potential security vulnerabilities. PAM seems bloated, compared to lean approach of sway.
PAM is under far more scrutiny than our swaylock SUID helper, so from a security standpoint it is the better solution.
Whether something is "bloated" is subjective.
Strange, because the user is not root, but my user account
Hmm, I will have to take a look.
sysophe
commented
10 months ago Seems like the reason could be file capabilities set (CAP_SYS_ADMIN) by Gentoo if USE="-pam filecaps"..
See also Gentoo Bug 921584 where I propose fixing the applied capability as well as a basic patch to make swaylock work with file capabilities (but that way would not solve issue #175 ). A more complete patch may also rather use libcap than performing syscalls directly in order to be less Linux-only.
OS: Linux Gentoo
I have setuid on my swaylock binary:
However, when attempting to use it, it cannot drop root: