Age | Commit message | Author |
|
Make sure to explicitly clear memory that is used for password input. memset
is often optimized out by the compiler.
Brought to attention by the OpenBSD community, see:
https://marc.info/?t=146989502600003&r=1&w=2
Thread subject: x11/slock: clear passwords with explicit_bzero
Changes:
- explicit_bzero.c import from libressl-portable.
- Makefile: add COMPATSRC for compatibility src.
- config.mk: add separate *BSD section in config.mk to simply uncomment it on
these platforms.
|
|
This reverts most of commit a6dc051e3744ce5b14c54d2d246d3e8258207e76 and fixes
some related stuff:
- keep spelling fixes from original commit
- make -h and -v also work when followed by more arguments
- any unknown flag prints usage
- fix output of -v to display "slock: version 1.3" instead of "slock: slock-1.3"
|
|
- use hardcoded "slock" instead of argv[0]
- add "slock: " to fprintf calls, where it was missing
- revert `argc--, argv++` shifting
|
|
There are 2 arguments why -v and -h are broken:
1) if you are running off git, -v will show the last stable
release, effectively making this option useless.
People running stable versions leave open an attack surface
this way in case there are vulnerabilities found.
99% of the people are also using package managers to keep
their software up to date, instead of running $TOOL -v to
check how old it is.
2) -h is a sad excuse for not just looking at the manual page
(man 1 slock). Given we accept a post_lock_command, we can't
be as liberal and just intercept certain flags.
I changed the manpage to reflect this change.
|
|
Clear up the wording a bit and explain what failonclear means.
|
|
There really is no need to source a defined variable from a linux
header. The OOM-rank ranges from -1000 to 1000, so we can safely
hardcode -1000, which is a sane thing to do given slock is suid and
we don't want to play around too much here anyway.
On another notice, let's not forget that this still is a shitty
heuristic. The OOM-killer still can kill us (thus I also changed
the wording in the error-message). We do not disable the OOM-killer,
we're just hiding.
|
|
It actually was 2014 and not 2015.
|
|
forgot that a while ago
|
|
- Adds another color in config.def.h, COLOR_INIT
- Renames the colours from numerical ones to ones with meaningful names;
COLOR_INPUT for when there is content in the input buffer and COLOR_EMPTY
for when the input buffer has been cleared (backspaced or a failed attempt).
- Ensures XFreeColors frees the right number of colours. This is now derived
from the size of `Lock->colors` rather than being an integer literal.
- Makes slock exhibit the behaviour described by Markus
The default colours are the same as the ones slock currently uses, with the
exception of the new color, which I have set to red, as it indicates someone
has either failed an attempt to unlock, or that they have entered input and
erased it all.
|
|
Calling them unconditionally can result in memory corruption.
|
|
Checking errno otherwise is unspecified.
|
|
Fix slock to work with /etc/passwd without /etc/shadow.
While we're at it, remove an occurrence of trailing whitespace.
|
|
updated LICENSE file's copyright notice
|
|
persistence
|
|