Use shadow as a fallback if PAM is unavailable

WhyNotHugo · WhyNotHugo · commit 7f7d84d8ce01 · 2025-10-15T01:47:44.000+02:00
Allow building with PAM and/or shadow, instead of them build mutually
exclusive. This allows producing a single binary which can be used
on hosts with or without PAM installed.
diff --git a/backend.c b/backend.c
@@ -0,0 +1,64 @@
+#include "swaylock.h"
+#include "log.h"
+#include "config.h"
+#include <stdlib.h>
+
+#if !HAVE_PAM
+bool load_pam_library(void) {
+	return false;
+}
+
+bool is_pam_loaded(void) {
+	return false;
+}
+
+void initialize_pam_backend(int argc, char **argv) {
+	// Stub function - should never be called
+}
+
+void run_pam_backend_child(void) {
+	// Stub function - should never be called
+}
+#endif
+
+#if !HAVE_SHADOW
+void initialize_shadow_backend(int argc, char **argv) {
+	// Stub function - should never be called
+}
+
+void run_shadow_backend_child(void) {
+	// Stub function - should never be called
+}
+#endif
+
+void initialize_pw_backend(int argc, char **argv) {
+#if HAVE_PAM
+	if (load_pam_library()) {
+		swaylock_log(LOG_ERROR, "Initialising pam");
+		initialize_pam_backend(argc, argv);
+		return;
+	}
+#endif
+#if HAVE_SHADOW
+	swaylock_log(LOG_ERROR, "Initialising shadow");
+	initialize_shadow_backend(argc, argv);
+#else
+	swaylock_log(LOG_ERROR, "No authentication backend available");
+	exit(EXIT_FAILURE);
+#endif
+}
+
+void run_pw_backend_child(void) {
+#if HAVE_PAM
+	if (is_pam_loaded()) {
+		run_pam_backend_child();
+		return;
+	}
+#endif
+#if HAVE_SHADOW
+	run_shadow_backend_child();
+#else
+	swaylock_log(LOG_ERROR, "No authentication backend available");
+	exit(EXIT_FAILURE);
+#endif
+}
diff --git a/include/swaylock.h b/include/swaylock.h
@@ -140,8 +140,15 @@ void damage_state(struct swaylock_state *state);
 void clear_password_buffer(struct swaylock_password *pw);
 void schedule_auth_idle(struct swaylock_state *state);
 
+bool load_pam_library(void);
+bool is_pam_loaded(void);
+
 void initialize_pw_backend(int argc, char **argv);
+void initialize_pam_backend(int argc, char **argv);
+void initialize_shadow_backend(int argc, char **argv);
 void run_pw_backend_child(void);
+void run_pam_backend_child(void);
+void run_shadow_backend_child(void);
 void clear_buffer(char *buf, size_t size);
 
 #endif
diff --git a/meson.build b/meson.build
@@ -93,6 +93,7 @@ dependencies = [
 
 sources = [
 	'background-image.c',
+	'backend.c',
 	'cairo.c',
 	'comm.c',
 	'log.c',
@@ -108,13 +109,19 @@ sources = [
 
 if libpam.found()
 	sources += ['pam.c']
-else
+endif
+
+if get_option('shadow').enabled()
 	warning('The swaylock binary must be setuid when compiled without libpam')
 	warning('You must do this manually post-install: chmod a+s /path/to/swaylock')
 	sources += ['shadow.c']
 	dependencies += [crypt]
 endif
 
+if not libpam.found() and not get_option('shadow').enabled()
+	error('At least one of PAM or shadow support must be enabled.')
+endif
+
 swaylock_inc = include_directories('include')
 
 executable('swaylock',
@@ -155,3 +162,8 @@ if scdoc.found()
 endif
 
 subdir('completions')
+
+summary({
+	'pam': libpam.found(),
+	'shadow': get_option('shadow').enabled(),
+}, bool_yn: true)
diff --git a/meson_options.txt b/meson_options.txt
@@ -1,4 +1,5 @@
-option('pam', type: 'feature', value: 'auto', description: 'Use PAM instead of shadow')
+option('pam', type: 'feature', value: 'auto', description: 'Enabled PAM support')
+option('shadow', type: 'feature', value: 'auto', description: 'Enabled shadow support')
 option('gdk-pixbuf', type: 'feature', value: 'auto', description: 'Enable support for more image formats')
 option('man-pages', type: 'feature', value: 'auto', description: 'Generate and install man pages')
 option('zsh-completions', type: 'boolean', value: true, description: 'Install zsh shell completions')
diff --git a/pam.c b/pam.c
@@ -21,7 +21,7 @@ static int (*fp_pam_authenticate)(pam_handle_t *, int) = NULL;
 static int (*fp_pam_end)(pam_handle_t *, int) = NULL;
 static int (*fp_pam_setcred)(pam_handle_t *, int) = NULL;
 
-static bool load_pam_library(void) {
+bool load_pam_library(void) {
 	pam_handle = dlopen("libpam.so.0", RTLD_NOW);
 	if (!pam_handle) {
 		swaylock_log(LOG_ERROR, "Failed to load libpam.so.0: %s", dlerror());
@@ -42,14 +42,18 @@ static bool load_pam_library(void) {
 	return true;
 }
 
+bool is_pam_loaded(void) {
+	return pam_handle != NULL;
+}
+
 static void unload_pam_library(void) {
 	if (pam_handle) {
 		dlclose(pam_handle);
 		pam_handle = NULL;
 	}
 }
 
-void initialize_pw_backend(int argc, char **argv) {
+void initialize_pam_backend(int argc, char **argv) {
 	if (getuid() != geteuid() || getgid() != getegid()) {
 		swaylock_log(LOG_ERROR,
 			"swaylock is setuid, but was compiled with the PAM"
@@ -107,11 +111,7 @@ static const char *get_pam_auth_error(int pam_status) {
 	}
 }
 
-void run_pw_backend_child(void) {
-	if (!load_pam_library()) {
-		exit(EXIT_FAILURE);  // Fall back or exit if desired
-	}
-
+void run_pam_backend_child(void) {
 	struct passwd *passwd = getpwuid(getuid());
 	if (!passwd) {
 		swaylock_log_errno(LOG_ERROR, "getpwuid failed");
diff --git a/shadow.c b/shadow.c
@@ -18,7 +18,7 @@
 
 char *encpw = NULL;
 
-void initialize_pw_backend(int argc, char **argv) {
+void initialize_shadow_backend(int argc, char **argv) {
 	/* This code runs as root */
 	struct passwd *pwent = getpwuid(getuid());
 	if (!pwent) {
@@ -61,7 +61,7 @@ void initialize_pw_backend(int argc, char **argv) {
 	encpw = NULL;
 }
 
-void run_pw_backend_child(void) {
+void run_shadow_backend_child(void) {
 	assert(encpw != NULL);
 	while (1) {
 		char *buf;
