howdy: add waitpid patch

NixOS · Nov 17, 2024 · 463e5ac · 463e5ac
1 parent 4c0f474
commit 463e5ac
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/pkgs/by-name/ho/howdy/package.nix b/pkgs/by-name/ho/howdy/package.nix
@@ -83,6 +83,11 @@ stdenv.mkDerivation {
   patches = [
     # Don't install the config file. We handle it in the module.
     ./dont-install-config.patch
+
+    # Wait for the direct child process (auth client), and not ANY child
+    # process, which may allow authentication when it shouldn't
+    # https://github.com/boltgolt/howdy/issues/969
+    ./waitpid.patch
   ];
 
   mesonFlags = [

diff --git a/pkgs/by-name/ho/howdy/waitpid.patch b/pkgs/by-name/ho/howdy/waitpid.patch
@@ -0,0 +1,13 @@
+diff --git a/howdy/src/pam/main.cc b/howdy/src/pam/main.cc
+index d1b8e34..8498655 100644
+--- a/howdy/src/pam/main.cc
++++ b/howdy/src/pam/main.cc
+@@ -290,7 +290,7 @@ auto identify(pam_handle_t *pamh, int flags, int argc, const char **argv,
+   // zombie process)
+   optional_task<int> child_task([&] {
+     int status;
+-    wait(&status);
++    waitpid(child_pid, &status, 0);
+     {
+       std::unique_lock<std::mutex> lock(mutx);
+       if (confirmation_type == ConfirmationType::Unset) {